fix: 修复 public 和 smart API 权限包含 connection token

pull/8625/head
Jiangjie.Bai 2022-07-15 14:56:51 +08:00 committed by 老广
parent 93537c07a1
commit 41541a91b9
3 changed files with 28 additions and 4 deletions

View File

@ -7,6 +7,9 @@ from rest_framework import permissions
from authentication.const import ConfirmType
from common.exceptions import UserConfirmRequired
from orgs.utils import tmp_to_root_org
from authentication.models import ConnectionToken
from common.utils import get_object_or_none
class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
@ -17,6 +20,22 @@ class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
and request.user.is_valid
class IsValidUserOrConnectionToken(IsValidUser):
def has_permission(self, request, view):
return super(IsValidUserOrConnectionToken, self).has_permission(request, view) \
or self.is_valid_connection_token(request)
@staticmethod
def is_valid_connection_token(request):
token_id = request.query_params.get('token')
if not token_id:
return False
with tmp_to_root_org():
token = get_object_or_none(ConnectionToken, id=token_id)
return token and token.is_valid
class OnlySuperUser(IsValidUser):
def has_permission(self, request, view):
return super().has_permission(request, view) \

View File

@ -3,7 +3,11 @@ from rest_framework.permissions import AllowAny, IsAuthenticated
from django.conf import settings
from jumpserver.utils import has_valid_xpack_license, get_xpack_license_info
from common.utils import get_logger, lazyproperty
from common.utils import get_logger, lazyproperty, get_object_or_none
from authentication.models import ConnectionToken
from orgs.utils import tmp_to_root_org
from common.permissions import IsValidUserOrConnectionToken
from .. import serializers
from ..utils import get_interface_setting_or_default
@ -28,7 +32,7 @@ class OpenPublicSettingApi(generics.RetrieveAPIView):
class PublicSettingApi(OpenPublicSettingApi):
permission_classes = (IsAuthenticated,)
permission_classes = (IsValidUserOrConnectionToken,)
serializer_class = serializers.PrivateSettingSerializer
def get_object(self):

View File

@ -9,9 +9,9 @@ from assets.models import Asset
from orgs.utils import tmp_to_root_org
from applications.models import Application
from terminal.models import Session
from common.permissions import IsValidUser
from ..models import Endpoint, EndpointRule
from .. import serializers
from common.permissions import IsValidUserOrConnectionToken
__all__ = ['EndpointViewSet', 'EndpointRuleViewSet']
@ -25,7 +25,8 @@ class SmartEndpointViewMixin:
target_instance: None
target_protocol: None
@action(methods=['get'], detail=False, permission_classes=[IsValidUser], url_path='smart')
@action(methods=['get'], detail=False, permission_classes=[IsValidUserOrConnectionToken],
url_path='smart')
def smart(self, request, *args, **kwargs):
self.target_instance = self.get_target_instance()
self.target_protocol = self.get_target_protocol()