fix: Addressing the issue of unauthorized execution of system tools (#14209)

* fix: Addressing the issue of unauthorized execution of system tools * perf: Optimization conditions --------- Co-authored-by: jiangweidong <1053570670@qq.com>
2024-09-27 14:17:16 +08:00 · 2024-09-27 14:17:16 +08:00 · 43fa3f420a
parent 0311446384
commit 43fa3f420a
1 changed files with 25 additions and 2 deletions
--- a/apps/settings/ws.py
+++ b/apps/settings/ws.py
@ -3,10 +3,11 @@
 import json
 import asyncio

+from asgiref.sync import sync_to_async
 from channels.generic.websocket import AsyncJsonWebsocketConsumer
 from django.core.cache import cache
 from django.conf import settings
-from django.utils.translation import gettext_lazy as _, activate
+from django.utils.translation import gettext_lazy as _
 from django.utils import translation
 from urllib.parse import parse_qs

@ -37,13 +38,29 @@ TASK_STATUS_IS_OVER = 'OVER'


 class ToolsWebsocket(AsyncJsonWebsocketConsumer):
+    is_closed: bool = False
+
+    @staticmethod
+    @sync_to_async
+    def get_user_roles(user):
+        return [str(i) for i in user.system_roles.values_list('id', flat=True)]
+
+    async def is_superuser(self, user):
+        from rbac.builtin import BuiltinRole
+
+        ids = await self.get_user_roles(user)
+        return BuiltinRole.system_admin.id in ids

    async def connect(self):
        user = self.scope["user"]
        if user.is_authenticated:
+            has_perm = await sync_to_async(user.has_perm)('rbac.view_systemtools')
+            if await self.is_superuser(user) or (settings.TOOL_USER_ENABLED and has_perm):
                await self.accept()
            else:
                await self.close()
+        else:
+            await self.close()

    async def send_msg(self, msg=''):
        await self.send_json({'msg': f'{msg}\r\n'})
@ -96,6 +113,12 @@ class ToolsWebsocket(AsyncJsonWebsocketConsumer):
        await self.send_msg()
        await self.close()

+    async def close(self, code=None):
+        if self.is_closed:
+            return
+        await super().close(code)
+        self.is_closed = True
+
    async def disconnect(self, code):
        await self.close()
        close_old_connections()