From 4797f99f60fd3a2915dacbcadca2d9aebce2b2a0 Mon Sep 17 00:00:00 2001
From: BaiJiangJie
Date: Mon, 16 Sep 2019 17:59:21 +0800
Subject: [PATCH] =?UTF-8?q?[Bugfix]=20=E4=BF=AE=E5=A4=8D=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E8=AE=A4=E8=AF=81=E5=BA=8F=E5=88=97=E7=B1=BB=E8=8E=B7=E5=8F=96?=
 =?UTF-8?q?=20request=20=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/authentication/api/auth.py | 26 +++++++++++++++++++++++---
 apps/common/permissions.py      |  6 ++++++
 2 files changed, 29 insertions(+), 3 deletions(-)

diff --git a/apps/authentication/api/auth.py b/apps/authentication/api/auth.py
index 6fbd2b6d2..101d6436e 100644
--- a/apps/authentication/api/auth.py
+++ b/apps/authentication/api/auth.py
@@ -41,6 +41,16 @@ class UserAuthApi(RootOrgViewMixin, APIView):
     permission_classes = (AllowAny,)
     serializer_class = UserSerializer
 
+    def get_serializer_context(self):
+        return {
+            'request': self.request,
+            'view': self
+        }
+
+    def get_serializer(self, *args, **kwargs):
+        kwargs['context'] = self.get_serializer_context()
+        return self.serializer_class(*args, **kwargs)
+
     def post(self, request):
         # limit login
         username = request.data.get('username')
@@ -65,7 +75,7 @@ class UserAuthApi(RootOrgViewMixin, APIView):
             clean_failed_count(username, ip)
             token, expired_at = user.create_bearer_token(request)
             return Response(
-                {'token': token, 'user': self.serializer_class(user).data}
+                {'token': token, 'user': self.get_serializer(user).data}
             )
 
         seed = uuid.uuid4().hex
@@ -77,7 +87,7 @@ class UserAuthApi(RootOrgViewMixin, APIView):
                          'conduct MFA secondary certification'),
                 'otp_url': reverse('api-auth:user-otp-auth'),
                 'seed': seed,
-                'user': self.serializer_class(user).data
+                'user': self.get_serializer(user).data
             },
             status=300
         )
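Review bot: `get_serializer` in UserAuthApi discards any `context` a caller passes, because `kwargs['context'] = self.get_serializer_context()` assigns unconditionally; `kwargs.setdefault('context', self.get_serializer_context())` keeps the same default while letting an explicit context through, which is also how DRF's GenericAPIView implements it. The context built here omits the `format` key that GenericAPIView supplies (`'format': self.format_kwarg`), so fields that depend on it, such as hyperlinked ones, may behave differently on this view than on the generic views; if no such field is used, leaving it out is fine. Note that `self.request.user` is still the anonymous user when the serializer runs, so every serializer field that reads `context['request'].user` is evaluated for an unauthenticated caller — presumably why permissions.py in this same commit gains `is_anonymous` guards. The identical two methods are added again to UserOtpAuthApi in the `@@ -147,6 +157,16 @@` hunk; a small mixin shared by both views would avoid the copy.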
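Review bot: The `status=300` response now returns `self.get_serializer(user).data`, the full UserSerializer representation of the account, before the MFA code has been verified, so a caller holding a valid password but not the second factor receives the user's serialized profile. Only what the client needs to complete the OTP step — the `seed` and `otp_url` already in the payload — should be disclosed here, with the serialized user deferred to the post-MFA response in UserOtpAuthApi. Since `self.request.user` is anonymous at this point, any permission-derived fields in the serializer are also computed for an unauthenticated request. The enclosing `post` method starts outside this hunk.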
@@ -147,6 +157,16 @@ class UserOtpAuthApi(RootOrgViewMixin, APIView):
     permission_classes = (AllowAny,)
     serializer_class = UserSerializer
 
+    def get_serializer_context(self):
+        return {
+            'request': self.request,
+            'view': self
+        }
+
+    def get_serializer(self, *args, **kwargs):
+        kwargs['context'] = self.get_serializer_context()
+        return self.serializer_class(*args, **kwargs)
+
     def post(self, request):
         otp_code = request.data.get('otp_code', '')
         seed = request.data.get('seed', '')
@@ -161,7 +181,7 @@ class UserOtpAuthApi(RootOrgViewMixin, APIView):
             return Response({'msg': _('MFA certification failed')}, status=401)
         self.send_auth_signal(success=True, user=user)
         token, expired_at = user.create_bearer_token(request)
-        data = {'token': token, 'user': self.serializer_class(user).data}
+        data = {'token': token, 'user': self.get_serializer(user).data}
         return Response(data)
 
     def send_auth_signal(self, success=True, user=None, username='', reason=''):
diff --git a/apps/common/permissions.py b/apps/common/permissions.py
index 08350d89b..12bc5c6d4 100644
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -132,6 +132,8 @@ class CanUpdateDeleteUser(permissions.BasePermission):
 
     @staticmethod
     def has_delete_object_permission(request, view, obj):
+        if request.user.is_anonymous:
+            return False
         if not request.user.can_admin_current_org:
             return False
         # 超级管理员 / 组织管理员
@@ -157,6 +159,8 @@ class CanUpdateDeleteUser(permissions.BasePermission):
 
     @staticmethod
     def has_update_object_permission(request, view, obj):
+        if request.user.is_anonymous:
+            return False
         if not request.user.can_admin_current_org:
             return False
         # 超级管理员 / 组织管理员
@@ -179,6 +183,8 @@ class CanUpdateDeleteUser(permissions.BasePermission):
             return True
 
     def has_object_permission(self, request, view, obj):
+        if request.user.is_anonymous:
+            return False
         if not request.user.can_admin_current_org:
             return False
         if request.method in ['DELETE']:
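Review bot: The `if request.user.is_anonymous: return False` guard is added verbatim to `has_delete_object_permission`, to `has_update_object_permission` (hunk `@@ -157,6 +159,8 @@`) and to `has_object_permission` (hunk `@@ -179,6 +183,8 @@`); since `has_object_permission` appears to dispatch on `request.method` to the two static methods, the check runs twice on the normal view path and the three copies must be kept in sync by hand. A one-line static helper, `def _is_org_admin_request(request): return not request.user.is_anonymous and request.user.can_admin_current_org`, called from all three would make the anonymous-or-non-admin refusal a single definition. The guard is presumably needed because these static methods are now also reached with the unauthenticated request from the login views changed in this commit, where `request.user` is AnonymousUser and lacks `can_admin_current_org`; a comment on the guard saying so, `# Login views serialize the user before a session exists; AnonymousUser has no org attributes`, would keep a later maintainer from removing it as redundant. The enclosing class continues outside these hunks.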