From 540becdcbef659dcea923b407ffc721f14426b8d Mon Sep 17 00:00:00 2001 From: feng <1304903146@qq.com> Date: Wed, 20 Aug 2025 17:08:53 +0800 Subject: [PATCH] perf: org admin view settings --- apps/assets/api/platform.py | 10 ++++++++++ apps/rbac/models/rolebinding.py | 7 +++++++ apps/settings/api/settings.py | 8 ++++++-- 3 files changed, 23 insertions(+), 2 deletions(-) diff --git a/apps/assets/api/platform.py b/apps/assets/api/platform.py index 2bb9f84b2..ce2ba0dae 100644 --- a/apps/assets/api/platform.py +++ b/apps/assets/api/platform.py @@ -12,10 +12,13 @@ from assets.serializers import PlatformSerializer, PlatformProtocolSerializer, P from common.api import JMSModelViewSet from common.permissions import IsValidUser from common.serializers import GroupedChoiceSerializer +from rbac.models import RoleBinding __all__ = ['AssetPlatformViewSet', 'PlatformAutomationMethodsApi', 'PlatformProtocolViewSet'] + + class PlatformFilter(filters.FilterSet): name__startswith = filters.CharFilter(field_name='name', lookup_expr='istartswith') @@ -63,6 +66,13 @@ class AssetPlatformViewSet(JMSModelViewSet): return super().get_object() return self.get_queryset().get(name=pk) + + def check_permissions(self, request): + if self.action == 'list' and RoleBinding.is_org_admin(request.user): + return True + else: + return super().check_permissions(request) + def check_object_permissions(self, request, obj): if request.method.lower() in ['delete', 'put', 'patch'] and obj.internal: self.permission_denied( diff --git a/apps/rbac/models/rolebinding.py b/apps/rbac/models/rolebinding.py index ee019f34b..05dbd95b2 100644 --- a/apps/rbac/models/rolebinding.py +++ b/apps/rbac/models/rolebinding.py 
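Review bot: In `AssetPlatformViewSet.check_permissions` (second hunk of apps/assets/api/platform.py) the early `return True` skips `super().check_permissions(request)` entirely, so for `list` every permission class configured on the viewset is bypassed, not only the RBAC check. `RoleBinding.is_org_admin` only looks up a role binding, so whatever account-state checks those classes perform (for example `IsValidUser`, imported in this file) no longer run for org admins. If `IsValidUser` is a regular DRF permission class, keeping it in the condition preserves that baseline: `if self.action == 'list' and IsValidUser().has_permission(request, self) and RoleBinding.is_org_admin(request.user):`. DRF ignores the return value of `check_permissions`, so a bare `return` with no `else` branch would read more accurately than `return True`.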
@@ -110,6 +110,13 @@ class RoleBinding(JMSBaseModel): def is_scope_org(self): return self.scope == Scope.org + @classmethod + def is_org_admin(cls, user): + from rbac.builtin import BuiltinRole + return cls.objects_raw.filter( + role_id=BuiltinRole.org_admin.id, user_id=user.id + ).exists() + @staticmethod def orgs_order_by_name(orgs): from orgs.models import Organization diff --git a/apps/settings/api/settings.py b/apps/settings/api/settings.py index b986b0394..c9ba2b802 100644 --- a/apps/settings/api/settings.py +++ b/apps/settings/api/settings.py @@ -1,5 +1,4 @@ # -*- coding: utf-8 -*- -# from django.conf import settings from django.core.cache import cache @@ -12,6 +11,7 @@ from rest_framework.views import APIView from common.utils import get_logger from jumpserver.conf import Config +from rbac.models import RoleBinding from rbac.permissions import RBACPermission from users.models import User from .. import serializers @@ -118,10 +118,14 @@ class SettingsApi(generics.RetrieveUpdateAPIView): return Setting.objects.all() def check_permissions(self, request): + ok = RoleBinding.is_org_admin(request.user) category = request.query_params.get('category', 'basic') perm_required = self.rbac_category_permissions.get(category) - has = self.request.user.has_perm(perm_required) + if ok and perm_required == 'settings.view_setting': + return True + + has = request.user.has_perm(perm_required) if not has: self.permission_denied(request)
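Review bot: `is_org_admin` filters on `role_id` and `user_id` only, through `objects_raw` (presumably the manager without org filtering), so it is true when the user holds the builtin org-admin role in any organization, not necessarily the one the request is acting in. Both new callers use it as an authorization shortcut, so that scope should be explicit, for example with the docstring `"""Return True if user is bound to the builtin org-admin role in at least one org; not limited to the current org."""`, or the query should be narrowed if current-org semantics are intended. The callers pass `request.user` before any permission class has run, so an unauthenticated user arrives with `user.id` equal to `None` and the filter becomes a NULL match on `user_id`. Adding `if not getattr(user, 'is_authenticated', False): return False` at the top avoids relying on no such rows existing.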
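Review bot: The new shortcut in `SettingsApi.check_permissions` does not look at `request.method`, and the view is a `RetrieveUpdateAPIView`, so a PUT or PATCH for any category whose required permission is `'settings.view_setting'` (the default category is `'basic'`) also returns early for an org admin without `has_perm` being consulted. If only read access is intended, the condition should say so: `if request.method == 'GET' and perm_required == 'settings.view_setting' and RoleBinding.is_org_admin(request.user):`. Putting the `is_org_admin` call last also avoids the role-binding query that the `ok = ...` line currently issues on every request, whatever the category. The end of the method may lie outside this hunk.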