fix(orgs): 修复访问 current org api 错误

perf(users): 优化用户删除和移除行为 perf: 优化组织权限判断
2021-03-15 14:53:19 +08:00 · 2021-03-15 14:53:19 +08:00 · 7dfd0ee8fe
parent 41f375a4f7
commit 7dfd0ee8fe
6 changed files with 39 additions and 19 deletions
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@ -109,9 +109,9 @@ class PermissionsMixin(UserPassesTestMixin):
        return True


-class UserCanUseCurrentOrg(permissions.BasePermission):
+class UserCanAnyPermCurrentOrg(permissions.BasePermission):
    def has_permission(self, request, view):
-        return current_org.can_use_by(request.user)
+        return current_org.can_any_by(request.user)


 class UserCanUpdatePassword(permissions.BasePermission):
--- a/apps/orgs/api.py
+++ b/apps/orgs/api.py
@ -8,7 +8,7 @@ from rest_framework_bulk import BulkModelViewSet
 from rest_framework.generics import RetrieveAPIView
 from rest_framework.exceptions import PermissionDenied

-from common.permissions import IsSuperUserOrAppUser, IsValidUser, UserCanUseCurrentOrg
+from common.permissions import IsSuperUserOrAppUser, IsValidUser, UserCanAnyPermCurrentOrg
 from common.drf.api import JMSBulkRelationModelViewSet
 from .models import Organization, ROLE
 from .serializers import (
@ -136,7 +136,7 @@ class OrgMemberUserRelationBulkViewSet(JMSBulkRelationModelViewSet):

 class CurrentOrgDetailApi(RetrieveAPIView):
    serializer_class = CurrentOrgSerializer
-    permission_classes = (IsValidUser, UserCanUseCurrentOrg)
+    permission_classes = (IsValidUser, UserCanAnyPermCurrentOrg)

    def get_object(self):
        return current_org
--- a/apps/orgs/models.py
+++ b/apps/orgs/models.py
@ -118,6 +118,8 @@ class Organization(models.Model):
    def can_audit_by(self, user):
        if user.is_superuser or user.is_super_auditor:
            return True
+        if self.can_admin_by(user):
+            return True
        if self.auditors.filter(id=user.id).exists():
            return True
        return False
@ -125,10 +127,17 @@ class Organization(models.Model):
    def can_use_by(self, user):
        if user.is_superuser or user.is_super_auditor:
            return True
+        if self.can_audit_by(user):
+            return True
        if self.users.filter(id=user.id).exists():
            return True
        return False

+    def can_any_by(self, user):
+        if user.is_superuser or user.is_super_auditor:
+            return True
+        return self.members.filter(id=user.id).exists()
+
    @classmethod
    def get_user_orgs_by_role(cls, user, role):
        if not isinstance(role, (tuple, list)):
--- a/apps/settings/api/common.py
+++ b/apps/settings/api/common.py
@ -98,12 +98,9 @@ class PublicSettingApi(generics.RetrieveAPIView):
    def get_xpack_license_is_valid():
        if not settings.XPACK_ENABLED:
            return False
-        try:
-            from xpack.plugins.license.models import License
-            return License.has_valid_license()
-        except Exception as e:
-            logger.error(e)
-            return False
+
+        from xpack.plugins.license.models import License
+        return License.has_valid_license()

    @staticmethod
    def get_login_title():
--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@ -2,7 +2,7 @@
 from django.core.cache import cache
 from django.utils.translation import ugettext as _
 from rest_framework.decorators import action
-
+from django.conf import settings
 from rest_framework import generics
 from rest_framework.response import Response
 from rest_framework_bulk import BulkModelViewSet
@ -88,17 +88,14 @@ class UserViewSet(CommonApiMixin, UserQuerysetMixin, BulkModelViewSet):

    def get_permissions(self):
        if self.action in ["retrieve", "list"]:
-            self.permission_classes = (IsOrgAdminOrAppUser,)
-        if self.request.query_params.get('all'):
+            if self.request.query_params.get('all'):
+                self.permission_classes = (IsSuperUser,)
+            else:
+                self.permission_classes = (IsOrgAdminOrAppUser,)
+        elif self.action in ['destroy']:
            self.permission_classes = (IsSuperUser,)
        return super().get_permissions()

-    def perform_destroy(self, instance):
-        if not current_org.is_root():
-            instance.remove()
-        else:
-            return super().perform_destroy(instance)
-
    def perform_bulk_destroy(self, objects):
        for obj in objects:
            self.check_object_permissions(self.request, obj)
@ -164,6 +161,21 @@ class UserViewSet(CommonApiMixin, UserQuerysetMixin, BulkModelViewSet):
        OrganizationMember.objects.bulk_create(relations, ignore_conflicts=True)
        return Response(serializer.data, status=201)

+    @action(methods=['post'], detail=True, permission_classes=(IsOrgAdmin,))
+    def remove(self, request, *args, **kwargs):
+        instance = self.get_object()
+        instance.remove()
+        return Response(status=204)
+
+    @action(methods=['post'], detail=False, permission_classes=(IsOrgAdmin,), url_path='remove')
+    def bulk_remove(self, request, *args, **kwargs):
+        qs = self.get_queryset()
+        filtered = self.filter_queryset(qs)
+
+        for instance in filtered:
+            instance.remove()
+        return Response(status=204)
+

 class UserChangePasswordApi(UserQuerysetMixin, generics.RetrieveUpdateAPIView):
    permission_classes = (IsOrgAdmin,)
--- a/apps/users/serializers/profile.py
+++ b/apps/users/serializers/profile.py
@ -11,6 +11,8 @@ from .user import UserSerializer
 class UserOrgSerializer(serializers.Serializer):
    id = serializers.CharField()
    name = serializers.CharField()
+    is_default = serializers.BooleanField(read_only=True)
+    is_root = serializers.BooleanField(read_only=True)


 class UserOrgLabelSerializer(serializers.Serializer):