github
/
jumpserver
mirror of https://github.com/jumpserver/jumpserver
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: Other people can delete adhoc or playbook

pull/14440/head
wangruidong 2024-11-12 15:58:41 +08:00 committed by Bryan
parent 86273865c8
commit 804bd289a4
2 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
apps/ops/api/adhoc.py
View File

@ -20,6 +20,11 @@ class AdHocViewSet(JMSBulkModelViewSet):
search_fields = ('name', 'comment')
filterset_fields = ['scope', 'creator']
def allow_bulk_destroy(self, qs, filtered):
for obj in filtered:
self.check_object_permissions(self.request, obj)
return True
def check_object_permissions(self, request, obj):
if request.method != 'GET' and obj.creator != request.user:
self.permission_denied(

5
apps/ops/api/playbook.py
View File

@ -38,6 +38,11 @@ class PlaybookViewSet(JMSBulkModelViewSet):
search_fields = ('name', 'comment')
filterset_fields = ['scope', 'creator']
def allow_bulk_destroy(self, qs, filtered):
for obj in filtered:
self.check_object_permissions(self.request, obj)
return True
def check_object_permissions(self, request, obj):
if request.method != 'GET' and obj.creator != request.user:
self.permission_denied(