fix: windows sync remove account fail and applet deploy rbac perm error and job exection log admin auditor cannot view

2024-05-25 22:45:30 +08:00 · 2024-05-25 22:45:30 +08:00 · 81da9e018a
parent 7f90fccc4f
commit 81da9e018a
3 changed files with 21 additions and 5 deletions
--- a/apps/accounts/automations/remove_account/host/windows/main.yml
+++ b/apps/accounts/automations/remove_account/host/windows/main.yml
@ -4,6 +4,4 @@
    - name: "Remove account"
      ansible.windows.win_user:
        name: "{{ account.username }}"
-        state: absent
-        purge: yes
-        force: yes
+        state: absent
--- a/apps/ops/ws.py
+++ b/apps/ops/ws.py
@ -7,6 +7,7 @@ from channels.generic.websocket import AsyncJsonWebsocketConsumer

 from common.db.utils import close_old_connections
 from common.utils import get_logger
+from rbac.builtin import BuiltinRole
 from .ansible.utils import get_ansible_task_log_path
 from .celery.utils import get_celery_task_log_path
 from .const import CELERY_LOG_MAGIC_MARK
@ -48,13 +49,30 @@ class TaskLogWebsocket(AsyncJsonWebsocketConsumer):
        else:
            return None

+    @sync_to_async
+    def get_current_user_role_ids(self, user):
+        roles = user.system_roles.all() | user.org_roles.all()
+        user_role_ids = set(map(str, roles.values_list('id', flat=True)))
+        return user_role_ids
+
    async def receive_json(self, content, **kwargs):
        task_id = content.get('task')
        task = await self.get_task(task_id)
        if not task:
            await self.send_json({'message': 'Task not found', 'task': task_id})
            return
-        if task.name in self.user_tasks and task.creator != self.scope['user']:
+
+        admin_auditor_role_ids = {
+            BuiltinRole.system_admin.id,
+            BuiltinRole.system_auditor.id,
+            BuiltinRole.org_admin.id,
+            BuiltinRole.org_auditor.id
+        }
+        user = self.scope['user']
+        user_role_ids = await self.get_current_user_role_ids(user)
+        has_admin_auditor_role = bool(admin_auditor_role_ids & user_role_ids)
+
+        if not has_admin_auditor_role and task.name in self.user_tasks and task.creator != user:
            await self.send_json({'message': 'No permission', 'task': task_id})
            return

--- a/apps/terminal/api/applet/host.py
+++ b/apps/terminal/api/applet/host.py
@ -60,7 +60,7 @@ class AppletHostDeploymentViewSet(viewsets.ModelViewSet):
    queryset = AppletHostDeployment.objects.all()
    filterset_fields = ['host', ]
    rbac_perms = (
-        ('applets', 'terminal.view_AppletHostDeployment'),
+        ('applets', 'terminal.view_applethostdeployment'),
        ('uninstall', 'terminal.change_applethost'),
    )