From 81da9e018ac53851dd65d7ee278f0c202535c837 Mon Sep 17 00:00:00 2001
From: feng <1304903146@qq.com>
Date: Sat, 25 May 2024 22:45:30 +0800
Subject: [PATCH] fix: windows sync remove account fail and applet deploy rbac perm error and job exection log admin auditor cannot view

---
 .../remove_account/host/windows/main.yml | 4 +---
 apps/ops/ws.py | 20 ++++++++++++++++++-
 apps/terminal/api/applet/host.py | 2 +-
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/apps/accounts/automations/remove_account/host/windows/main.yml b/apps/accounts/automations/remove_account/host/windows/main.yml
index 7be9940b3..a3856c1ce 100644
--- a/apps/accounts/automations/remove_account/host/windows/main.yml
+++ b/apps/accounts/automations/remove_account/host/windows/main.yml
@@ -4,6 +4,4 @@
 - name: "Remove account"
 ansible.windows.win_user:
 name: "{{ account.username }}"
- state: absent
- purge: yes
- force: yes
\ No newline at end of file
+ state: absent
\ No newline at end of file
diff --git a/apps/ops/ws.py b/apps/ops/ws.py
index 9605835a0..a9660482a 100644
--- a/apps/ops/ws.py
+++ b/apps/ops/ws.py
@@ -7,6 +7,7 @@ from channels.generic.websocket import AsyncJsonWebsocketConsumer
 from common.db.utils import close_old_connections
 from common.utils import get_logger
+from rbac.builtin import BuiltinRole
 from .ansible.utils import get_ansible_task_log_path
 from .celery.utils import get_celery_task_log_path
 from .const import CELERY_LOG_MAGIC_MARK
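Review bot: Dropping `purge: yes` and `force: yes` changes what the play leaves on the host, not only what made it fail: with `state: absent` alone, `ansible.windows.win_user` removes the account but, as far as I know, does not delete the user's profile directory, which is presumably what `purge` was meant to achieve (those two keys look like options of the POSIX `user` module rather than of `win_user`, which would explain the reported failure). If leaving the profile behind is acceptable, a comment on the task such as `# win_user has no purge option; the profile directory is left on the host` would stop the next reader from re-adding the unsupported keys. If it is not acceptable, profile removal now needs its own task, because this one no longer attempts it.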
@@ -48,13 +49,30 @@ class TaskLogWebsocket(AsyncJsonWebsocketConsumer):
 else:
 return None
 
+ @sync_to_async
+ def get_current_user_role_ids(self, user):
+ roles = user.system_roles.all() | user.org_roles.all()
+ user_role_ids = set(map(str, roles.values_list('id', flat=True)))
+ return user_role_ids
+
 async def receive_json(self, content, **kwargs):
 task_id = content.get('task')
 task = await self.get_task(task_id)
 if not task:
 await self.send_json({'message': 'Task not found', 'task': task_id})
 return
- if task.name in self.user_tasks and task.creator != self.scope['user']:
+
+ admin_auditor_role_ids = {
+ BuiltinRole.system_admin.id,
+ BuiltinRole.system_auditor.id,
+ BuiltinRole.org_admin.id,
+ BuiltinRole.org_auditor.id
+ }
+ user = self.scope['user']
+ user_role_ids = await self.get_current_user_role_ids(user)
+ has_admin_auditor_role = bool(admin_auditor_role_ids & user_role_ids)
+
+ if not has_admin_auditor_role and task.name in self.user_tasks and task.creator != user:
 await self.send_json({'message': 'No permission', 'task': task_id})
 return
 
diff --git a/apps/terminal/api/applet/host.py b/apps/terminal/api/applet/host.py
index 6022a3b49..a67ccf9db 100644
--- a/apps/terminal/api/applet/host.py
+++ b/apps/terminal/api/applet/host.py
@@ -60,7 +60,7 @@ class AppletHostDeploymentViewSet(viewsets.ModelViewSet):
 queryset = AppletHostDeployment.objects.all()
 filterset_fields = ['host', ]
 rbac_perms = (
- ('applets', 'terminal.view_AppletHostDeployment'),
+ ('applets', 'terminal.view_applethostdeployment'),
 ('uninstall', 'terminal.change_applethost'),
 )
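Review bot: The new bypass in `receive_json` is granted from `user.org_roles.all()` without relating those roles to the organization the task belongs to, so unless `org_roles` is already scoped to the task's org (not visible in this hunk), an org admin or auditor of one organization could read the execution logs of tasks created in another. Confirm that scoping, or filter the org-role query by the task's organization before unioning it with `system_roles`. `get_current_user_role_ids` also issues its queries on every incoming message rather than once per connection; if role changes need not take effect mid-connection, caching the result on `self` after the first `receive_json` avoids the repeated round trip. A docstring on `get_current_user_role_ids` stating that it returns the string IDs of the user's system and org roles combined would help, since the union of two querysets is easy to misread. The enclosing class continues outside the hunk.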
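Review bot: The corrected codename `terminal.view_applethostdeployment` is right because Django lowercases the model name in default permission codenames, but the old value shows that a mistyped codename in `rbac_perms` presumably fails silently (the check never matches, so the action is denied rather than reported). A small test that resolves every codename listed in each viewset's `rbac_perms` against `django.contrib.auth.models.Permission` would catch the next typo at test time instead of in production. The enclosing class `AppletHostDeploymentViewSet` continues outside the hunk.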