From 82f96d6ed2dc67f124a8c851269608a15e8dcabd Mon Sep 17 00:00:00 2001
From: ibuler
Date: Thu, 14 Sep 2023 10:42:16 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E9=99=90=E5=88=B6=E8=B6=85=E7=BA=A7?= =?UTF-8?q?=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/jumpserver/conf.py | 4 +++-
 apps/jumpserver/settings/custom.py | 1 +
 apps/users/models/user.py | 16 +++++++++++++---
 3 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 9b6127c4b..b24ef5746 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -578,7 +578,9 @@ class Config(dict):
 'FTP_FILE_MAX_STORE': 100,
 # API 请求次数限制
- 'MAX_LIMIT_PER_PAGE': 100
+ 'MAX_LIMIT_PER_PAGE': 100,
+
+ 'LIMIT_SUPER_PRIV': False,
 }
 old_config_map = {
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index 0bc8b380b..18d0bccca 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -203,3 +203,4 @@ MAX_LIMIT_PER_PAGE = CONFIG.MAX_LIMIT_PER_PAGE
 # Magnus DB Port
 MAGNUS_ORACLE_PORTS = CONFIG.MAGNUS_ORACLE_PORTS
+LIMIT_SUPER_PRIV = CONFIG.LIMIT_SUPER_PRIV
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 49ac4182f..93228aa9b 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -400,10 +400,17 @@ class RoleMixin:
 data = cache.get(key)
 if data:
 return data
+ console_orgs = RoleBinding.get_user_has_the_perm_orgs('rbac.view_console', self)
+ audit_orgs = RoleBinding.get_user_has_the_perm_orgs('rbac.view_audit', self)
+ workbench_orgs = RoleBinding.get_user_has_the_perm_orgs('rbac.view_workbench', self)
+
+ if settings.LIMIT_SUPER_PRIV:
+ audit_orgs = list(set(audit_orgs) - set(console_orgs))
+
 data = {
- 'console_orgs': RoleBinding.get_user_has_the_perm_orgs('rbac.view_console', self),
- 'audit_orgs': RoleBinding.get_user_has_the_perm_orgs('rbac.view_audit', self),
- 'workbench_orgs': RoleBinding.get_user_has_the_perm_orgs('rbac.view_workbench', self),
+ 'console_orgs': console_orgs,
+ 'audit_orgs': audit_orgs,
+ 'workbench_orgs': workbench_orgs,
 }
 cache.set(key, data, 60 * 60)
 return data
@@ -541,6 +548,9 @@ class RoleMixin:
 def get_all_permissions(self):
 from rbac.models import RoleBinding
 perms = RoleBinding.get_user_perms(self)
+
+ if settings.LIMIT_SUPER_PRIV and 'view_console' in perms:
+ perms = [p for p in perms if p != "view_audit"]
 return perms
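Review bot: In the first user.py hunk the filtered `audit_orgs` is stored by `cache.set(key, data, 60 * 60)`, so an entry computed before LIMIT_SUPER_PRIV was enabled (or before a role binding changed) keeps listing audit orgs for console users until it expires. The cache key and any invalidation are built outside the hunk; if the key does not already vary with the setting, include the flag in it or clear these keys when the setting changes. Separately, `list(set(audit_orgs) - set(console_orgs))` discards the order returned by the lookup, which matters if a caller treats the first org as the default; `console = set(console_orgs)` followed by `audit_orgs = [o for o in audit_orgs if o not in console]` keeps it. The enclosing method begins above the hunk.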
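Review bot: The check added to get_all_permissions compares against the bare names `'view_console'` and `"view_audit"`, while the org lookups in the previous hunk pass app-qualified names such as `'rbac.view_console'`. The return format of RoleBinding.get_user_perms is not visible here; if it yields qualified names, the condition never matches and the audit permission is not removed even with LIMIT_SUPER_PRIV enabled. In that case the lines should read `if settings.LIMIT_SUPER_PRIV and 'rbac.view_console' in perms:` and `perms = [p for p in perms if p != 'rbac.view_audit']`. The filtered branch also returns a list where the other branch returns whatever get_user_perms produced, so callers relying on the original container type should be checked, and a unit test with the flag on would pin the intended result.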