feat: 限制超级权限

apps/jumpserver/conf.py

@@ -578,7 +578,9 @@ class Config(dict):
         'FTP_FILE_MAX_STORE': 100,
 
         # API 请求次数限制
-        'MAX_LIMIT_PER_PAGE': 100
+        'MAX_LIMIT_PER_PAGE': 100,
+
+        'LIMIT_SUPER_PRIV': False,
     }
 
     old_config_map = {

apps/jumpserver/settings/custom.py

@@ -203,3 +203,4 @@ MAX_LIMIT_PER_PAGE = CONFIG.MAX_LIMIT_PER_PAGE
 
 # Magnus DB Port
 MAGNUS_ORACLE_PORTS = CONFIG.MAGNUS_ORACLE_PORTS
+LIMIT_SUPER_PRIV = CONFIG.LIMIT_SUPER_PRIV

apps/users/models/user.py

@@ -400,10 +400,17 @@ class RoleMixin:
         data = cache.get(key)
         if data:
             return data
+        console_orgs = RoleBinding.get_user_has_the_perm_orgs('rbac.view_console', self)
+        audit_orgs = RoleBinding.get_user_has_the_perm_orgs('rbac.view_audit', self)
+        workbench_orgs = RoleBinding.get_user_has_the_perm_orgs('rbac.view_workbench', self)
+
+        if settings.LIMIT_SUPER_PRIV:
+            audit_orgs = list(set(audit_orgs) - set(console_orgs))
+
         data = {
-            'console_orgs': RoleBinding.get_user_has_the_perm_orgs('rbac.view_console', self),
-            'audit_orgs': RoleBinding.get_user_has_the_perm_orgs('rbac.view_audit', self),
-            'workbench_orgs': RoleBinding.get_user_has_the_perm_orgs('rbac.view_workbench', self),
+            'console_orgs': console_orgs,
+            'audit_orgs': audit_orgs,
+            'workbench_orgs': workbench_orgs,
         }
         cache.set(key, data, 60 * 60)
         return data
@@ -541,6 +548,9 @@ class RoleMixin:
     def get_all_permissions(self):
         from rbac.models import RoleBinding
         perms = RoleBinding.get_user_perms(self)
+
+        if settings.LIMIT_SUPER_PRIV and 'view_console' in perms:
+            perms = [p for p in perms if p != "view_audit"]
         return perms