From 90587a83cc1b451d624cbc4704addff049041265 Mon Sep 17 00:00:00 2001
From: Ewall555
Date: Mon, 14 Jul 2025 01:49:47 +0000
Subject: [PATCH] feat: support rbac SSO token

---
 apps/authentication/api/sso.py | 8 +++++---
 apps/rbac/const.py | 3 ++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/apps/authentication/api/sso.py b/apps/authentication/api/sso.py
index 801a15a7d..bb0aedbb7 100644
--- a/apps/authentication/api/sso.py
+++ b/apps/authentication/api/sso.py
@@ -14,7 +14,6 @@ from rest_framework.response import Response
 from authentication.errors import ACLError
 from common.api import JMSGenericViewSet
 from common.const.http import POST, GET
-from common.permissions import OnlySuperUser
 from common.serializers import EmptySerializer
 from common.utils import reverse, safe_next_url
 from common.utils.timezone import utc_now
@@ -38,8 +37,11 @@ class SSOViewSet(AuthMixin, JMSGenericViewSet):
 'login_url': SSOTokenSerializer,
 'login': EmptySerializer
 }
-
- @action(methods=[POST], detail=False, permission_classes=[OnlySuperUser], url_path='login-url')
+ rbac_perms = {
+ 'login_url': 'authentication.add_ssotoken',
+ }
+
+ @action(methods=[POST], detail=False, url_path='login-url')
 def login_url(self, request, *args, **kwargs):
 if not settings.AUTH_SSO:
 raise SSOAuthClosed()
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index c47c22dba..172682924 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -24,7 +24,7 @@ exclude_permissions = (
 ('authentication', 'privatetoken', '*', '*'),
 ('authentication', 'connectiontoken', 'delete,change', 'connectiontoken'),
 ('authentication', 'connectiontoken', 'view', 'connectiontokensecret'),
- ('authentication', 'ssotoken', '*', '*'),
+ ('authentication', 'ssotoken', 'change,delete', 'ssotoken'),
 ('authentication', 'superconnectiontoken', 'change,delete', 'superconnectiontoken'),
 ('authentication', 'temptoken', 'delete', 'temptoken'),
 ('users', 'userpasswordhistory', '*', '*'),
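Review bot: The `@action` on `login_url` drops `permission_classes=[OnlySuperUser]` and relies on the new `rbac_perms` entry, but nothing in the hunk shows that the viewset's default permission classes actually consult `rbac_perms`; if they do not, a formerly superuser-only action falls back to whatever `JMSGenericViewSet` applies by default and may become reachable by any authenticated user. A test asserting that a non-superuser lacking `authentication.add_ssotoken` gets 403 from `login-url` would pin the intended behaviour. The mapping also deserves a comment, since it converts a hard superuser gate into a grantable permission: `# add_ssotoken: permits minting SSO login URLs (was superuser-only); grant sparingly`. The body of `login_url` continues outside the hunk.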
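Review bot: Narrowing the ssotoken exclusion from `'*'` to `'change,delete'` makes both `add_ssotoken` and `view_ssotoken` grantable, yet the commit only wires `add` into `rbac_perms`. Unless some endpoint exposes ssotoken objects for reading, `view_ssotoken` becomes a dangling permission that appears in role editors with no effect; following the neighbouring `'delete,change'` entry's format, `('authentication', 'ssotoken', 'change,delete,view', 'ssotoken'),` would keep the grantable set to what the code actually checks. The companion hunk at `@@ -148,6 +148,7 @@` confining ssotoken to `only_system_permissions` is the right scope for this capability.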
@@ -148,6 +148,7 @@ only_system_permissions = (
 ('authentication', 'superconnectiontoken', '*', '*'),
 ('authentication', 'temptoken', '*', '*'),
 ('authentication', 'passkey', '*', '*'),
+ ('authentication', 'ssotoken', '*', '*'),
 ('tickets', '*', '*', '*'),
 ('orgs', 'organization', 'view', 'rootorg'),
 ('terminal', 'applet', '*', '*'),