perf(permission): 优化权限控制，显式的声明权限

2021-02-03 10:52:51 +08:00 · 2021-02-03 10:52:51 +08:00 · 93474766f6
parent 542eb25e7b
commit 93474766f6
9 changed files with 14 additions and 12 deletions
--- a/apps/assets/api/mixin.py
+++ b/apps/assets/api/mixin.py
@ -2,13 +2,11 @@ from typing import List

 from assets.models import Node, Asset
 from assets.pagination import AssetLimitOffsetPagination
-from common.utils import lazyproperty, dict_get_any, is_uuid, get_object_or_none
+from common.utils import lazyproperty
 from assets.utils import get_node, is_query_node_all_assets


 class SerializeToTreeNodeMixin:
-    permission_classes = ()
-
    def serialize_nodes(self, nodes: List[Node], with_asset_amount=False):
        if with_asset_amount:
            def _name(node: Node):
--- a/apps/authentication/api/init.py
+++ b/apps/authentication/api/init.py
@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 #

-from .auth import *
+from .connection_token import *
 from .token import *
 from .mfa import *
 from .access_key import *
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
--- a/apps/authentication/api/login_confirm.py
+++ b/apps/authentication/api/login_confirm.py
@ -3,10 +3,10 @@
 from rest_framework.generics import UpdateAPIView
 from rest_framework.response import Response
 from rest_framework.views import APIView
+from rest_framework.permissions import AllowAny
 from django.shortcuts import get_object_or_404
-from django.utils.translation import ugettext as _

-from common.utils import get_logger, get_object_or_none
+from common.utils import get_logger
 from common.permissions import IsOrgAdmin
 from ..models import LoginConfirmSetting
 from ..serializers import LoginConfirmSettingSerializer
@ -32,7 +32,7 @@ class LoginConfirmSettingUpdateApi(UpdateAPIView):


 class TicketStatusApi(mixins.AuthMixin, APIView):
-    permission_classes = ()
+    permission_classes = (AllowAny,)

    def get(self, request, *args, **kwargs):
        try:
--- a/apps/authentication/api/sso.py
+++ b/apps/authentication/api/sso.py
@ -7,6 +7,7 @@ from django.http.response import HttpResponseRedirect
 from rest_framework.decorators import action
 from rest_framework.response import Response
 from rest_framework.request import Request
+from rest_framework.permissions import AllowAny

 from common.utils.timezone import utcnow
 from common.const.http import POST, GET
@ -31,6 +32,7 @@ class SSOViewSet(AuthMixin, JmsGenericViewSet):
        'login_url': SSOTokenSerializer,
        'login': EmptySerializer
    }
+    permission_classes = (IsSuperUser,)

    @action(methods=[POST], detail=False, permission_classes=[IsSuperUser], url_path='login-url')
    def login_url(self, request, *args, **kwargs):
@ -54,7 +56,7 @@ class SSOViewSet(AuthMixin, JmsGenericViewSet):
        login_url = '%s?%s' % (reverse('api-auth:sso-login', external=True), urlencode(query))
        return Response(data={'login_url': login_url})

-    @action(methods=[GET], detail=False, filter_backends=[AuthKeyQueryDeclaration], permission_classes=[])
+    @action(methods=[GET], detail=False, filter_backends=[AuthKeyQueryDeclaration], permission_classes=[AllowAny])
    def login(self, request: Request, *args, **kwargs):
        """
        此接口违反了 `Restful` 的规范
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@ -97,7 +97,7 @@ class WithBootstrapToken(permissions.BasePermission):


 class PermissionsMixin(UserPassesTestMixin):
-    permission_classes = []
+    permission_classes = [permissions.IsAuthenticated]

    def get_permissions(self):
        return self.permission_classes
--- a/apps/jumpserver/api.py
+++ b/apps/jumpserver/api.py
@ -4,6 +4,7 @@ from django.utils.timesince import timesince
 from django.db.models import Count, Max
 from django.http.response import JsonResponse, HttpResponse
 from rest_framework.views import APIView
+from rest_framework.permissions import AllowAny
 from collections import Counter

 from users.models import User
@ -307,7 +308,7 @@ class IndexApi(TotalCountMixin, DatesLoginMetricMixin, APIView):


 class PrometheusMetricsApi(APIView):
-    permission_classes = ()
+    permission_classes = (AllowAny,)

    def get(self, request, *args, **kwargs):
        util = ComponentsPrometheusMetricsUtil()
--- a/apps/jumpserver/settings/libs.py
+++ b/apps/jumpserver/settings/libs.py
@ -7,7 +7,7 @@ REST_FRAMEWORK = {
    # Use Django's standard `django.contrib.auth` permissions,
    # or allow read-only access for unauthenticated users.
    'DEFAULT_PERMISSION_CLASSES': (
-        'common.permissions.IsOrgAdmin',
+        'common.permissions.IsSuperUser',
    ),
    'DEFAULT_RENDERER_CLASSES': (
        'rest_framework.renderers.JSONRenderer',
--- a/apps/jumpserver/views/other.py
+++ b/apps/jumpserver/views/other.py
@ -9,6 +9,7 @@ from django.views.generic import View
 from django.shortcuts import redirect
 from django.utils.translation import ugettext_lazy as _
 from rest_framework.views import APIView
+from rest_framework.permissions import AllowAny
 from django.views.decorators.csrf import csrf_exempt
 from django.http import HttpResponse

@ -64,7 +65,7 @@ def redirect_old_apps_view(request, *args, **kwargs):


 class HealthCheckView(APIView):
-    permission_classes = ()
+    permission_classes = (AllowAny,)

    def get(self, request):
        return JsonResponse({"status": 1, "time": int(time.time())})