From b644c47173e2cb0ccb4d41f169f27f75c4fc906c Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Fri, 11 Mar 2022 11:04:21 +0800 Subject: [PATCH 01/13] =?UTF-8?q?perf:=20=E6=8E=92=E9=99=A4=E5=B7=A5?= =?UTF-8?q?=E5=8D=95=E6=B5=81=E6=9D=83=E9=99=90=20(#7798)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: feng626 <1304903146@qq.com> --- apps/rbac/const.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/rbac/const.py b/apps/rbac/const.py index c575cbfac..61a009e1c 100644 --- a/apps/rbac/const.py +++ b/apps/rbac/const.py @@ -57,9 +57,10 @@ exclude_permissions = ( ('audits', 'userloginlog', 'add,change,delete,change', 'userloginlog'), ('audits', 'ftplog', 'change,delete', 'ftplog'), ('tickets', 'ticket', '*', '*'), + ('tickets', 'ticketflow', 'add,delete', 'ticketflow'), ('tickets', 'comment', 'change,delete', 'comment'), ('tickets', 'ticketstep', '*', '*'), - ('tickets', 'ticketapprovalrule', '*', '*'), + ('tickets', 'approvalrule', '*', '*'), ('xpack', 'interface', '*', '*'), ('xpack', 'license', '*', '*'), ('xpack', 'syncinstancedetail', 'add,delete,change', 'syncinstancedetail'), From 10c877c12053f29e54c0a6af80be5cc34f48cd4d Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Fri, 11 Mar 2022 13:30:14 +0800 Subject: [PATCH 02/13] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=B7=A5?= =?UTF-8?q?=E5=8D=95ticket=20exclude=20perm=20(#7799)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: 修复工单ticket exclude perm * fix: 修复perm tree Co-authored-by: feng626 <1304903146@qq.com> --- apps/rbac/const.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/apps/rbac/const.py b/apps/rbac/const.py index 61a009e1c..15ae12b05 100644 --- a/apps/rbac/const.py +++ b/apps/rbac/const.py 
@@ -23,6 +23,10 @@ exclude_permissions = ( ('common', 'setting', '*', '*'), ('authentication', 'privatetoken', '*', '*'), + ('authentication', 'accesskey', 'change,delete', 'accesskey'), + ('authentication', 'connectiontoken', 'change,delete', 'connectiontoken'), + ('authentication', 'ssotoken', 'change,delete', 'ssotoken'), + ('authentication', 'superconnectiontoken', 'change,delete', 'superconnectiontoken'), ('users', 'userpasswordhistory', '*', '*'), ('applications', 'applicationuser', '*', '*'), ('applications', 'historicalaccount', '*', '*'), @@ -56,9 +60,9 @@ exclude_permissions = ( ('audits', 'passwordchangelog', 'add,change,delete', 'passwordchangelog'), ('audits', 'userloginlog', 'add,change,delete,change', 'userloginlog'), ('audits', 'ftplog', 'change,delete', 'ftplog'), - ('tickets', 'ticket', '*', '*'), ('tickets', 'ticketflow', 'add,delete', 'ticketflow'), ('tickets', 'comment', 'change,delete', 'comment'), + ('tickets', 'ticket', 'delete', 'ticket'), ('tickets', 'ticketstep', '*', '*'), ('tickets', 'approvalrule', '*', '*'), ('xpack', 'interface', '*', '*'), @@ -76,6 +80,7 @@ exclude_permissions = ( only_system_permissions = ( + ('assets', 'platform', '*', '*'), ('users', 'user', 'delete', 'user'), ('rbac', 'role', 'delete,add,change', 'role'), ('rbac', 'systemrole', '*', '*'), From 416d4bd0c31aba86932cf383b12cba23e0476475 Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Fri, 11 Mar 2022 17:24:28 +0800 Subject: [PATCH 03/13] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8Dtree=20(#7802)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: feng626 <1304903146@qq.com> --- apps/rbac/builtin.py | 1 + apps/rbac/const.py | 4 +++- .../migrations/0008_auto_20220311_1623.py | 17 +++++++++++++++++ 3 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 apps/settings/migrations/0008_auto_20220311_1623.py 
diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py index 64a73d546..0fe12195e 100644 --- a/apps/rbac/builtin.py +++ b/apps/rbac/builtin.py @@ -22,6 +22,7 @@ auditor_perms = user_perms + ( ('terminal', 'sessionreplay', 'view,download', 'sessionreplay'), ('terminal', 'session', '*', '*'), ('terminal', 'command', '*', '*'), + ('ops', 'commandexecution', 'view', 'commandexecution') ) diff --git a/apps/rbac/const.py b/apps/rbac/const.py index 15ae12b05..9e25279fb 100644 --- a/apps/rbac/const.py +++ b/apps/rbac/const.py @@ -60,11 +60,14 @@ exclude_permissions = ( ('audits', 'passwordchangelog', 'add,change,delete', 'passwordchangelog'), ('audits', 'userloginlog', 'add,change,delete,change', 'userloginlog'), ('audits', 'ftplog', 'change,delete', 'ftplog'), + ('tickets', 'ticketassignee', '*', 'ticketassignee'), ('tickets', 'ticketflow', 'add,delete', 'ticketflow'), ('tickets', 'comment', 'change,delete', 'comment'), ('tickets', 'ticket', 'delete', 'ticket'), ('tickets', 'ticketstep', '*', '*'), ('tickets', 'approvalrule', '*', '*'), + ('tickets', 'superticket', 'delete', 'superticket'), + ('tickets', 'ticketsession', 'delete', 'ticketsession'), ('xpack', 'interface', '*', '*'), ('xpack', 'license', '*', '*'), ('xpack', 'syncinstancedetail', 'add,delete,change', 'syncinstancedetail'), @@ -87,7 +90,6 @@ only_system_permissions = ( ('rbac', 'rolebinding', '*', '*'), ('rbac', 'systemrolebinding', '*', '*'), ('rbac', 'orgrole', 'delete,add,change', '*'), - ('rbac', 'orgrolebinding', 'delete,add,change', '*'), ('orgs', 'organization', '*', '*'), ('xpack', 'license', '*', '*'), ('settings', 'setting', '*', '*'), diff --git a/apps/settings/migrations/0008_auto_20220311_1623.py b/apps/settings/migrations/0008_auto_20220311_1623.py new file mode 100644 index 000000000..91f342927 --- /dev/null +++ b/apps/settings/migrations/0008_auto_20220311_1623.py 
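Review bot: The tuple added to `auditor_perms` in apps/rbac/builtin.py, `('ops', 'commandexecution', 'view', 'commandexecution')`, has no trailing comma, unlike every sibling entry. The next entry appended below it without one would parse as a call on the tuple and raise a TypeError at import time. Write it as `('ops', 'commandexecution', 'view', 'commandexecution'),`.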
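Review bot: In the first apps/rbac/const.py hunk, `('tickets', 'ticketassignee', '*', 'ticketassignee')` pairs a wildcard action with a named fourth field, while the neighbouring wildcard entries use `'*', '*'`. The code that consumes `exclude_permissions` is not visible here, so it is worth confirming both spellings match the same permissions, because a mismatch would silently leave those permissions assignable in roles. A short comment above the tuple documenting the field layout, e.g. `# (app_label, model, comma-separated actions or '*', resource or '*')`, would make such entries easier to review. `exclude_permissions` starts and ends outside the hunk.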
@@ -0,0 +1,17 @@ +# Generated by Django 3.1.14 on 2022-03-11 08:23 + +from django.db import migrations + + +class Migration(migrations.Migration): + + dependencies = [ + ('settings', '0007_auto_20220310_2006'), + ] + + operations = [ + migrations.AlterModelOptions( + name='setting', + options={'permissions': [('change_basic', 'Can change basic setting'), ('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_systemmsgsubscription', 'Can sys msg sub setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_interface', 'Can change interface setting'), ('change_license', 'Can change license setting'), ('change_terminal', 'Can change terminal setting'), ('change_other', 'Can change other setting')], 'verbose_name': 'System setting'}, + ), + ] From f0325c48df4e925bc6bf4163637f8e372957ccb5 Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Fri, 11 Mar 2022 19:31:29 +0800 Subject: [PATCH 04/13] =?UTF-8?q?fix:=20=E5=B7=A5=E5=8D=95=E6=9D=83?= =?UTF-8?q?=E9=99=90=20(#7808)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: feng626 <1304903146@qq.com> --- apps/tickets/api/comment.py | 3 ++- apps/tickets/api/ticket.py | 1 - 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/tickets/api/comment.py b/apps/tickets/api/comment.py index dc7740d1a..382ad2c99 100644 --- a/apps/tickets/api/comment.py +++ b/apps/tickets/api/comment.py @@ -4,6 +4,7 @@ from rest_framework import viewsets, mixins from common.exceptions import JMSException from common.utils import lazyproperty +from rbac.permissions import RBACPermission from tickets import serializers from tickets.models import Ticket from tickets.permissions.comment import IsAssignee, IsApplicant, IsSwagger 
@@ -14,7 +15,7 @@ __all__ = ['CommentViewSet'] class CommentViewSet(mixins.CreateModelMixin, viewsets.ReadOnlyModelViewSet): serializer_class = serializers.CommentSerializer - permission_classes = (IsSwagger | IsAssignee | IsApplicant,) + permission_classes = (RBACPermission| IsSwagger | IsAssignee | IsApplicant) @lazyproperty def ticket(self): diff --git a/apps/tickets/api/ticket.py b/apps/tickets/api/ticket.py index e61dda569..f112dae0c 100644 --- a/apps/tickets/api/ticket.py +++ b/apps/tickets/api/ticket.py @@ -19,7 +19,6 @@ __all__ = ['TicketViewSet', 'TicketFlowViewSet'] class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet): - permission_classes = (IsValidUser,) serializer_class = serializers.TicketDisplaySerializer serializer_classes = { 'open': serializers.TicketApplySerializer, From e3bc54e7642fce4c56091d047942e673e23eda5d Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Fri, 11 Mar 2022 19:31:55 +0800 Subject: [PATCH 05/13] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E7=94=A8?= =?UTF-8?q?=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E7=94=A8=E6=88=B7=20(#7809?= =?UTF-8?q?)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: feng626 <1304903146@qq.com> --- apps/users/api/relation.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/users/api/relation.py b/apps/users/api/relation.py index 40f5566ae..23260a5ae 100644 --- a/apps/users/api/relation.py +++ b/apps/users/api/relation.py @@ -5,12 +5,13 @@ from django.db.models import F from common.drf.api import JMSBulkRelationModelViewSet from .. import serializers -from ..models import User +from ..models import User, UserGroup __all__ = ['UserUserGroupRelationViewSet'] class UserUserGroupRelationViewSet(JMSBulkRelationModelViewSet): + perm_model = UserGroup filterset_fields = ('user', 'usergroup') search_fields = filterset_fields serializer_class = serializers.UserUserGroupRelationSerializer 
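Review bot: In apps/tickets/api/comment.py the new `permission_classes = (RBACPermission| IsSwagger | IsAssignee | IsApplicant)` drops the trailing comma, so the value is no longer a tuple but a single composed permission object. DRF iterates `permission_classes` when building the permission list, so unless the project's view base handles a bare operand this will probably fail on every request; restore the tuple with `permission_classes = (RBACPermission | IsSwagger | IsAssignee | IsApplicant,)`. Also note that with OR composition any user who holds the RBAC comment permission passes without being the ticket's assignee or applicant. If comments should stay scoped to ticket participants, confirm that the queryset or the `ticket` property enforces it. The class body continues outside the hunk.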
From b3632f65317cc5e8306cebd47f76032090386f80 Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Fri, 11 Mar 2022 19:32:23 +0800 Subject: [PATCH 06/13] fix: dingtalk auth perm (#7814) Co-authored-by: feng626 <1304903146@qq.com> --- apps/settings/api/dingtalk.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/apps/settings/api/dingtalk.py b/apps/settings/api/dingtalk.py index 196f259dc..216aeee0b 100644 --- a/apps/settings/api/dingtalk.py +++ b/apps/settings/api/dingtalk.py @@ -11,6 +11,9 @@ from .. import serializers class DingTalkTestingAPI(GenericAPIView): serializer_class = serializers.DingTalkSettingSerializer + rbac_perms = { + 'POST': 'settings.change_auth' + } def post(self, request): serializer = self.serializer_class(data=request.data) From 797b184c7f97c4be88f4095181f768c2a81d0afa Mon Sep 17 00:00:00 2001 From: ibuler Date: Fri, 11 Mar 2022 17:17:49 +0800 Subject: [PATCH 07/13] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20perm=20tree?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/jumpserver/api.py | 2 +- .../migrations/0005_auto_20220307_1524.py | 2 +- .../migrations/0006_auto_20220310_0616.py | 2 +- apps/rbac/models/menu.py | 1 - apps/rbac/tree.py | 53 +++++++++++++++---- .../migrations/0005_auto_20220310_0616.py | 2 +- .../migrations/0006_auto_20220310_1952.py | 17 ------ .../migrations/0007_auto_20220310_2006.py | 17 ------ apps/settings/models.py | 1 - utils/clean_db_content_types.py | 8 +-- 10 files changed, 53 insertions(+), 52 deletions(-) delete mode 100644 apps/settings/migrations/0006_auto_20220310_1952.py delete mode 100644 apps/settings/migrations/0007_auto_20220310_2006.py diff --git a/apps/jumpserver/api.py b/apps/jumpserver/api.py index eb09f7214..2de05b9c6 100644 --- a/apps/jumpserver/api.py +++ b/apps/jumpserver/api.py 
@@ -214,7 +214,7 @@ class DatesLoginMetricMixin: class IndexApi(DatesLoginMetricMixin, APIView): http_method_names = ['get'] rbac_perms = { - 'GET': 'rbac.view_dashboard' + 'GET': 'rbac.view_audit | rbac.view_console' } def get(self, request, *args, **kwargs): diff --git a/apps/rbac/migrations/0005_auto_20220307_1524.py b/apps/rbac/migrations/0005_auto_20220307_1524.py index 88b9a0f91..afc8ea8ba 100644 --- a/apps/rbac/migrations/0005_auto_20220307_1524.py +++ b/apps/rbac/migrations/0005_auto_20220307_1524.py @@ -12,6 +12,6 @@ class Migration(migrations.Migration): operations = [ migrations.AlterModelOptions( name='menupermission', - options={'default_permissions': [], 'permissions': [('view_dashboard', 'Can view resource statistics'), ('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'}, + options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'}, ), ] diff --git a/apps/rbac/migrations/0006_auto_20220310_0616.py b/apps/rbac/migrations/0006_auto_20220310_0616.py index aa76969bd..395b73f03 100644 --- a/apps/rbac/migrations/0006_auto_20220310_0616.py +++ b/apps/rbac/migrations/0006_auto_20220310_0616.py 
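Review bot: In apps/jumpserver/api.py the new `rbac_perms` value `'rbac.view_audit | rbac.view_console'` packs two permissions into one string, and nothing visible in this patch shows that the permission class splits on `|`. If the string reaches `has_perm` as a single codename it matches no permission and the dashboard is denied to every non-superuser. If it is parsed, a comment such as `# '|' means any one of these permissions is sufficient` would document the convention at its first use. `IndexApi` continues outside the hunk.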
@@ -12,6 +12,6 @@ class Migration(migrations.Migration): operations = [ migrations.AlterModelOptions( name='menupermission', - options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager'), ('view_dashboard', 'Can view dashboard')], 'verbose_name': 'Menu permission'}, + options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager') ], 'verbose_name': 'Menu permission'}, ), ] diff --git a/apps/rbac/models/menu.py b/apps/rbac/models/menu.py index b13c3d99e..524894664 100644 --- a/apps/rbac/models/menu.py +++ b/apps/rbac/models/menu.py @@ -17,5 +17,4 @@ class MenuPermission(models.Model): ('view_workspace', _('Can view workspace view')), ('view_webterminal', _('Can view web terminal')), ('view_filemanager', _('Can view file manager')), - ('view_dashboard', _('Can view dashboard')), ] diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py index 38ca93d78..a5d0cde1a 100644 --- a/apps/rbac/tree.py +++ b/apps/rbac/tree.py @@ -98,7 +98,14 @@ special_pid_mapper = { "perms.view_mydatabaseapp": "my_apps", "perms.connect_mydatabaseapp": "my_apps", "xpack.interface": "view_setting", - "settings.change_terminal": "terminal_node" + "settings.change_terminal": "terminal_node", + "settings.view_setting": "view_setting", + "settings.change_setting": "view_setting", + "rbac.view_console": "view_console", + "rbac.view_audit": "view_audit", + "rbac.view_workspace": "view_workspace", + "rbac.view_webterminal": "view_workspace", + "rbac.view_filemanager": "view_workspace", } verbose_name_mapper = { 
@@ -115,6 +122,32 @@ xpack_nodes = [ ] +def _sort_action(node): + value = 0 + + if 'view' in node.title: + value += 2 + elif 'add' in node.title: + value += 4 + elif 'change' in node.title: + value += 6 + elif 'delete' in node.title: + value += 8 + else: + value += 10 + return value + + +def sort_nodes(node): + value = 0 + + if node.isParent: + value += 50 + else: + value += _sort_action(node) + return value + + class PermissionTreeUtil: get_permissions: Callable @@ -122,7 +155,7 @@ class PermissionTreeUtil: self.permissions = self.prefetch_permissions(permissions) self.all_permissions = self.prefetch_permissions( Permission.get_permissions(scope) - ).order_by('-codename') + ) self.check_disabled = check_disabled self.total_counts = defaultdict(int) self.checked_counts = defaultdict(int) @@ -323,6 +356,8 @@ class PermissionTreeUtil: if not node_data.get('title'): node_data['title'] = node_data['name'] node = TreeNode(**node_data) + if settings.DEBUG: + node.name += ('-' + node.id) node.name += f'({checked_count}/{total_count})' return node @@ -367,12 +402,12 @@ class PermissionTreeUtil: return nodes def create_tree_nodes(self): - nodes = [self._create_root_tree_node()] - perms_nodes = self._create_perms_nodes() - models_nodes = self._create_models_nodes() - apps_nodes = self.create_apps_nodes() - extra_nodes = self._create_extra_nodes() - views_nodes = self._create_views_node() + nodes = self._create_perms_nodes() + nodes += self._create_models_nodes() + nodes += self.create_apps_nodes() + nodes += self._create_extra_nodes() + nodes += self._create_views_node() + nodes += [self._create_root_tree_node()] - nodes += views_nodes + apps_nodes + models_nodes + perms_nodes + extra_nodes + nodes.sort(key=sort_nodes) return nodes diff --git a/apps/settings/migrations/0005_auto_20220310_0616.py b/apps/settings/migrations/0005_auto_20220310_0616.py index f29f017c5..5e7d2c747 100644 --- a/apps/settings/migrations/0005_auto_20220310_0616.py 
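Review bot: `_sort_action` in apps/rbac/tree.py classifies a node by substring tests on `node.title` (`'view' in node.title`, `'add' in node.title`, …), so a title whose app label or model name merely contains one of those words is ordered as that action. For example, any title containing "add" inside a model name sorts as an add permission. Matching the action prefix of the codename is more robust, and a lookup table replaces the `value = 0` / `value += N` ladder. This assumes permission nodes carry `app_label.codename` in `title`, as `title = p.app_label_codename` elsewhere in this series suggests. Both `_sort_action` and `sort_nodes` would also benefit from a one-line docstring stating that a lower value sorts first and parent nodes sort after leaves.

```python
_ACTION_ORDER = {'view': 2, 'add': 4, 'change': 6, 'delete': 8}


def _sort_action(node):
    """Return the sort weight of a permission node; lower sorts first."""
    # title is expected to look like "<app_label>.<action>_<model>"
    codename = node.title.rpartition('.')[2]
    action = codename.partition('_')[0]
    return _ACTION_ORDER.get(action, 10)

# … unchanged: sort_nodes …
```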
+++ b/apps/settings/migrations/0005_auto_20220310_0616.py @@ -12,6 +12,6 @@ class Migration(migrations.Migration): operations = [ migrations.AlterModelOptions( name='setting', - options={'permissions': [('change_basic', 'Can change basic setting'), ('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_other', 'Can change other setting'), ('change_terminal_basic_setting', 'Can change terminal basic setting')], 'verbose_name': 'System setting'}, + options={'permissions': [('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_systemmsgsubscription', 'Can sys msg sub setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_interface', 'Can change interface setting'), ('change_license', 'Can change license setting'), ('change_terminal', 'Can change terminal setting'), ('change_other', 'Can change other setting')], 'verbose_name': 'System setting'}, ), ] diff --git a/apps/settings/migrations/0006_auto_20220310_1952.py b/apps/settings/migrations/0006_auto_20220310_1952.py deleted file mode 100644 index 55e4572bc..000000000 --- a/apps/settings/migrations/0006_auto_20220310_1952.py +++ /dev/null 
@@ -1,17 +0,0 @@ -# Generated by Django 3.1.14 on 2022-03-10 11:52 - -from django.db import migrations - - -class Migration(migrations.Migration): - - dependencies = [ - ('settings', '0005_auto_20220310_0616'), - ] - - operations = [ - migrations.AlterModelOptions( - name='setting', - options={'permissions': [('change_basic', 'Can change basic setting'), ('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_other', 'Can change other setting'), ('change_interface', 'Can change interface setting'), ('change_license', 'Can change license setting'), ('change_terminal_basic_setting', 'Can change terminal basic setting')], 'verbose_name': 'System setting'}, - ), - ] diff --git a/apps/settings/migrations/0007_auto_20220310_2006.py b/apps/settings/migrations/0007_auto_20220310_2006.py deleted file mode 100644 index 257abde35..000000000 --- a/apps/settings/migrations/0007_auto_20220310_2006.py +++ /dev/null @@ -1,17 +0,0 @@ -# Generated by Django 3.1.14 on 2022-03-10 12:06 - -from django.db import migrations - - -class Migration(migrations.Migration): - - dependencies = [ - ('settings', '0006_auto_20220310_1952'), - ] - - operations = [ - migrations.AlterModelOptions( - name='setting', - options={'permissions': [('change_basic', 'Can change basic setting'), ('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_sys_msg_sub', 'Can sys msg sub setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_interface', 'Can change interface setting'), ('change_license', 'Can change license setting'), ('change_terminal', 'Can change terminal setting'), ('change_other', 'Can change other setting')], 'verbose_name': 'System setting'}, - ), - ] 
diff --git a/apps/settings/models.py b/apps/settings/models.py index eee1a0d94..9fb07a18f 100644 --- a/apps/settings/models.py +++ b/apps/settings/models.py @@ -139,7 +139,6 @@ class Setting(models.Model): db_table = "settings_setting" verbose_name = _("System setting") permissions = [ - ('change_basic', _('Can change basic setting')), ('change_email', _('Can change email setting')), ('change_auth', _('Can change auth setting')), ('change_systemmsgsubscription', _('Can sys msg sub setting')), diff --git a/utils/clean_db_content_types.py b/utils/clean_db_content_types.py index 585c72314..6b317bcc5 100644 --- a/utils/clean_db_content_types.py +++ b/utils/clean_db_content_types.py @@ -53,9 +53,11 @@ def clean_db_content_types(): ('applications', 'remoteapp', 'view_remoteapp'), ('settings', 'setting', 'change_terminal_basic_setting'), - ('rbac', 'menupermission', 'view_resourcestatistics'), - - + ('settings', 'setting', 'change_sys_msg_sub'), + ('settings', 'setting', 'change_basic'), + ('rbac', 'menupermission', 'view_userview'), + ('rbac', 'menupermission', 'view_adminview'), + ('rbac', 'menupermission', 'view_auditview'), ] for app, model, codename in permissions_delete_required: print('delete {}.{} ({})'.format(app, codename, model)) From 224a9fbdb396cd13a02e6ce79cb26c813e5bbde4 Mon Sep 17 00:00:00 2001 From: "Jiangjie.Bai" Date: Fri, 11 Mar 2022 19:28:00 +0800 Subject: [PATCH 08/13] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=88=9B?= =?UTF-8?q?=E5=BB=BA=E6=8E=88=E6=9D=83=E6=97=B6actions=E4=B8=BA=E7=A9=BA?= =?UTF-8?q?=E4=BF=9D=E5=AD=98=E6=97=B6=E6=8A=A5=E9=94=99=E7=9A=84=E9=97=AE?= =?UTF-8?q?=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/perms/serializers/application/permission.py | 2 +- apps/perms/serializers/base.py | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) 
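Review bot: The cleanup list in utils/clean_db_content_types.py does not include `view_dashboard`, although this same commit removes that permission from `MenuPermission.Meta.permissions` and from the rbac migrations. Django does not delete permission rows when they disappear from `Meta`, so a database that already created `rbac.view_dashboard` would keep a stale, still-assignable row; consider adding `('rbac', 'menupermission', 'view_dashboard'),`. The hunk also drops `view_resourcestatistics` from the list, so installations that have not yet run the script would keep that row too. `clean_db_content_types` starts and ends outside the hunk.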
diff --git a/apps/perms/serializers/application/permission.py b/apps/perms/serializers/application/permission.py index c7ebdf769..ae65ea869 100644 --- a/apps/perms/serializers/application/permission.py +++ b/apps/perms/serializers/application/permission.py @@ -5,7 +5,7 @@ from rest_framework import serializers from django.utils.translation import ugettext_lazy as _ from orgs.mixins.serializers import BulkOrgResourceModelSerializer -from perms.models import ApplicationPermission +from perms.models import ApplicationPermission, Action from ..base import ActionsField, BasePermissionSerializer __all__ = [ diff --git a/apps/perms/serializers/base.py b/apps/perms/serializers/base.py index 81707dbd1..63cdd8d72 100644 --- a/apps/perms/serializers/base.py +++ b/apps/perms/serializers/base.py @@ -1,6 +1,7 @@ from rest_framework import serializers from perms.models import Action from orgs.mixins.serializers import BulkOrgResourceModelSerializer +from rest_framework.fields import empty __all__ = ['ActionsDisplayField', 'ActionsField', 'BasePermissionSerializer'] @@ -10,6 +11,12 @@ class ActionsField(serializers.MultipleChoiceField): kwargs['choices'] = Action.CHOICES super().__init__(*args, **kwargs) + def run_validation(self, data=empty): + data = super(ActionsField, self).run_validation() + if isinstance(data, list): + data = Action.choices_to_value(value=data) + return data + def to_representation(self, value): return Action.value_to_choices(value) From 8e2471c1eb7a13a195fb5ab242091fefa04fe379 Mon Sep 17 00:00:00 2001 
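Review bot: In apps/perms/serializers/base.py the new `ActionsField.run_validation` calls `super(ActionsField, self).run_validation()` without forwarding `data`, so the parent always validates `empty` and the actions sent by the client are discarded. The stored permission then carries the field default (or a "required" error) instead of what was requested, which for an authorization object can grant more or fewer actions than intended. Pass the argument through: `data = super().run_validation(data)`. DRF's `MultipleChoiceField` normally returns a set from validation, so `isinstance(data, list)` may only match a list default; checking `isinstance(data, (list, set))` or converting in `to_internal_value` is worth considering, depending on what the rest of the class (outside the hunk) does.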
From: "Jiangjie.Bai" Date: Fri, 11 Mar 2022 17:33:12 +0800 Subject: [PATCH 09/13] =?UTF-8?q?fix:=20=E7=A7=BB=E9=99=A4TICKET=5FENABLED?= =?UTF-8?q?=E9=85=8D=E7=BD=AE;=E7=B3=BB=E7=BB=9F=E8=AE=BE=E7=BD=AEAPI?= =?UTF-8?q?=E9=99=90=E5=88=B6=E6=9D=83=E9=99=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/jumpserver/conf.py | 1 - apps/jumpserver/settings/custom.py | 1 - apps/settings/api/public.py | 1 - apps/settings/api/settings.py | 32 ++++++++++++++++++++++++++++++ apps/settings/serializers/basic.py | 1 - 5 files changed, 32 insertions(+), 4 deletions(-) diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py index 919fc5642..4af31bffb 100644 --- a/apps/jumpserver/conf.py +++ b/apps/jumpserver/conf.py @@ -390,7 +390,6 @@ class Config(dict): 'HELP_DOCUMENT_URL': 'http://docs.jumpserver.org', 'HELP_SUPPORT_URL': 'http://www.jumpserver.org/support/', - 'TICKETS_ENABLED': True, 'FORGOT_PASSWORD_URL': '', 'HEALTH_CHECK_TOKEN': '', } diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py index 4eff9d9fe..794180fd2 100644 --- a/apps/jumpserver/settings/custom.py +++ b/apps/jumpserver/settings/custom.py @@ -119,7 +119,6 @@ CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED = CONFIG.CHANGE_AUTH_PLAN_SECURE_MODE_ENABL DATETIME_DISPLAY_FORMAT = '%Y-%m-%d %H:%M:%S' -TICKETS_ENABLED = CONFIG.TICKETS_ENABLED REFERER_CHECK_ENABLED = CONFIG.REFERER_CHECK_ENABLED CONNECTION_TOKEN_ENABLED = CONFIG.CONNECTION_TOKEN_ENABLED diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py index 349955007..314b7c9fa 100644 --- a/apps/settings/api/public.py +++ b/apps/settings/api/public.py 
@@ -43,7 +43,6 @@ class PublicSettingApi(generics.RetrieveAPIView): "XPACK_LICENSE_INFO": get_xpack_license_info(), "LOGIN_TITLE": self.get_login_title(), "LOGO_URLS": self.get_logo_urls(), - "TICKETS_ENABLED": settings.TICKETS_ENABLED, "PASSWORD_RULE": { 'SECURITY_PASSWORD_MIN_LENGTH': settings.SECURITY_PASSWORD_MIN_LENGTH, 'SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH': settings.SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH, diff --git a/apps/settings/api/settings.py b/apps/settings/api/settings.py index 7864b7c1c..454fc00d3 100644 --- a/apps/settings/api/settings.py +++ b/apps/settings/api/settings.py @@ -41,9 +41,41 @@ class SettingsApi(generics.RetrieveUpdateAPIView): 'tencent': serializers.TencentSMSSettingSerializer, } + rbac_category_permissions = { + # 'all': 'change_setting', + 'basic': 'change_basic', + 'terminal': 'change_terminal', + 'security': 'change_security', + 'ldap': 'change_auth', + 'email': 'change_email', + 'email_content': 'change_email', + 'wecom': 'change_auth', + 'dingtalk': 'change_auth', + 'feishu': 'change_auth', + 'auth': 'change_auth', + 'oidc': 'change_auth', + 'keycloak': 'change_auth', + 'radius': 'change_auth', + 'cas': 'change_auth', + 'sso': 'change_auth', + 'saml2': 'change_auth', + 'clean': 'change_clean', + 'other': 'change_other', + 'sms': 'change_sms', + 'alibaba': 'change_sms', + 'tencent': 'change_sms', + } + def get_queryset(self): return Setting.objects.all() + def check_permissions(self, request): + category = request.query_params.get('category', 'basic') + require_perm = self.rbac_category_permissions.get(category) + if not request.user.has_perm(require_perm): + self.permission_denied(request) + return super().check_permissions(request) + def get_serializer_class(self): category = self.request.query_params.get('category', 'basic') default = serializers.BasicSettingSerializer diff --git a/apps/settings/serializers/basic.py b/apps/settings/serializers/basic.py index 97ef96cbe..e0672f0df 100644 
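Review bot: In the apps/settings/api/settings.py hunk, `check_permissions` looks the category up with `.get(category)`, so an unknown `category` yields `None` and `has_perm(None)` decides the outcome, while `get_serializer_class` below has a `default` serializer to fall back on. Deny explicitly instead, with `if require_perm is None or not request.user.has_perm(require_perm):`. The mapped values are also bare codenames (`'change_auth'`), whereas the DingTalk testing API in this series uses `'settings.change_auth'`. If the backend expects `app_label.codename`, these checks never match, so the table should use the qualified form. Finally, the same permission is required for GET and for PUT/PATCH on this `RetrieveUpdateAPIView`; a comment stating that this is intentional would help.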
--- a/apps/settings/serializers/basic.py +++ b/apps/settings/serializers/basic.py @@ -41,7 +41,6 @@ class BasicSettingSerializer(serializers.Serializer): required=False, max_length=1024, allow_blank=True, allow_null=True, label=_("Global organization name"), help_text=_('The name of global organization to display') ) - TICKETS_ENABLED = serializers.BooleanField(required=False, default=True, label=_("Enable tickets")) ANNOUNCEMENT_ENABLED = serializers.BooleanField(label=_('Enable announcement'), default=True) ANNOUNCEMENT = AnnouncementSerializer(label=_("Announcement")) From 8423ae602f45a54a424432dcdc3ddfd90eecf6f2 Mon Sep 17 00:00:00 2001 From: "Jiangjie.Bai" Date: Fri, 11 Mar 2022 20:34:47 +0800 Subject: [PATCH 10/13] =?UTF-8?q?fix:=20=E7=A7=BB=E9=99=A4TICKET=5FENABLED?= =?UTF-8?q?=E9=85=8D=E7=BD=AE;=E7=B3=BB=E7=BB=9F=E8=AE=BE=E7=BD=AEAPI?= =?UTF-8?q?=E9=99=90=E5=88=B6=E6=9D=83=E9=99=90?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/settings/api/settings.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/apps/settings/api/settings.py b/apps/settings/api/settings.py index 454fc00d3..3f81832e0 100644 --- a/apps/settings/api/settings.py +++ b/apps/settings/api/settings.py @@ -42,8 +42,8 @@ class SettingsApi(generics.RetrieveUpdateAPIView): } rbac_category_permissions = { - # 'all': 'change_setting', - 'basic': 'change_basic', + # 'all': 'view_setting', + 'basic': 'view_setting', 'terminal': 'change_terminal', 'security': 'change_security', 'ldap': 'change_auth', From a876a82a76029c0fe6ae7874c523288f433c4c92 Mon Sep 17 00:00:00 2001 From: "Jiangjie.Bai" Date: Fri, 11 Mar 2022 21:11:20 +0800 Subject: [PATCH 11/13] =?UTF-8?q?fix:=20=E4=BB=8E=E7=BB=84=E7=BB=87?= =?UTF-8?q?=E7=A7=BB=E9=99=A4=E7=94=A8=E6=88=B7?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- apps/orgs/signal_handlers/common.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
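Review bot: Mapping `'basic': 'view_setting'` in `rbac_category_permissions` means the `check_permissions` override added in the previous patch accepts a view permission for every method on this `RetrieveUpdateAPIView`, including PUT and PATCH. Unless `super().check_permissions` applies a stricter per-method rule (not visible here), a role that can only view settings could update the basic category, which is also the default when `category` is omitted. Consider selecting the permission by method, e.g. `view_setting` for safe methods and a change permission otherwise, and turning the commented-out `# 'all': 'view_setting'` line into a real entry or removing it.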
diff --git a/apps/orgs/signal_handlers/common.py b/apps/orgs/signal_handlers/common.py index dfd29955d..48576a828 100644 --- a/apps/orgs/signal_handlers/common.py +++ b/apps/orgs/signal_handlers/common.py @@ -14,6 +14,7 @@ from orgs.models import Organization from orgs.hands import set_current_org, Node, get_current_org from perms.models import (AssetPermission, ApplicationPermission) from users.models import UserGroup, User +from assets.models import SystemUser from common.const.signals import PRE_REMOVE, POST_REMOVE from common.decorator import on_transaction_commit from common.signals import django_ready @@ -135,7 +136,7 @@ def _clear_users_from_org(org, users): if not users: return - models = (AssetPermission, ApplicationPermission, UserGroup) + models = (AssetPermission, ApplicationPermission, UserGroup, SystemUser) for m in models: _remove_users(m, users, org) From 017710c0569add7da03a9507331cb194ca6418d2 Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Fri, 11 Mar 2022 21:24:07 +0800 Subject: [PATCH 12/13] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9perms=20(#7822)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * perf: 修改 perm tree * perf: 修改perms Co-authored-by: ibuler --- apps/rbac/tree.py | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py index a5d0cde1a..68fb3fddc 100644 --- a/apps/rbac/tree.py +++ b/apps/rbac/tree.py @@ -305,7 +305,7 @@ class PermissionTreeUtil: # name 要特殊处理,解决 i18n 问题 name = self._get_permission_name(p, content_types_name_mapper) if settings.DEBUG: - name += '({})'.format(p.app_label_codename) + name += '[{}]'.format(p.app_label_codename) title = p.app_label_codename pid = model_id 
@@ -353,9 +353,10 @@ class PermissionTreeUtil: }, **data } - if not node_data.get('title'): - node_data['title'] = node_data['name'] + node_data['title'] = node_data['id'] node = TreeNode(**node_data) + if settings.DEBUG: + node.name += ('[' + node.id + ']') if settings.DEBUG: node.name += ('-' + node.id) node.name += f'({checked_count}/{total_count})' From 60564d1b4fbb7a8562b403b44f6dbb0a294ed0bd Mon Sep 17 00:00:00 2001 From: ibuler Date: Mon, 14 Mar 2022 10:00:00 +0800 Subject: [PATCH 13/13] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20bug?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../migrations/0008_auto_20220311_1623.py | 17 ----------------- 1 file changed, 17 deletions(-) delete mode 100644 apps/settings/migrations/0008_auto_20220311_1623.py diff --git a/apps/settings/migrations/0008_auto_20220311_1623.py b/apps/settings/migrations/0008_auto_20220311_1623.py deleted file mode 100644 index 91f342927..000000000 --- a/apps/settings/migrations/0008_auto_20220311_1623.py +++ /dev/null @@ -1,17 +0,0 @@ -# Generated by Django 3.1.14 on 2022-03-11 08:23 - -from django.db import migrations - - -class Migration(migrations.Migration): - - dependencies = [ - ('settings', '0007_auto_20220310_2006'), - ] - - operations = [ - migrations.AlterModelOptions( - name='setting', - options={'permissions': [('change_basic', 'Can change basic setting'), ('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_systemmsgsubscription', 'Can sys msg sub setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_interface', 'Can change interface setting'), ('change_license', 'Can change license setting'), ('change_terminal', 'Can change terminal setting'), ('change_other', 'Can change other setting')], 'verbose_name': 'System setting'}, - ), - ]
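Review bot: In the second apps/rbac/tree.py hunk of this patch, the new `if settings.DEBUG:` block that appends `'[' + node.id + ']'` sits directly above the existing block that appends `'-' + node.id`, so with DEBUG on the id is added to `node.name` twice. Remove the older block so only the bracketed form remains. Separately, `node_data['title'] = node_data['id']` now overwrites any `title` passed in through `**data`. If that is intended, a comment saying so would help, since `_sort_action` orders nodes by `node.title`. The enclosing method starts outside the hunk.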