From c456782d9ece34df42e9948ce9a3f06b1f858daf Mon Sep 17 00:00:00 2001
From: Bai
Date: Mon, 20 Feb 2023 15:08:06 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=20ticket=20session=20?= =?UTF-8?q?=E7=9B=91=E6=8E=A7=E7=94=A8=E6=88=B7=E6=B2=A1=E6=9C=89=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=9A=84=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/rbac/permissions.py | 3 +++
 apps/terminal/api/session/session.py | 3 +++
 apps/terminal/permissions.py | 16 ++++++++++++++++
 3 files changed, 22 insertions(+)
 create mode 100644 apps/terminal/permissions.py

diff --git a/apps/rbac/permissions.py b/apps/rbac/permissions.py
index e6e569c7f..788c10a69 100644
--- a/apps/rbac/permissions.py
+++ b/apps/rbac/permissions.py
@@ -141,3 +141,6 @@ class RBACPermission(permissions.DjangoModelPermissions):
 has = request.user.has_perms(perms)
 logger.debug('View require perms: {}, result: {}'.format(perms, has))
 return has
+
+ def has_object_permission(self, request, view, obj):
+ return self.has_permission(request, view)
diff --git a/apps/terminal/api/session/session.py b/apps/terminal/api/session/session.py
index beb790f5c..13cd62b7a 100644
--- a/apps/terminal/api/session/session.py
+++ b/apps/terminal/api/session/session.py
@@ -22,6 +22,7 @@ from common.drf.renders import PassthroughRenderer
 from common.api import AsyncApiMixin
 from common.utils import data_to_json, is_uuid
 from common.utils import get_logger, get_object_or_none
+from rbac.permissions import RBACPermission
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.utils import tmp_to_root_org, tmp_to_org
 from terminal import serializers
@@ -30,6 +31,7 @@ from terminal.utils import (
 find_session_replay_local, download_session_replay,
 is_session_approver, get_session_replay_url
 )
+from terminal.permissions import IsSessionAssignee
 from users.models import User
 
 __all__ = [
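Review bot: The new `RBACPermission.has_object_permission` in apps/rbac/permissions.py has no docstring, and its purpose is security-relevant and not obvious from the two lines. Without the override the class inherits DRF's default object check, which returns True, so in DRF versions whose `|` operator combines only the object-level results a composition like the one this commit adds to `SessionViewSet` would pass the object check for every caller. I would document that with `"""Repeat the view-level RBAC check per object so a composed permission (A | B) cannot fall through to BasePermission's default True."""`. The override also makes every detail route that uses this class run `has_permission` twice, including the `logger.debug` call in the context lines; the start of `has_permission` is outside the hunk, so its cost cannot be judged from here.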
@@ -86,6 +88,7 @@ class SessionViewSet(OrgBulkModelViewSet):
 rbac_perms = {
 'download': ['terminal.download_sessionreplay']
 }
+ permission_classes = [RBACPermission | IsSessionAssignee]
 
 @staticmethod
 def prepare_offline_file(session, local_path):
diff --git a/apps/terminal/permissions.py b/apps/terminal/permissions.py
new file mode 100644
index 000000000..1165c0570
--- /dev/null
+++ b/apps/terminal/permissions.py
@@ -0,0 +1,16 @@
+from rest_framework import permissions
+from common.utils import get_logger
+
+logger = get_logger(__file__)
+
+
+__all__ = ['IsSessionAssignee']
+
+
+class IsSessionAssignee(permissions.BasePermission):
+
+ def has_object_permission(self, request, view, obj):
+ try:
+ return obj.ticket_relation.first().ticket.has_all_assignee(request.user)
+ except:
+ return False
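Review bot: Composing the two classes with `|` in `permission_classes` makes the view-level check pass for every request. `IsSessionAssignee` (added in apps/terminal/permissions.py by this commit) defines only `has_object_permission`, so it inherits `BasePermission.has_permission`, which returns True. Routes that never reach `get_object()`, such as list, are then no longer gated by RBAC, and nothing in these lines requires an authenticated user. `IsSessionAssignee` needs its own view-level check so it can only widen access to a single object, for example `def has_permission(self, request, view): return bool(request.user and request.user.is_authenticated) and bool(getattr(view, 'detail', False))`. The body of `SessionViewSet` continues outside the hunk, so actions that need a different rule have to be checked there.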
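Review bot: The bare `except:` in `IsSessionAssignee.has_object_permission` turns every failure into a silent denial, including programming errors and an unexpected `obj` type, and the module-level `logger` is never used, so a broken check leaves no trace. `first()` returning None for a session with no ticket relation looks like the one expected case; handle it explicitly and let anything else surface. The check also ignores `request.method`, so a ticket assignee passes it for write and delete requests on the session as well as reads; if the intent is monitoring only, restrict it to `permissions.SAFE_METHODS` or to named actions.

```python
class IsSessionAssignee(permissions.BasePermission):

    def has_object_permission(self, request, view, obj):
        relation = obj.ticket_relation.first()
        if relation is None:
            # No ticket is attached to this session, so nobody is an assignee.
            return False
        return relation.ticket.has_all_assignee(request.user)
```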