Merge pull request #8603 from jumpserver/dev

v2.24.0-rc2
2022-07-15 18:07:09 +08:00 · 2022-07-15 18:07:09 +08:00 · c665b0dbae
parent a770a19252 0eaca0c1cb
commit c665b0dbae
10 changed files with 167 additions and 87 deletions
--- a/apps/applications/migrations/0023_auto_20220715_1556.py
+++ b/apps/applications/migrations/0023_auto_20220715_1556.py
@ -0,0 +1,48 @@
+# Generated by Django 3.1.14 on 2022-07-15 07:56
+import time
+from collections import defaultdict
+
+from django.db import migrations
+
+
+def migrate_account_dirty_data(apps, schema_editor):
+    db_alias = schema_editor.connection.alias
+    account_model = apps.get_model('applications', 'Account')
+
+    count = 0
+    bulk_size = 1000
+
+    while True:
+        accounts = account_model.objects.using(db_alias) \
+                       .filter(org_id='')[count:count + bulk_size]
+
+        if not accounts:
+            break
+
+        accounts = list(accounts)
+        start = time.time()
+        for i in accounts:
+            if i.app:
+                org_id = i.app.org_id
+            elif i.systemuser:
+                org_id = i.systemuser.org_id
+            else:
+                org_id = ''
+            if org_id:
+                i.org_id = org_id
+
+        account_model.objects.bulk_update(accounts, ['org_id', ])
+        print("Update account org is empty: {}-{} using: {:.2f}s".format(
+            count, count + len(accounts), time.time() - start
+        ))
+        count += len(accounts)
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ('applications', '0022_auto_20220714_1046'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_account_dirty_data),
+    ]
--- a/apps/authentication/errors/mfa.py
+++ b/apps/authentication/errors/mfa.py
@ -14,23 +14,23 @@ class WeComCodeInvalid(JMSException):


 class WeComBindAlready(JMSException):
-    default_code = 'wecom_bind_already'
-    default_detail = 'WeCom already binded'
+    default_code = 'wecom_not_bound'
+    default_detail = _('WeCom is already bound')


 class WeComNotBound(JMSException):
    default_code = 'wecom_not_bound'
-    default_detail = 'WeCom is not bound'
+    default_detail = _('WeCom is not bound')


 class DingTalkNotBound(JMSException):
    default_code = 'dingtalk_not_bound'
-    default_detail = 'DingTalk is not bound'
+    default_detail = _('DingTalk is not bound')


 class FeiShuNotBound(JMSException):
    default_code = 'feishu_not_bound'
-    default_detail = 'FeiShu is not bound'
+    default_detail = _('FeiShu is not bound')


 class PasswordInvalid(JMSException):
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@ -7,6 +7,9 @@ from rest_framework import permissions

 from authentication.const import ConfirmType
 from common.exceptions import UserConfirmRequired
+from orgs.utils import tmp_to_root_org
+from authentication.models import ConnectionToken
+from common.utils import get_object_or_none


 class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
@ -17,6 +20,22 @@ class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
               and request.user.is_valid


+class IsValidUserOrConnectionToken(IsValidUser):
+
+    def has_permission(self, request, view):
+        return super(IsValidUserOrConnectionToken, self).has_permission(request, view) \
+               or self.is_valid_connection_token(request)
+
+    @staticmethod
+    def is_valid_connection_token(request):
+        token_id = request.query_params.get('token')
+        if not token_id:
+            return False
+        with tmp_to_root_org():
+            token = get_object_or_none(ConnectionToken, id=token_id)
+        return token and token.is_valid
+
+
 class OnlySuperUser(IsValidUser):
    def has_permission(self, request, view):
        return super().has_permission(request, view) \
--- a/apps/locale/ja/LC_MESSAGES/django.po
+++ b/apps/locale/ja/LC_MESSAGES/django.po
@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-13 16:25+0800\n"
+"POT-Creation-Date: 2022-07-15 17:15+0800\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@ -89,7 +89,7 @@ msgstr "ログイン確認"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:62 audits/models.py:87 audits/serializers.py:100
 #: authentication/models.py:54 authentication/models.py:78 orgs/models.py:214
-#: perms/models/base.py:84 rbac/builtin.py:118 rbac/models/rolebinding.py:41
+#: perms/models/base.py:84 rbac/builtin.py:117 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
 #: terminal/models/sharing.py:33 terminal/notifications.py:91
@ -214,7 +214,7 @@ msgid "Unsupported protocols: {}"
 msgstr "サポートされていないプロトコル: {}"

 #: acls/serializers/login_asset_acl.py:98
-#: tickets/serializers/ticket/ticket.py:78
+#: tickets/serializers/ticket/ticket.py:85
 msgid "The organization `{}` does not exist"
 msgstr "組織 '{}'は存在しません"

@ -2002,6 +2002,24 @@ msgstr "電話が設定されていない"
 msgid "SSO auth closed"
 msgstr "SSO authは閉鎖されました"

+#: authentication/errors/mfa.py:18 authentication/views/wecom.py:80
+msgid "WeCom is already bound"
+msgstr "企業の微信はすでにバインドされています"
+
+#: authentication/errors/mfa.py:23 authentication/views/wecom.py:237
+#: authentication/views/wecom.py:291
+msgid "WeCom is not bound"
+msgstr "企業の微信をバインドしていません"
+
+#: authentication/errors/mfa.py:28 authentication/views/dingtalk.py:242
+#: authentication/views/dingtalk.py:296
+msgid "DingTalk is not bound"
+msgstr "DingTalkはバインドされていません"
+
+#: authentication/errors/mfa.py:33 authentication/views/feishu.py:203
+msgid "FeiShu is not bound"
+msgstr "本を飛ばすは拘束されていません"
+
 #: authentication/errors/mfa.py:38
 msgid "Your password is invalid"
 msgstr "パスワードが無効です"
@ -2479,10 +2497,6 @@ msgstr "DingTalkのバインドに成功"
 msgid "Failed to get user from DingTalk"
 msgstr "DingTalkからユーザーを取得できませんでした"

-#: authentication/views/dingtalk.py:242 authentication/views/dingtalk.py:296
-msgid "DingTalk is not bound"
-msgstr "DingTalkはバインドされていません"
-
 #: authentication/views/dingtalk.py:243 authentication/views/dingtalk.py:297
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "パスワードでログインし、DingTalkをバインドしてください"
@ -2511,10 +2525,6 @@ msgstr "本を飛ばすのバインドに成功"
 msgid "Failed to get user from FeiShu"
 msgstr "本を飛ばすからユーザーを取得できませんでした"

-#: authentication/views/feishu.py:203
-msgid "FeiShu is not bound"
-msgstr "本を飛ばすは拘束されていません"
-
 #: authentication/views/feishu.py:204
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "パスワードでログインしてから本を飛ばすをバインドしてください"
@ -2559,10 +2569,6 @@ msgstr "企業微信エラー、システム管理者に連絡してください
 msgid "WeCom Error"
 msgstr "企業微信エラー"

-#: authentication/views/wecom.py:80
-msgid "WeCom is already bound"
-msgstr "企業の微信はすでにバインドされています"
-
 #: authentication/views/wecom.py:163
 msgid "WeCom query user failed"
 msgstr "企業微信ユーザーの問合せに失敗しました"
@ -2579,10 +2585,6 @@ msgstr "企業の微信のバインドに成功"
 msgid "Failed to get user from WeCom"
 msgstr "企業の微信からユーザーを取得できませんでした"

-#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
-msgid "WeCom is not bound"
-msgstr "企業の微信をバインドしていません"
-
 #: authentication/views/wecom.py:238 authentication/views/wecom.py:292
 msgid "Please login with a password and then bind the WeCom"
 msgstr "パスワードでログインしてからWeComをバインドしてください"
@ -3022,10 +3024,10 @@ msgstr "組織のリソース ({}) は削除できません"
 msgid "App organizations"
 msgstr "アプリ組織"

-#: orgs/mixins/models.py:54 orgs/mixins/serializers.py:25 orgs/models.py:80
+#: orgs/mixins/models.py:57 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/models/ticket/general.py:300 tickets/serializers/ticket/ticket.py:64
+#: tickets/models/ticket/general.py:300 tickets/serializers/ticket/ticket.py:71
 msgid "Organization"
 msgstr "組織"

@ -3258,27 +3260,27 @@ msgstr "{} 少なくとも1つのシステムロール"
 msgid "RBAC"
 msgstr "RBAC"

-#: rbac/builtin.py:109
+#: rbac/builtin.py:108
 msgid "SystemAdmin"
 msgstr "システム管理者"

-#: rbac/builtin.py:112
+#: rbac/builtin.py:111
 msgid "SystemAuditor"
 msgstr "システム監査人"

-#: rbac/builtin.py:115
+#: rbac/builtin.py:114
 msgid "SystemComponent"
 msgstr "システムコンポーネント"

-#: rbac/builtin.py:121
+#: rbac/builtin.py:120
 msgid "OrgAdmin"
 msgstr "組織管理者"

-#: rbac/builtin.py:124
+#: rbac/builtin.py:123
 msgid "OrgAuditor"
 msgstr "監査員を組織する"

-#: rbac/builtin.py:127
+#: rbac/builtin.py:126
 msgid "OrgUser"
 msgstr "組織ユーザー"

@ -4687,7 +4689,7 @@ msgstr ""
 msgid "Offline video player"
 msgstr "オフラインビデオプレーヤー"

-#: terminal/api/endpoint.py:33
+#: terminal/api/endpoint.py:34
 msgid "Not found protocol query params"
 msgstr "プロトコルクエリパラメータが見つかりません"

@ -5261,7 +5263,7 @@ msgstr "カスタムユーザー"
 msgid "Ticket already closed"
 msgstr "チケットはすでに閉じています"

-#: tickets/handlers/apply_application.py:35
+#: tickets/handlers/apply_application.py:37
 msgid ""
 "Created by the ticket, ticket title: {}, ticket applicant: {}, ticket "
 "processor: {}, ticket ID: {}"
@ -5269,7 +5271,7 @@ msgstr ""
 "チケットによって作成されたチケットタイトル: {}、チケット申請者: {}、チケット"
 "処理者: {}、チケットID: {}"

-#: tickets/handlers/apply_asset.py:35
+#: tickets/handlers/apply_asset.py:37
 msgid ""
 "Created by the ticket ticket title: {} ticket applicant: {} ticket "
 "processor: {} ticket ID: {}"
@ -5277,19 +5279,19 @@ msgstr ""
 "チケットのタイトル: {} チケット申請者: {} チケットプロセッサ: {} チケットID: "
 "{}"

-#: tickets/handlers/base.py:79
+#: tickets/handlers/base.py:84
 msgid "Change field"
 msgstr "フィールドを変更"

-#: tickets/handlers/base.py:79
+#: tickets/handlers/base.py:84
 msgid "Before change"
 msgstr "変更前"

-#: tickets/handlers/base.py:79
+#: tickets/handlers/base.py:84
 msgid "After change"
 msgstr "変更後"

-#: tickets/handlers/base.py:91
+#: tickets/handlers/base.py:96
 msgid "{} {} the ticket"
 msgstr "{} {} チケット"

@ -5503,7 +5505,7 @@ msgstr "有効期限は開始日より大きくする必要があります"
 msgid "Permission named `{}` already exists"
 msgstr "'{}'という名前の権限は既に存在します"

-#: tickets/serializers/ticket/ticket.py:92
+#: tickets/serializers/ticket/ticket.py:99
 msgid "The ticket flow `{}` does not exist"
 msgstr "チケットフロー '{}'が存在しない"

--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-07-13 16:25+0800\n"
+"POT-Creation-Date: 2022-07-15 17:15+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@ -88,7 +88,7 @@ msgstr "登录复核"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:62 audits/models.py:87 audits/serializers.py:100
 #: authentication/models.py:54 authentication/models.py:78 orgs/models.py:214
-#: perms/models/base.py:84 rbac/builtin.py:118 rbac/models/rolebinding.py:41
+#: perms/models/base.py:84 rbac/builtin.py:117 rbac/models/rolebinding.py:41
 #: terminal/backends/command/models.py:20
 #: terminal/backends/command/serializers.py:13 terminal/models/session.py:44
 #: terminal/models/sharing.py:33 terminal/notifications.py:91
@ -210,7 +210,7 @@ msgid "Unsupported protocols: {}"
 msgstr "不支持的协议: {}"

 #: acls/serializers/login_asset_acl.py:98
-#: tickets/serializers/ticket/ticket.py:78
+#: tickets/serializers/ticket/ticket.py:85
 msgid "The organization `{}` does not exist"
 msgstr "组织 `{}` 不存在"

@ -1982,6 +1982,24 @@ msgstr "手机号没有设置"
 msgid "SSO auth closed"
 msgstr "SSO 认证关闭了"

+#: authentication/errors/mfa.py:18 authentication/views/wecom.py:80
+msgid "WeCom is already bound"
+msgstr "企业微信已经绑定"
+
+#: authentication/errors/mfa.py:23 authentication/views/wecom.py:237
+#: authentication/views/wecom.py:291
+msgid "WeCom is not bound"
+msgstr "没有绑定企业微信"
+
+#: authentication/errors/mfa.py:28 authentication/views/dingtalk.py:242
+#: authentication/views/dingtalk.py:296
+msgid "DingTalk is not bound"
+msgstr "钉钉没有绑定"
+
+#: authentication/errors/mfa.py:33 authentication/views/feishu.py:203
+msgid "FeiShu is not bound"
+msgstr "没有绑定飞书"
+
 #: authentication/errors/mfa.py:38
 msgid "Your password is invalid"
 msgstr "您的密码无效"
@ -2445,10 +2463,6 @@ msgstr "绑定 钉钉 成功"
 msgid "Failed to get user from DingTalk"
 msgstr "从钉钉获取用户失败"

-#: authentication/views/dingtalk.py:242 authentication/views/dingtalk.py:296
-msgid "DingTalk is not bound"
-msgstr "钉钉没有绑定"
-
 #: authentication/views/dingtalk.py:243 authentication/views/dingtalk.py:297
 msgid "Please login with a password and then bind the DingTalk"
 msgstr "请使用密码登录，然后绑定钉钉"
@ -2477,10 +2491,6 @@ msgstr "绑定 飞书 成功"
 msgid "Failed to get user from FeiShu"
 msgstr "从飞书获取用户失败"

-#: authentication/views/feishu.py:203
-msgid "FeiShu is not bound"
-msgstr "没有绑定飞书"
-
 #: authentication/views/feishu.py:204
 msgid "Please login with a password and then bind the FeiShu"
 msgstr "请使用密码登录，然后绑定飞书"
@ -2525,10 +2535,6 @@ msgstr "企业微信错误，请联系系统管理员"
 msgid "WeCom Error"
 msgstr "企业微信错误"

-#: authentication/views/wecom.py:80
-msgid "WeCom is already bound"
-msgstr "企业微信已经绑定"
-
 #: authentication/views/wecom.py:163
 msgid "WeCom query user failed"
 msgstr "企业微信查询用户失败"
@ -2545,10 +2551,6 @@ msgstr "绑定 企业微信 成功"
 msgid "Failed to get user from WeCom"
 msgstr "从企业微信获取用户失败"

-#: authentication/views/wecom.py:237 authentication/views/wecom.py:291
-msgid "WeCom is not bound"
-msgstr "没有绑定企业微信"
-
 #: authentication/views/wecom.py:238 authentication/views/wecom.py:292
 msgid "Please login with a password and then bind the WeCom"
 msgstr "请使用密码登录，然后绑定企业微信"
@ -2982,10 +2984,10 @@ msgstr "组织存在资源 ({}) 不能被删除"
 msgid "App organizations"
 msgstr "组织管理"

-#: orgs/mixins/models.py:54 orgs/mixins/serializers.py:25 orgs/models.py:80
+#: orgs/mixins/models.py:57 orgs/mixins/serializers.py:25 orgs/models.py:80
 #: orgs/models.py:211 rbac/const.py:7 rbac/models/rolebinding.py:48
 #: rbac/serializers/rolebinding.py:40 settings/serializers/auth/ldap.py:62
-#: tickets/models/ticket/general.py:300 tickets/serializers/ticket/ticket.py:64
+#: tickets/models/ticket/general.py:300 tickets/serializers/ticket/ticket.py:71
 msgid "Organization"
 msgstr "组织"

@ -3216,27 +3218,27 @@ msgstr "{} 至少有一个系统角色"
 msgid "RBAC"
 msgstr "RBAC"

-#: rbac/builtin.py:109
+#: rbac/builtin.py:108
 msgid "SystemAdmin"
 msgstr "系统管理员"

-#: rbac/builtin.py:112
+#: rbac/builtin.py:111
 msgid "SystemAuditor"
 msgstr "系统审计员"

-#: rbac/builtin.py:115
+#: rbac/builtin.py:114
 msgid "SystemComponent"
 msgstr "系统组件"

-#: rbac/builtin.py:121
+#: rbac/builtin.py:120
 msgid "OrgAdmin"
 msgstr "组织管理员"

-#: rbac/builtin.py:124
+#: rbac/builtin.py:123
 msgid "OrgAuditor"
 msgstr "组织审计员"

-#: rbac/builtin.py:127
+#: rbac/builtin.py:126
 msgid "OrgUser"
 msgstr "组织用户"

@ -4611,7 +4613,7 @@ msgstr "Jmservisor 是在 windows 远程应用发布服务器中用来拉起远
 msgid "Offline video player"
 msgstr "离线录像播放器"

-#: terminal/api/endpoint.py:33
+#: terminal/api/endpoint.py:34
 msgid "Not found protocol query params"
 msgstr ""

@ -5183,33 +5185,33 @@ msgstr "自定义用户"
 msgid "Ticket already closed"
 msgstr "工单已经关闭"

-#: tickets/handlers/apply_application.py:35
+#: tickets/handlers/apply_application.py:37
 msgid ""
 "Created by the ticket, ticket title: {}, ticket applicant: {}, ticket "
 "processor: {}, ticket ID: {}"
 msgstr ""
 "通过工单创建, 工单标题: {}, 工单申请人: {}, 工单处理人: {}, 工单 ID: {}"

-#: tickets/handlers/apply_asset.py:35
+#: tickets/handlers/apply_asset.py:37
 msgid ""
 "Created by the ticket ticket title: {} ticket applicant: {} ticket "
 "processor: {} ticket ID: {}"
 msgstr ""
 "通过工单创建, 工单标题: {}, 工单申请人: {}, 工单处理人: {}, 工单 ID: {}"

-#: tickets/handlers/base.py:79
+#: tickets/handlers/base.py:84
 msgid "Change field"
 msgstr "变更字段"

-#: tickets/handlers/base.py:79
+#: tickets/handlers/base.py:84
 msgid "Before change"
 msgstr "变更前"

-#: tickets/handlers/base.py:79
+#: tickets/handlers/base.py:84
 msgid "After change"
 msgstr "变更后"

-#: tickets/handlers/base.py:91
+#: tickets/handlers/base.py:96
 msgid "{} {} the ticket"
 msgstr "{} {} 工单"

@ -5423,7 +5425,7 @@ msgstr "过期时间要大于开始时间"
 msgid "Permission named `{}` already exists"
 msgstr "授权名称 `{}` 已存在"

-#: tickets/serializers/ticket/ticket.py:92
+#: tickets/serializers/ticket/ticket.py:99
 msgid "The ticket flow `{}` does not exist"
 msgstr "工单流程 `{}` 不存在"

--- a/apps/settings/api/public.py
+++ b/apps/settings/api/public.py
@ -3,7 +3,11 @@ from rest_framework.permissions import AllowAny, IsAuthenticated
 from django.conf import settings

 from jumpserver.utils import has_valid_xpack_license, get_xpack_license_info
-from common.utils import get_logger, lazyproperty
+from common.utils import get_logger, lazyproperty, get_object_or_none
+from authentication.models import ConnectionToken
+from orgs.utils import tmp_to_root_org
+from common.permissions import IsValidUserOrConnectionToken
+
 from .. import serializers
 from ..utils import get_interface_setting_or_default

@ -28,7 +32,7 @@ class OpenPublicSettingApi(generics.RetrieveAPIView):


 class PublicSettingApi(OpenPublicSettingApi):
-    permission_classes = (IsAuthenticated,)
+    permission_classes = (IsValidUserOrConnectionToken,)
    serializer_class = serializers.PrivateSettingSerializer

    def get_object(self):
--- a/apps/terminal/api/endpoint.py
+++ b/apps/terminal/api/endpoint.py
@ -9,9 +9,9 @@ from assets.models import Asset
 from orgs.utils import tmp_to_root_org
 from applications.models import Application
 from terminal.models import Session
-from common.permissions import IsValidUser
 from ..models import Endpoint, EndpointRule
 from .. import serializers
+from common.permissions import IsValidUserOrConnectionToken


 __all__ = ['EndpointViewSet', 'EndpointRuleViewSet']
@ -25,7 +25,8 @@ class SmartEndpointViewMixin:
    target_instance: None
    target_protocol: None

-    @action(methods=['get'], detail=False, permission_classes=[IsValidUser], url_path='smart')
+    @action(methods=['get'], detail=False, permission_classes=[IsValidUserOrConnectionToken],
+            url_path='smart')
    def smart(self, request, *args, **kwargs):
        self.target_instance = self.get_target_instance()
        self.target_protocol = self.get_target_protocol()
--- a/apps/tickets/handlers/apply_application.py
+++ b/apps/tickets/handlers/apply_application.py
@ -16,16 +16,18 @@ class Handler(BaseHandler):

    # permission
    def _create_application_permission(self):
-        with tmp_to_root_org():
+        org_id = self.ticket.org_id
+        with tmp_to_org(org_id):
            application_permission = ApplicationPermission.objects.filter(id=self.ticket.id).first()
            if application_permission:
                return application_permission

+            apply_applications = self.ticket.apply_applications.all()
+            apply_system_users = self.ticket.apply_system_users.all()
+
        apply_permission_name = self.ticket.apply_permission_name
        apply_category = self.ticket.apply_category
        apply_type = self.ticket.apply_type
-        apply_applications = self.ticket.apply_applications.all()
-        apply_system_users = self.ticket.apply_system_users.all()
        apply_date_start = self.ticket.apply_date_start
        apply_date_expired = self.ticket.apply_date_expired
        permission_created_by = '{}:{}'.format(
--- a/apps/tickets/handlers/apply_asset.py
+++ b/apps/tickets/handlers/apply_asset.py
@ -16,15 +16,17 @@ class Handler(BaseHandler):

    # permission
    def _create_asset_permission(self):
-        with tmp_to_root_org():
+        org_id = self.ticket.org_id
+        with tmp_to_org(org_id):
            asset_permission = AssetPermission.objects.filter(id=self.ticket.id).first()
            if asset_permission:
                return asset_permission

+            apply_nodes = self.ticket.apply_nodes.all()
+            apply_assets = self.ticket.apply_assets.all()
+            apply_system_users = self.ticket.apply_system_users.all()
+
        apply_permission_name = self.ticket.apply_permission_name
-        apply_nodes = self.ticket.apply_nodes.all()
-        apply_assets = self.ticket.apply_assets.all()
-        apply_system_users = self.ticket.apply_system_users.all()
        apply_actions = self.ticket.apply_actions
        apply_date_start = self.ticket.apply_date_start
        apply_date_expired = self.ticket.apply_date_expired
--- a/requirements/mac_pkg.sh
+++ b/requirements/mac_pkg.sh
@ -3,7 +3,7 @@ BASE_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" >/dev/null 2>&1 && pwd)"
 PROJECT_DIR=$(dirname "$BASE_DIR")

 echo "1. 安装依赖"
-brew install libtiff libjpeg webp little-cms2 openssl gettext git git-lfs mysql libxml2 libxmlsec1 pkg-config
+brew install libtiff libjpeg webp little-cms2 openssl gettext git git-lfs mysql libxml2 libxmlsec1 pkg-config postgresql freetds openssl

 echo "2. 下载 IP 数据库"
 ip_db_path="${PROJECT_DIR}/apps/common/utils/geoip/GeoLite2-City.mmdb"