perf: 修改 acl 登录限制问题

2023-09-21 10:15:10 +08:00 · 2023-09-21 10:15:10 +08:00 · e11367088a
parent 1c74dd00ba
commit e11367088a
3 changed files with 19 additions and 16 deletions
--- a/apps/acls/models/base.py
+++ b/apps/acls/models/base.py
@ -103,25 +103,27 @@ class UserAssetAccountBaseACL(OrgModelMixin, UserBaseACL):
        abstract = True

    @classmethod
-    def filter_queryset(cls, user=None, asset=None, account=None, account_username=None, **kwargs):
+    def _get_filter_queryset(cls, user=None, asset=None, account=None, account_username=None, **kwargs):
        queryset = cls.objects.all()
-
-        if user:
-            q = cls.users.get_filter_q(user)
-            queryset = queryset.filter(q)
+        q = models.Q()

        if asset:
-            org_id = asset.org_id
-            with tmp_to_org(org_id):
-                q = cls.assets.get_filter_q(asset)
-            queryset = queryset.filter(q)
+            q &= cls.assets.get_filter_q(asset)
+        if user:
+            q &= cls.users.get_filter_q(user)
        if account and not account_username:
            account_username = account.username
        if account_username:
-            q = models.Q(accounts__contains=account_username) | \
-                models.Q(accounts__contains='*') | \
-                models.Q(accounts__contains='@ALL')
-            queryset = queryset.filter(q)
+            q &= models.Q(accounts__contains=account_username) | \
+                 models.Q(accounts__contains='*') | \
+                 models.Q(accounts__contains='@ALL')
        if kwargs:
-            queryset = queryset.filter(**kwargs)
+            q &= models.Q(**kwargs)
+        queryset = queryset.filter(q)
        return queryset.valid().distinct()
+
+    @classmethod
+    def filter_queryset(cls, asset=None, **kwargs):
+        org_id = asset.org_id if asset else ''
+        with tmp_to_org(org_id):
+            return cls._get_filter_queryset(asset=asset, **kwargs)
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@ -376,7 +376,7 @@ class ConnectionTokenViewSet(ExtraActionApiMixin, RootOrgViewMixin, JMSModelView

    def _validate_acl(self, user, asset, account):
        from acls.models import LoginAssetACL
-        acls = LoginAssetACL.filter_queryset(user, asset, account)
+        acls = LoginAssetACL.filter_queryset(user=user, asset=asset, account=account)
        ip = get_request_ip(self.request)
        acl = LoginAssetACL.get_match_rule_acls(user, ip, acls)
        if not acl:
--- a/apps/orgs/utils.py
+++ b/apps/orgs/utils.py
@ -87,7 +87,8 @@ def tmp_to_root_org():
@contextmanager
 def tmp_to_org(org):
    ori_org = get_current_org()
-    set_current_org(org)
+    if org:
+        set_current_org(org)
    yield
    if ori_org is not None:
        set_current_org(ori_org)