github
/
jumpserver
mirror of https://github.com/jumpserver/jumpserver
1
0
Fork 0
Code Issues Releases Wiki Activity

[Update] 限制用户通过API删除自己

pull/2886/head
BaiJiangJie 2019-07-05 13:59:38 +08:00
parent ece8f082fb
commit e415ef8354
1 changed files with 5 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apps/users/api/user.py
View File

@ -69,7 +69,11 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
check current user has permission to handle instance check current user has permission to handle instance
(update, destroy, bulk_update, bulk destroy) (update, destroy, bulk_update, bulk destroy)
""" """
return not self.request.user.is_superuser and instance.is_superuser if not self.request.user.is_superuser and instance.is_superuser:
return True
if self.request.user == instance:
return True
return False
def _bulk_deny_permission(self, instances): def _bulk_deny_permission(self, instances):
deny_instances = [i for i in instances if self._deny_permission(i)] deny_instances = [i for i in instances if self._deny_permission(i)]