github
/
jumpserver
mirror of https://github.com/jumpserver/jumpserver
1
0
Fork 0
Code Issues Releases Wiki Activity

fix: 修复 private storage permission

pull/11534/head
ibuler 2023-09-11 11:13:34 +08:00 committed by Bryan
parent 816b284a51
commit f9d6de9c39
5 changed files with 10 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/common/permissions.py
View File

@ -12,7 +12,7 @@ from common.utils import get_object_or_none
from orgs.utils import tmp_to_root_org from orgs.utils import tmp_to_root_org
class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission): class IsValidUser(permissions.IsAuthenticated):
"""Allows access to valid user, is active and not expired""" """Allows access to valid user, is active and not expired"""
def has_permission(self, request, view): def has_permission(self, request, view):

2
apps/jumpserver/rewriting/storage/permissions.py
View File

@ -16,6 +16,8 @@ def allow_access(private_file):
path_base = path_list[1] if len(path_list) > 1 else None path_base = path_list[1] if len(path_list) > 1 else None
path_perm = path_perms_map.get(path_base, None) path_perm = path_perms_map.get(path_base, None)
if ".." in request_path:
return False
if not path_perm: if not path_perm:
return False return False
if path_perm == '*' or request.user.has_perms([path_perm]): if path_perm == '*' or request.user.has_perms([path_perm]):

6
apps/terminal/permissions.py
View File

@ -1,13 +1,15 @@
from rest_framework import permissions from rest_framework import permissions
from common.utils import get_logger from common.utils import get_logger
logger = get_logger(__file__) logger = get_logger(__file__)
__all__ = ['IsSessionAssignee'] __all__ = ['IsSessionAssignee']
class IsSessionAssignee(permissions.BasePermission): class IsSessionAssignee(permissions.IsAuthenticated):
def has_permission(self, request, view):
return False
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
try: try:

4
apps/tickets/permissions/ticket.py
View File

@ -1,12 +1,12 @@
from rest_framework import permissions from rest_framework import permissions
class IsAssignee(permissions.BasePermission): class IsAssignee(permissions.IsAuthenticated):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
return obj.has_current_assignee(request.user) return obj.has_current_assignee(request.user)
class IsApplicant(permissions.BasePermission): class IsApplicant(permissions.IsAuthenticated):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
return obj.applicant == request.user return obj.applicant == request.user

3
apps/users/permissions.py
View File

@ -1,6 +1,5 @@
from rest_framework import permissions from rest_framework import permissions
from rbac.builtin import BuiltinRole
from .utils import is_auth_password_time_valid from .utils import is_auth_password_time_valid
@ -11,7 +10,7 @@ class IsAuthPasswdTimeValid(permissions.IsAuthenticated):
and is_auth_password_time_valid(request.session) and is_auth_password_time_valid(request.session)
class UserObjectPermission(permissions.BasePermission): class UserObjectPermission(permissions.IsAuthenticated):
def has_object_permission(self, request, view, obj): def has_object_permission(self, request, view, obj):
if view.action not in ['update', 'partial_update', 'destroy']: if view.action not in ['update', 'partial_update', 'destroy']: