Merge pull request #3230 from jumpserver/dev_auth

[Bugfix] 修复用户认证序列类获取 request 的问题

Merge pull request #3230 from jumpserver/dev_auth
[Bugfix] 修复用户认证序列类获取 request 的问题
49317371 · BaiJiangJie · GitHub · 58288975 · 4797f99f · 49317371
Unverified Commit 49317371 authored Sep 16, 2019 by BaiJiangJie Committed by GitHub Sep 16, 2019
Show whitespace changes
Inline Side-by-side

Showing with 29 additions and 3 deletions

auth.py apps/authentication/api/auth.py +23 -3

permissions.py apps/common/permissions.py +6 -0

No files found.
--- a/apps/authentication/api/auth.py
+++ b/apps/authentication/api/auth.py
@@ -41,6 +41,16 @@ class UserAuthApi(RootOrgViewMixin, APIView):
    permission_classes = (AllowAny,)
    serializer_class = UserSerializer

+    def get_serializer_context(self):
+        return {
+            'request': self.request,
+            'view': self
+        }
+
+    def get_serializer(self, *args, **kwargs):
+        kwargs['context'] = self.get_serializer_context()
+        return self.serializer_class(*args, **kwargs)
+
    def post(self, request):
        # limit login
        username = request.data.get('username')
@@ -65,7 +75,7 @@ class UserAuthApi(RootOrgViewMixin, APIView):
            clean_failed_count(username, ip)
            token, expired_at = user.create_bearer_token(request)
            return Response(
-                {'token': token, 'user': self.serializer_class(user).data}
+                {'token': token, 'user': self.get_serializer(user).data}
            )

        seed = uuid.uuid4().hex
@@ -77,7 +87,7 @@ class UserAuthApi(RootOrgViewMixin, APIView):
                         'conduct MFA secondary certification'),
                'otp_url': reverse('api-auth:user-otp-auth'),
                'seed': seed,
-                'user': self.serializer_class(user).data
+                'user': self.get_serializer(user).data
            }, status=300
        )

@@ -147,6 +157,16 @@ class UserOtpAuthApi(RootOrgViewMixin, APIView):
    permission_classes = (AllowAny,)
    serializer_class = UserSerializer

+    def get_serializer_context(self):
+        return {
+            'request': self.request,
+            'view': self
+        }
+
+    def get_serializer(self, *args, **kwargs):
+        kwargs['context'] = self.get_serializer_context()
+        return self.serializer_class(*args, **kwargs)
+
    def post(self, request):
        otp_code = request.data.get('otp_code', '')
        seed = request.data.get('seed', '')
@@ -161,7 +181,7 @@ class UserOtpAuthApi(RootOrgViewMixin, APIView):
            return Response({'msg': _('MFA certification failed')}, status=401)
        self.send_auth_signal(success=True, user=user)
        token, expired_at = user.create_bearer_token(request)
-        data = {'token': token, 'user': self.serializer_class(user).data}
+        data = {'token': token, 'user': self.get_serializer(user).data}
        return Response(data)

    def send_auth_signal(self, success=True, user=None, username='', reason=''):

--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -132,6 +132,8 @@ class CanUpdateDeleteUser(permissions.BasePermission):

    @staticmethod
    def has_delete_object_permission(request, view, obj):
+        if request.user.is_anonymous:
+            return False
        if not request.user.can_admin_current_org:
            return False
        # 超级管理员 / 组织管理员
@@ -157,6 +159,8 @@ class CanUpdateDeleteUser(permissions.BasePermission):

    @staticmethod
    def has_update_object_permission(request, view, obj):
+        if request.user.is_anonymous:
+            return False
        if not request.user.can_admin_current_org:
            return False
        # 超级管理员 / 组织管理员
@@ -179,6 +183,8 @@ class CanUpdateDeleteUser(permissions.BasePermission):
        return True

    def has_object_permission(self, request, view, obj):
+        if request.user.is_anonymous:
+            return False
        if not request.user.can_admin_current_org:
            return False
        if request.method in ['DELETE']: