Commit 4b1f07d7 authored by jym503558564

[Update] 禁止不是超级管理员角色 删除/更新 审计员

parent 70bf9d17
...@@ -165,6 +165,9 @@ class CanUpdateDeleteSuperUser(permissions.BasePermission): ...@@ -165,6 +165,9 @@ class CanUpdateDeleteSuperUser(permissions.BasePermission):
return True return True
elif request.method == 'DELETE' and str(request.user.id) == str(obj.id): elif request.method == 'DELETE' and str(request.user.id) == str(obj.id):
return False return False
elif request.method in ('DELETE', 'PATCH', 'PUT') and \
not request.user.is_superuser and obj.is_auditor:
return False
elif request.user.is_superuser: elif request.user.is_superuser:
return True return True
if hasattr(obj, 'is_superuser') and obj.is_superuser: if hasattr(obj, 'is_superuser') and obj.is_superuser:
......
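Review bot: The added `elif` branch reads `obj.is_auditor` directly, while the existing guard a few lines below it still writes `hasattr(obj, 'is_superuser') and obj.is_superuser`; whatever object made that `hasattr` necessary would now raise AttributeError in the new branch instead of being denied, so `not request.user.is_superuser and getattr(obj, 'is_auditor', False)` keeps the two checks consistent. The tuple `('DELETE', 'PATCH', 'PUT')` is a deny-list, so any other unsafe verb falls through to the later branches; if the intent is "auditors are read-only for non-superusers", `request.method not in permissions.SAFE_METHODS` states that directly and needs no update when a verb is added. I cannot see the branch that ends in the first `return True` of the hunk, so confirm it already short-circuits safe methods before relying on that rewrite. The enclosing method starts before this hunk and continues past it.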
...@@ -73,7 +73,8 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet): ...@@ -73,7 +73,8 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
check current user has permission to handle instance check current user has permission to handle instance
(update, destroy, bulk_update, bulk destroy) (update, destroy, bulk_update, bulk destroy)
""" """
if not self.request.user.is_superuser and instance.is_superuser: if not self.request.user.is_superuser \
and (instance.is_superuser or instance.is_auditor):
return True return True
if self.request.user == instance: if self.request.user == instance:
return True return True
......
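Review bot: The docstring says this helper checks whether the current user "has permission to handle instance", yet both branches return True precisely in the cases the commit forbids in the permission class — a non-superuser acting on a superuser or auditor, and a user acting on their own account — so a reader will take True as "allowed" when it appears to mean "refuse". If that reading is right, say so in the docstring, e.g. `Return True when the current user must NOT be allowed to update/destroy ``instance`` (a non-superuser touching a superuser or auditor, or a user touching themselves).`; the `def` line is above the hunk, so the method's name and how callers interpret the result cannot be confirmed here. Unlike the permission class, this check has no `hasattr` guard on `is_auditor`, which is fine as long as `instance` is always a User in this viewset.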
...@@ -99,7 +99,7 @@ function initTable() { ...@@ -99,7 +99,7 @@ function initTable() {
{targets: 7, createdCell: function (td, cellData, rowData) { {targets: 7, createdCell: function (td, cellData, rowData) {
var name = htmlEscape(rowData.name); var name = htmlEscape(rowData.name);
var update_btn = ""; var update_btn = "";
if (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin')) { if (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin') || rowData.role === 'Auditor' && ('{{ request.user.role }}' !== 'Admin')) {
update_btn = '<a class="btn btn-xs disabled btn-info">{% trans "Update" %}</a>'; update_btn = '<a class="btn btn-xs disabled btn-info">{% trans "Update" %}</a>';
} }
else{ else{
...@@ -107,7 +107,7 @@ function initTable() { ...@@ -107,7 +107,7 @@ function initTable() {
} }
var del_btn = ""; var del_btn = "";
if (rowData.id === 1 || rowData.username === "admin" || rowData.username === "{{ request.user.username }}" || (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin'))) { if (rowData.id === 1 || rowData.username === "admin" || rowData.username === "{{ request.user.username }}" || (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin')) || rowData.role === 'Auditor' && ('{{ request.user.role }}' !== 'Admin')) {
del_btn = '<a class="btn btn-xs btn-danger m-l-xs" disabled>{% trans "Delete" %}</a>' del_btn = '<a class="btn btn-xs btn-danger m-l-xs" disabled>{% trans "Delete" %}</a>'
.replace('{{ DEFAULT_PK }}', cellData) .replace('{{ DEFAULT_PK }}', cellData)
.replace('99991938', name); .replace('99991938', name);
......
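Review bot: The new condition in the update-button branch (and its twin in the delete-button branch) mixes `&&` and `||` with no grouping, so it is right only because `&&` binds tighter, and `'{{ request.user.role }}' !== 'Admin'` is now evaluated four times in the same callback. Compute the two facts once after `var name = htmlEscape(rowData.name);` — `var viewerIsAdmin = '{{ request.user.role }}' === 'Admin';` and `var privilegedRow = rowData.role === 'Admin' || rowData.role === 'Auditor';` — and both tests collapse to `privilegedRow && !viewerIsAdmin`. This only greys out buttons in the UI; the actual enforcement is the server-side permission check added in the same commit, which is where it belongs. The second hunk in this file shows six of its declared seven old lines, so the tail of the delete-button branch is not visible here.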