[Update] 禁止不是超级管理员角色删除/更新审计员

4b1f07d7 · jym503558564 · 70bf9d17 · 4b1f07d7 · 4b1f07d7 · 4b1f07d7
Commit 4b1f07d7 authored Aug 08, 2019 by jym503558564
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 3 deletions

permissions.py apps/common/permissions.py +3 -0

user.py apps/users/api/user.py +2 -1

user_list.html apps/users/templates/users/user_list.html +2 -2

No files found.
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -165,6 +165,9 @@ class CanUpdateDeleteSuperUser(permissions.BasePermission):
            return True
        elif request.method == 'DELETE' and str(request.user.id) == str(obj.id):
            return False
+        elif request.method in ('DELETE', 'PATCH', 'PUT') and \
+                not request.user.is_superuser and obj.is_auditor:
+            return False
        elif request.user.is_superuser:
            return True
        if hasattr(obj, 'is_superuser') and obj.is_superuser:

--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@@ -73,7 +73,8 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
        check current user has permission to handle instance
        (update, destroy, bulk_update, bulk destroy)
        """
-        if not self.request.user.is_superuser and instance.is_superuser:
+        if not self.request.user.is_superuser \
+                and (instance.is_superuser or instance.is_auditor):
            return True
        if self.request.user == instance:
            return True

--- a/apps/users/templates/users/user_list.html
+++ b/apps/users/templates/users/user_list.html
@@ -99,7 +99,7 @@ function initTable() {
            {targets: 7, createdCell: function (td, cellData, rowData) {
                var name = htmlEscape(rowData.name);
                var update_btn = "";
-                if (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin')) {
+                if (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin') || rowData.role === 'Auditor' &&  ('{{ request.user.role }}' !== 'Admin')) {
                    update_btn = '<a class="btn btn-xs disabled btn-info">{% trans "Update" %}</a>';
                }
                else{
@@ -107,7 +107,7 @@ function initTable() {
                }

                var del_btn = "";
-                if (rowData.id === 1 || rowData.username === "admin" || rowData.username === "{{ request.user.username }}" || (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin'))) {
+                if (rowData.id === 1 || rowData.username === "admin" || rowData.username === "{{ request.user.username }}" || (rowData.role === 'Admin' && ('{{ request.user.role }}' !== 'Admin')) || rowData.role === 'Auditor' &&  ('{{ request.user.role }}' !== 'Admin')) {
                    del_btn = '<a class="btn btn-xs btn-danger m-l-xs" disabled>{% trans "Delete" %}</a>'
                            .replace('{{ DEFAULT_PK }}', cellData)
                            .replace('99991938', name);