diff --git a/apps/audits/views.py b/apps/audits/views.py index 8c9b6467dd9bf8b5e3aa47fc6657910cbf078708..6f358090d0c5a8b8e336f188296302c16330425f 100644 --- a/apps/audits/views.py +++ b/apps/audits/views.py @@ -119,7 +119,7 @@ class OperateLogListView(PermissionsMixin, DatetimeSearchMixin, ListView): def get_context_data(self, **kwargs): context = { - 'user_list': current_org.get_org_users(), + 'user_list': current_org.get_org_users_and_auditors(), 'actions': self.actions_dict, 'resource_type_list': get_resource_type_list(), 'date_from': self.date_from, @@ -142,7 +142,7 @@ class PasswordChangeLogList(PermissionsMixin, DatetimeSearchMixin, ListView): permission_classes = [IsOrgAdmin | IsAuditor] def get_queryset(self): - users = current_org.get_org_users() + users = current_org.get_org_users_and_auditors() self.queryset = super().get_queryset().filter( user__in=[user.__str__() for user in users] ) @@ -159,7 +159,7 @@ class PasswordChangeLogList(PermissionsMixin, DatetimeSearchMixin, ListView): def get_context_data(self, **kwargs): context = { - 'user_list': current_org.get_org_users(), + 'user_list': current_org.get_org_users_and_auditors(), 'date_from': self.date_from, 'date_to': self.date_to, 'user': self.user, @@ -180,7 +180,7 @@ class LoginLogListView(PermissionsMixin, DatetimeSearchMixin, ListView): @staticmethod def get_org_users(): - users = current_org.get_org_users().values_list('username', flat=True) + users = current_org.get_org_users_and_auditors().values_list('username', flat=True) return users def get_queryset(self): @@ -234,7 +234,7 @@ class CommandExecutionListView(UserCommandExecutionListView): return queryset def get_user_list(self): - users = current_org.get_org_users() + users = current_org.get_org_users_exclude_auditors() return users def get_context_data(self, **kwargs): diff --git a/apps/jumpserver/views.py b/apps/jumpserver/views.py index f9d692f31362051e42b6d76d17ea6ecc303428a7..c5bcc3fb8cb73927fb7c3e8e9aa675ca014515d7 100644 
--- a/apps/jumpserver/views.py +++ b/apps/jumpserver/views.py @@ -45,7 +45,7 @@ class IndexView(PermissionsMixin, TemplateView): @staticmethod def get_user_count(): - return current_org.get_org_users().count() + return current_org.get_org_users_and_auditors().count() @staticmethod def get_asset_count(): @@ -100,7 +100,7 @@ class IndexView(PermissionsMixin, TemplateView): return self.session_month.values('user').distinct().count() def get_month_inactive_user_total(self): - count = current_org.get_org_users().count() - self.get_month_active_user_total() + count = current_org.get_org_users_and_auditors().count() - self.get_month_active_user_total() if count < 0: count = 0 return count @@ -116,7 +116,7 @@ class IndexView(PermissionsMixin, TemplateView): @staticmethod def get_user_disabled_total(): - return current_org.get_org_users().filter(is_active=False).count() + return current_org.get_org_users_and_auditors().filter(is_active=False).count() @staticmethod def get_asset_disabled_total(): diff --git a/apps/orgs/models.py b/apps/orgs/models.py index 9b97f77898350fc3d5540c907024e6c0e6805999..dcff6dc92240fa759a54877075a03429e7dd229d 100644 --- a/apps/orgs/models.py +++ b/apps/orgs/models.py @@ -68,6 +68,16 @@ class Organization(models.Model): return org def get_org_users(self, include_app=False): + from users.models import User + if self.is_real(): + users = self.users.all() + else: + users = User.objects.all() + if not include_app: + users = users.exclude(role=User.ROLE_APP) + return users + + def get_org_users_and_auditors(self, include_app=False): from users.models import User if self.is_real(): users = self.users.all() | self.auditors.all() 
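Review bot: The new `get_org_users` body is asymmetric with `get_org_users_exclude_auditors` added in the same commit: on a real org both return `self.users.all()`, but on the default org this one returns every non-app `User` (auditors included) while the other excludes `ROLE_AUDITOR`. Every caller in this diff was switched to `_and_auditors` or `_exclude_auditors`, so any remaining caller of `get_org_users` elsewhere in the repo will see auditors only on the default org, which is easy to miss when picking a helper by name. A docstring would pin the contract, e.g. `"""Members of this org: ``users`` on a real org, every non-app user on the default org."""`; if the default-org behaviour is unintended, `User.objects.exclude(role=User.ROLE_AUDITOR)` brings it in line with the new sibling. The hunk ends inside `get_org_users_and_auditors`, whose body continues outside it.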
@@ -77,6 +87,16 @@ class Organization(models.Model): users = users.exclude(role=User.ROLE_APP) return users + def get_org_users_exclude_auditors(self, include_app=False): + from users.models import User + if self.is_real(): + users = self.users.all() + else: + users = User.objects.exclude(role=User.ROLE_AUDITOR) + if not include_app: + users = users.exclude(role=User.ROLE_APP) + return users + def get_org_admins(self): if self.is_real(): return self.admins.all() @@ -115,7 +135,8 @@ class Organization(models.Model): elif user.is_auditor: admin_orgs = user.audit_orgs.all() if not admin_orgs: - admin_orgs = [cls.default()] + admin_orgs = list(cls.objects.all()) + admin_orgs.append(cls.default()) return admin_orgs @classmethod diff --git a/apps/perms/forms/asset_permission.py b/apps/perms/forms/asset_permission.py index da3096b301a33f31c3e1e38a8d16b59c301a27b2..bef671503f36896ebc44fb3be6e948f148273818 100644 --- a/apps/perms/forms/asset_permission.py +++ b/apps/perms/forms/asset_permission.py @@ -39,7 +39,7 @@ class AssetPermissionForm(OrgModelForm): def __init__(self, *args, **kwargs): super().__init__(*args, **kwargs) users_field = self.fields.get('users') - users_field.queryset = current_org.get_org_users() + users_field.queryset = current_org.get_org_users_exclude_auditors() nodes_field = self.fields['nodes'] nodes_field.choices = ((n.id, n.full_value) for n in Node.get_queryset()) diff --git a/apps/perms/forms/remote_app_permission.py b/apps/perms/forms/remote_app_permission.py index 2e0cc1b665542f750be7c8d7198c9a8af388b03f..f8bdb391d4970d76799c13fcdffe6ce119a25de0 100644 --- a/apps/perms/forms/remote_app_permission.py +++ b/apps/perms/forms/remote_app_permission.py 
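Review bot: `get_org_users_exclude_auditors` excludes by role only on the default-org branch; on a real org it returns `self.users.all()` unfiltered, so the exclusion relies on an auditor never being added to `users` (only to `auditors`), which nothing in this diff enforces. Since this helper now feeds the asset/remote-app permission forms and the user-group form, a user that is both a member and `ROLE_AUDITOR` would still be grantable. Filtering both branches is cheap and makes the name true: `users = self.users.exclude(role=User.ROLE_AUDITOR)`. A one-line docstring stating "never returns auditors, regardless of membership" would document that intent.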
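Review bot: The auditor fallback now fails open: an auditor with an empty `audit_orgs` is handed every organization (`list(cls.objects.all())` plus the default), where before it received only the default org. "No assignment" is the least-privileged state, so expanding it to global scope inverts the usual least-privilege default; if a global auditor is a real role it should be an explicit attribute on the user, and if not, the previous `admin_orgs = [cls.default()]` should stay. `cls.objects.all()` also ignores any enabled/active flag the org model may carry — confirm none exists. The enclosing classmethod starts outside the hunk.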
@@ -19,7 +19,7 @@ class RemoteAppPermissionCreateUpdateForm(OrgModelForm): super().__init__(*args, **kwargs) users_field = self.fields.get('users') if hasattr(users_field, 'queryset'): - users_field.queryset = current_org.get_org_users() + users_field.queryset = current_org.get_org_users_exclude_auditors() class Meta: model = RemoteAppPermission diff --git a/apps/perms/views/asset_permission.py b/apps/perms/views/asset_permission.py index 133e14e207adfbcad1a1d4966b75e8502f9bff86..ac7dd57b942748bd1495cc1e52f43feb53b20d62 100644 --- a/apps/perms/views/asset_permission.py +++ b/apps/perms/views/asset_permission.py @@ -135,7 +135,7 @@ class AssetPermissionUserView(PermissionsMixin, context = { 'app': _('Perms'), 'action': _('Asset permission user list'), - 'users_remain': current_org.get_org_users().exclude( + 'users_remain': current_org.get_org_users_exclude_auditors().exclude( assetpermission=self.object ), 'user_groups_remain': UserGroup.objects.exclude( diff --git a/apps/perms/views/remote_app_permission.py b/apps/perms/views/remote_app_permission.py index 91774be0d00e449e2e41e130440648588cbc06f0..cab57092778aff87f2d9d468f2b5a790919e3fe0 100644 --- a/apps/perms/views/remote_app_permission.py +++ b/apps/perms/views/remote_app_permission.py @@ -107,7 +107,7 @@ class RemoteAppPermissionUserView(PermissionsMixin, context = { 'app': _('Perms'), 'action': _('RemoteApp permission user list'), - 'users_remain': current_org.get_org_users().exclude( + 'users_remain': current_org.get_org_users_exclude_auditors().exclude( remoteapppermission=self.object ), 'user_groups_remain': UserGroup.objects.exclude( diff --git a/apps/users/api/user.py b/apps/users/api/user.py index 53933f577eaaf978dc6f075aa69e54aecd1e04cd..78c4725f879a8732b6b91383dc8980997d2f2eda 100644 --- a/apps/users/api/user.py +++ b/apps/users/api/user.py 
@@ -60,7 +60,7 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet): self.send_created_signal(users) def get_queryset(self): - queryset = current_org.get_org_users().prefetch_related('groups') + queryset = current_org.get_org_users_and_auditors().prefetch_related('groups') return queryset def get_permissions(self): diff --git a/apps/users/forms.py b/apps/users/forms.py index 6b2c2f8d3f561801f73406bf2413e610cb54174b..4ea4fc364cbbabee7b62591273d8368186237eae 100644 --- a/apps/users/forms.py +++ b/apps/users/forms.py @@ -67,8 +67,14 @@ class UserCreateUpdateFormMixin(OrgModelForm): # Org admin user else: - roles.append((User.ROLE_USER, dict(User.ROLE_CHOICES).get(User.ROLE_USER))) - roles.append((User.ROLE_AUDITOR, dict(User.ROLE_CHOICES).get(User.ROLE_AUDITOR))) + user = kwargs.get('instance') + # Update + if user: + role = kwargs.get('instance').role + roles.append((role, dict(User.ROLE_CHOICES).get(role))) + # Create + else: + roles.append((User.ROLE_USER, dict(User.ROLE_CHOICES).get(User.ROLE_USER))) field = self.fields['role'] field.choices = set(roles) @@ -329,7 +335,7 @@ class UserGroupForm(OrgModelForm): return users_field = self.fields.get('users') if hasattr(users_field, 'queryset'): - users_field.queryset = current_org.get_org_users() + users_field.queryset = current_org.get_org_users_exclude_auditors() def save(self, commit=True): group = super().save(commit=commit) diff --git a/apps/users/serializers/v1.py b/apps/users/serializers/v1.py index 25b6207a4820727d1d0aab3263d159d27191b905..864618823daa2f5b3abc379e68dc7d33c5738e80 100644 --- a/apps/users/serializers/v1.py +++ b/apps/users/serializers/v1.py 
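Review bot: In the org-admin branch, `user = kwargs.get('instance')` is fetched and then re-fetched as `kwargs.get('instance').role`; beyond the duplication, `instance` is a positional parameter of `ModelForm.__init__` and `kwargs.get` misses it when passed that way, silently falling into the "create" branch and offering only `ROLE_USER`. After `super().__init__` the reliable test is the bound instance: `if self.instance.pk:` then `role = self.instance.role`. The enclosing `__init__` starts outside the hunk, so confirm `super().__init__` precedes this code. Worth a comment that this is a UI restriction only and role enforcement for the API lives in the serializer.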
@@ -50,7 +50,7 @@ class UserSerializer(BulkSerializerMixin, serializers.ModelSerializer): def validate_role(self, value): request = self.context.get('request') - if not request.user.is_org_admin and value != User.ROLE_USER: + if not request.user.is_superuser and value != User.ROLE_USER: role_display = dict(User.ROLE_CHOICES)[User.ROLE_USER] msg = _("Role limit to {}".format(role_display)) raise serializers.ValidationError(msg) diff --git a/apps/users/templates/users/user_detail.html b/apps/users/templates/users/user_detail.html index b39671a73467d83083798a1e7f405f2ba20d4dd2..1b38a217502476f4d7ecffa2ef0093281c959675 100644 --- a/apps/users/templates/users/user_detail.html +++ b/apps/users/templates/users/user_detail.html 
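Review bot: `validate_role` now rejects any non-`ROLE_USER` value from a non-superuser, including the user's current role on an update: an org admin editing an existing auditor via the API and resubmitting `role` unchanged gets "Role limit to User", whereas the form hunk in this same commit deliberately offers the current role as the only choice. Accepting the unchanged value keeps the two paths consistent without allowing escalation: `if self.instance is not None and value == self.instance.role: return value` placed before the superuser check. Separately, `self.context.get('request')` can be `None` when the serializer is used outside a view and would raise on `.user` — pre-existing, but a guard is cheap.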
@@ -211,45 +211,46 @@ </table> </div> </div> + {% if not user_object.is_auditor %} + <div class="panel panel-info"> + <div class="panel-heading"> + <i class="fa fa-info-circle"></i> {% trans 'User group' %} + </div> + <div class="panel-body"> + <table class="table group_edit"> + <tbody> + <form> + <tr> + <td colspan="2" class="no-borders"> + <select data-placeholder="{% trans 'Join user groups' %}" id="groups_selected" class="select2" style="width: 100%" multiple="" tabindex="4"> + {% for group in groups %} + <option value="{{ group.id }}" id="opt_{{ group.id }}" >{{ group.name }}</option> + {% endfor %} + </select> + </td> + </tr> + <tr> + <td colspan="2" class="no-borders"> + <button type="button" class="btn btn-info btn-small" id="btn_join_group">{% trans 'Join' %}</button> + </td> + </tr> + </form> - <div class="panel panel-info"> - <div class="panel-heading"> - <i class="fa fa-info-circle"></i> {% trans 'User group' %} - </div> - <div class="panel-body"> - <table class="table group_edit"> - <tbody> - <form> - <tr> - <td colspan="2" class="no-borders"> - <select data-placeholder="{% trans 'Join user groups' %}" id="groups_selected" class="select2" style="width: 100%" multiple="" tabindex="4"> - {% for group in groups %} - <option value="{{ group.id }}" id="opt_{{ group.id }}" >{{ group.name }}</option> - {% endfor %} - </select> - </td> - </tr> - <tr> - <td colspan="2" class="no-borders"> - <button type="button" class="btn btn-info btn-small" id="btn_join_group">{% trans 'Join' %}</button> - </td> - </tr> - </form> - - {% for group in user_object.groups.all %} - <tr> - <td > - <b class="bdg_group" data-gid={{ group.id }}>{{ group.name }}</b> - </td> - <td> - <button class="btn btn-danger pull-right btn-xs btn_leave_group" type="button"><i class="fa fa-minus"></i></button> - </td> - </tr> - {% endfor %} - </tbody> - </table> + {% for group in user_object.groups.all %} + <tr> + <td > + <b class="bdg_group" data-gid={{ group.id }}>{{ group.name }}</b> + </td> + 
<td> + <button class="btn btn-danger pull-right btn-xs btn_leave_group" type="button"><i class="fa fa-minus"></i></button> + </td> + </tr> + {% endfor %} + </tbody> + </table> + </div> </div> - </div> + {% endif %} </div> </div> </div> diff --git a/apps/users/views/group.py b/apps/users/views/group.py index 2f19a805552d8c3b20ed89ea9b9c59860c350e3a..88b8b8442fa1906f66b31fdc602266a0d6fb765e 100644 --- a/apps/users/views/group.py +++ b/apps/users/views/group.py @@ -76,7 +76,7 @@ class UserGroupDetailView(PermissionsMixin, DetailView): permission_classes = [IsOrgAdmin] def get_context_data(self, **kwargs): - users = current_org.get_org_users().exclude(id__in=self.object.users.all()) + users = current_org.get_org_users_exclude_auditors().exclude(id__in=self.object.users.all()) context = { 'app': _('Users'), 'action': _('User group detail'), diff --git a/apps/users/views/user.py b/apps/users/views/user.py index 1a8c25f2e3e03c0ca20e037ae2356cdd35088c57..353fbed40388cb8145264f420c16eb323c482285 100644 --- a/apps/users/views/user.py +++ b/apps/users/views/user.py @@ -195,7 +195,7 @@ class UserDetailView(PermissionsMixin, DetailView): def get_queryset(self): queryset = super().get_queryset() - org_users = current_org.get_org_users().values_list('id', flat=True) + org_users = current_org.get_org_users_and_auditors().values_list('id', flat=True) queryset = queryset.filter(id__in=org_users) return queryset
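Review bot: The `{% if not user_object.is_auditor %}` guard only hides the group panel client-side; the join/leave buttons drive an API call, and this diff restricts auditors in `UserGroupForm` but not in the user serializer or `UserViewSet`, whose queryset now includes auditors. Unless the `groups` relation is rejected server-side for auditors (not visible here), an auditor could still be placed in a group by a crafted request and inherit the group's asset permissions — confirm and add the server-side check. A template comment such as `{# auditors cannot join groups; must also be enforced server-side #}` would record that the template is not the control.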