[Update] 超级管理员创建超级审计员或组织审计员

apps/audits/views.py

@@ -119,7 +119,7 @@ class OperateLogListView(PermissionsMixin, DatetimeSearchMixin, ListView):
 
     def get_context_data(self, **kwargs):
         context = {
-            'user_list': current_org.get_org_users(),
+            'user_list': current_org.get_org_users_and_auditors(),
             'actions': self.actions_dict,
             'resource_type_list': get_resource_type_list(),
             'date_from': self.date_from,
@@ -142,7 +142,7 @@ class PasswordChangeLogList(PermissionsMixin, DatetimeSearchMixin, ListView):
     permission_classes = [IsOrgAdmin | IsAuditor]
 
     def get_queryset(self):
-        users = current_org.get_org_users()
+        users = current_org.get_org_users_and_auditors()
         self.queryset = super().get_queryset().filter(
             user__in=[user.__str__() for user in users]
         )
@@ -159,7 +159,7 @@ class PasswordChangeLogList(PermissionsMixin, DatetimeSearchMixin, ListView):
 
     def get_context_data(self, **kwargs):
         context = {
-            'user_list': current_org.get_org_users(),
+            'user_list': current_org.get_org_users_and_auditors(),
             'date_from': self.date_from,
             'date_to': self.date_to,
             'user': self.user,
@@ -180,7 +180,7 @@ class LoginLogListView(PermissionsMixin, DatetimeSearchMixin, ListView):
 
     @staticmethod
     def get_org_users():
-        users = current_org.get_org_users().values_list('username', flat=True)
+        users = current_org.get_org_users_and_auditors().values_list('username', flat=True)
         return users
 
     def get_queryset(self):
@@ -234,7 +234,7 @@ class CommandExecutionListView(UserCommandExecutionListView):
         return queryset
 
     def get_user_list(self):
-        users = current_org.get_org_users()
+        users = current_org.get_org_users_exclude_auditors()
         return users
 
     def get_context_data(self, **kwargs):

apps/jumpserver/views.py

@@ -45,7 +45,7 @@ class IndexView(PermissionsMixin, TemplateView):
 
     @staticmethod
     def get_user_count():
-        return current_org.get_org_users().count()
+        return current_org.get_org_users_and_auditors().count()
 
     @staticmethod
     def get_asset_count():
@@ -100,7 +100,7 @@ class IndexView(PermissionsMixin, TemplateView):
         return self.session_month.values('user').distinct().count()
 
     def get_month_inactive_user_total(self):
-        count = current_org.get_org_users().count() - self.get_month_active_user_total()
+        count = current_org.get_org_users_and_auditors().count() - self.get_month_active_user_total()
         if count < 0:
             count = 0
         return count
@@ -116,7 +116,7 @@ class IndexView(PermissionsMixin, TemplateView):
 
     @staticmethod
     def get_user_disabled_total():
-        return current_org.get_org_users().filter(is_active=False).count()
+        return current_org.get_org_users_and_auditors().filter(is_active=False).count()
 
     @staticmethod
     def get_asset_disabled_total():

apps/orgs/models.py

@@ -68,6 +68,16 @@ class Organization(models.Model):
         return org
 
     def get_org_users(self, include_app=False):
+        from users.models import User
+        if self.is_real():
+            users = self.users.all()
+        else:
+            users = User.objects.all()
+        if not include_app:
+            users = users.exclude(role=User.ROLE_APP)
+        return users
+
+    def get_org_users_and_auditors(self, include_app=False):
         from users.models import User
         if self.is_real():
             users = self.users.all() | self.auditors.all()
@@ -77,6 +87,16 @@ class Organization(models.Model):
             users = users.exclude(role=User.ROLE_APP)
         return users
 
+    def get_org_users_exclude_auditors(self, include_app=False):
+        from users.models import User
+        if self.is_real():
+            users = self.users.all()
+        else:
+            users = User.objects.exclude(role=User.ROLE_AUDITOR)
+        if not include_app:
+            users = users.exclude(role=User.ROLE_APP)
+        return users
+
     def get_org_admins(self):
         if self.is_real():
             return self.admins.all()
@@ -115,7 +135,8 @@ class Organization(models.Model):
         elif user.is_auditor:
             admin_orgs = user.audit_orgs.all()
             if not admin_orgs:
-                admin_orgs = [cls.default()]
+                admin_orgs = list(cls.objects.all())
+                admin_orgs.append(cls.default())
         return admin_orgs
 
     @classmethod

apps/perms/forms/asset_permission.py

@@ -39,7 +39,7 @@ class AssetPermissionForm(OrgModelForm):
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
         users_field = self.fields.get('users')
-        users_field.queryset = current_org.get_org_users()
+        users_field.queryset = current_org.get_org_users_exclude_auditors()
 
         nodes_field = self.fields['nodes']
         nodes_field.choices = ((n.id, n.full_value) for n in Node.get_queryset())

apps/perms/forms/remote_app_permission.py

@@ -19,7 +19,7 @@ class RemoteAppPermissionCreateUpdateForm(OrgModelForm):
         super().__init__(*args, **kwargs)
         users_field = self.fields.get('users')
         if hasattr(users_field, 'queryset'):
-            users_field.queryset = current_org.get_org_users()
+            users_field.queryset = current_org.get_org_users_exclude_auditors()
 
     class Meta:
         model = RemoteAppPermission

apps/perms/views/asset_permission.py

@@ -135,7 +135,7 @@ class AssetPermissionUserView(PermissionsMixin,
         context = {
             'app': _('Perms'),
             'action': _('Asset permission user list'),
-            'users_remain': current_org.get_org_users().exclude(
+            'users_remain': current_org.get_org_users_exclude_auditors().exclude(
                 assetpermission=self.object
             ),
             'user_groups_remain': UserGroup.objects.exclude(

apps/perms/views/remote_app_permission.py

@@ -107,7 +107,7 @@ class RemoteAppPermissionUserView(PermissionsMixin,
         context = {
             'app': _('Perms'),
             'action': _('RemoteApp permission user list'),
-            'users_remain': current_org.get_org_users().exclude(
+            'users_remain': current_org.get_org_users_exclude_auditors().exclude(
                 remoteapppermission=self.object
             ),
             'user_groups_remain': UserGroup.objects.exclude(

apps/users/api/user.py

@@ -60,7 +60,7 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
         self.send_created_signal(users)
 
     def get_queryset(self):
-        queryset = current_org.get_org_users().prefetch_related('groups')
+        queryset = current_org.get_org_users_and_auditors().prefetch_related('groups')
         return queryset
 
     def get_permissions(self):

apps/users/forms.py

@@ -66,9 +66,15 @@ class UserCreateUpdateFormMixin(OrgModelForm):
             roles.append((User.ROLE_AUDITOR, dict(User.ROLE_CHOICES).get(User.ROLE_AUDITOR)))
 
         # Org admin user
+        else:
+            user = kwargs.get('instance')
+            # Update
+            if user:
+                role = kwargs.get('instance').role
+                roles.append((role, dict(User.ROLE_CHOICES).get(role)))
+            # Create
             else:
                 roles.append((User.ROLE_USER, dict(User.ROLE_CHOICES).get(User.ROLE_USER)))
-            roles.append((User.ROLE_AUDITOR, dict(User.ROLE_CHOICES).get(User.ROLE_AUDITOR)))
 
         field = self.fields['role']
         field.choices = set(roles)
@@ -329,7 +335,7 @@ class UserGroupForm(OrgModelForm):
             return
         users_field = self.fields.get('users')
         if hasattr(users_field, 'queryset'):
-            users_field.queryset = current_org.get_org_users()
+            users_field.queryset = current_org.get_org_users_exclude_auditors()
 
     def save(self, commit=True):
         group = super().save(commit=commit)

apps/users/serializers/v1.py

@@ -50,7 +50,7 @@ class UserSerializer(BulkSerializerMixin, serializers.ModelSerializer):
 
     def validate_role(self, value):
         request = self.context.get('request')
-        if not request.user.is_org_admin and value != User.ROLE_USER:
+        if not request.user.is_superuser and value != User.ROLE_USER:
             role_display = dict(User.ROLE_CHOICES)[User.ROLE_USER]
             msg = _("Role limit to {}".format(role_display))
             raise serializers.ValidationError(msg)

apps/users/templates/users/user_detail.html

@@ -211,7 +211,7 @@
                                     </table>
                                 </div>
                             </div>
-
+                            {% if not user_object.is_auditor %}
                                 <div class="panel panel-info">
                                     <div class="panel-heading">
                                         <i class="fa fa-info-circle"></i> {% trans 'User group' %}
@@ -250,6 +250,7 @@
                                         </table>
                                     </div>
                                 </div>
+                            {% endif %}
                         </div>
                     </div>
                 </div>

apps/users/views/group.py

@@ -76,7 +76,7 @@ class UserGroupDetailView(PermissionsMixin, DetailView):
     permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
-        users = current_org.get_org_users().exclude(id__in=self.object.users.all())
+        users = current_org.get_org_users_exclude_auditors().exclude(id__in=self.object.users.all())
         context = {
             'app': _('Users'),
             'action': _('User group detail'),

apps/users/views/user.py

@@ -195,7 +195,7 @@ class UserDetailView(PermissionsMixin, DetailView):
 
     def get_queryset(self):
         queryset = super().get_queryset()
-        org_users = current_org.get_org_users().values_list('id', flat=True)
+        org_users = current_org.get_org_users_and_auditors().values_list('id', flat=True)
         queryset = queryset.filter(id__in=org_users)
         return queryset