[Update] 增加审计员权限控制 (#2792)

* [Update] 审计员

* [Update] 增加审计员的权限控制

* [Update] 增加审计员Api全校的控制

* [Update] 优化auditor的api权限控制

* [Update] 优化审计员权限控制

* [Update]优化管理员权限的View

* [Update] 优化超级管理权限的View

* [Update] 添加审计员切换组织查询会话管理数据

* [Update] 前端禁用审计员在线会话终断按钮

* [Update]优化细节问题

apps/applications/hands.py

@@ -11,6 +11,5 @@
 """
 
 
-from common.permissions import AdminUserRequiredMixin
 from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser
 from users.models import User, UserGroup

apps/applications/views/remote_app.py

@@ -10,7 +10,7 @@ from django.contrib.auth.mixins import LoginRequiredMixin
 from django.urls import reverse_lazy
 
 
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from common.const import create_success_msg, update_success_msg
 
 from ..models import RemoteApp
@@ -23,8 +23,9 @@ __all__ = [
 ]
 
 
-class RemoteAppListView(AdminUserRequiredMixin, TemplateView):
+class RemoteAppListView(PermissionsMixin, TemplateView):
     template_name = 'applications/remote_app_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -35,11 +36,12 @@ class RemoteAppListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class RemoteAppCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
+class RemoteAppCreateView(PermissionsMixin, SuccessMessageMixin, CreateView):
     template_name = 'applications/remote_app_create_update.html'
     model = RemoteApp
     form_class = forms.RemoteAppCreateUpdateForm
     success_url = reverse_lazy('applications:remote-app-list')
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -53,11 +55,12 @@ class RemoteAppCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateVie
         return create_success_msg % ({'name': cleaned_data['name']})
 
 
-class RemoteAppUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
+class RemoteAppUpdateView(PermissionsMixin, SuccessMessageMixin, UpdateView):
     template_name = 'applications/remote_app_create_update.html'
     model = RemoteApp
     form_class = forms.RemoteAppCreateUpdateForm
     success_url = reverse_lazy('applications:remote-app-list')
+    permission_classes = [IsOrgAdmin]
 
     def get_initial(self):
         return {k: v for k, v in self.object.params.items()}
@@ -74,10 +77,11 @@ class RemoteAppUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateVie
         return update_success_msg % ({'name': cleaned_data['name']})
 
 
-class RemoteAppDetailView(AdminUserRequiredMixin, DetailView):
+class RemoteAppDetailView(PermissionsMixin, DetailView):
     template_name = 'applications/remote_app_detail.html'
     model = RemoteApp
     context_object_name = 'remote_app'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {

apps/assets/hands.py

@@ -11,6 +11,5 @@
 """
 
 
-from common.permissions import AdminUserRequiredMixin
 from common.permissions import IsAppUser, IsOrgAdmin, IsValidUser, IsOrgAdminOrAppUser
 from users.models import User, UserGroup

apps/assets/views/admin_user.py

@@ -11,7 +11,7 @@ from django.views.generic.detail import DetailView, SingleObjectMixin
 from common.const import create_success_msg, update_success_msg
 from .. import forms
 from ..models import AdminUser, Node
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 
 __all__ = [
     'AdminUserCreateView', 'AdminUserDetailView',
@@ -20,9 +20,10 @@ __all__ = [
 ]
 
 
-class AdminUserListView(AdminUserRequiredMixin, TemplateView):
+class AdminUserListView(PermissionsMixin, TemplateView):
     model = AdminUser
     template_name = 'assets/admin_user_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -33,7 +34,7 @@ class AdminUserListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class AdminUserCreateView(AdminUserRequiredMixin,
+class AdminUserCreateView(PermissionsMixin,
                           SuccessMessageMixin,
                           CreateView):
     model = AdminUser
@@ -41,6 +42,7 @@ class AdminUserCreateView(AdminUserRequiredMixin,
     template_name = 'assets/admin_user_create_update.html'
     success_url = reverse_lazy('assets:admin-user-list')
     success_message = create_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -51,12 +53,13 @@ class AdminUserCreateView(AdminUserRequiredMixin,
         return super().get_context_data(**kwargs)
 
 
-class AdminUserUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
+class AdminUserUpdateView(PermissionsMixin, SuccessMessageMixin, UpdateView):
     model = AdminUser
     form_class = forms.AdminUserForm
     template_name = 'assets/admin_user_create_update.html'
     success_url = reverse_lazy('assets:admin-user-list')
     success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -67,11 +70,12 @@ class AdminUserUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateVie
         return super().get_context_data(**kwargs)
 
 
-class AdminUserDetailView(AdminUserRequiredMixin, DetailView):
+class AdminUserDetailView(PermissionsMixin, DetailView):
     model = AdminUser
     template_name = 'assets/admin_user_detail.html'
     context_object_name = 'admin_user'
     object = None
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -83,11 +87,12 @@ class AdminUserDetailView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class AdminUserAssetsView(AdminUserRequiredMixin, SingleObjectMixin, ListView):
+class AdminUserAssetsView(PermissionsMixin, SingleObjectMixin, ListView):
     paginate_by = settings.DISPLAY_PER_PAGE
     template_name = 'assets/admin_user_assets.html'
     context_object_name = 'admin_user'
     object = None
+    permission_classes = [IsOrgAdmin]
 
     def get(self, request, *args, **kwargs):
         self.object = self.get_object(queryset=AdminUser.objects.all())
@@ -108,9 +113,10 @@ class AdminUserAssetsView(AdminUserRequiredMixin, SingleObjectMixin, ListView):
         return super().get_context_data(**kwargs)
 
 
-class AdminUserDeleteView(AdminUserRequiredMixin, DeleteView):
+class AdminUserDeleteView(PermissionsMixin, DeleteView):
     model = AdminUser
     template_name = 'delete_confirm.html'
     success_url = reverse_lazy('assets:admin-user-list')
+    permission_classes = [IsOrgAdmin]
 
 

apps/assets/views/asset.py

@@ -27,7 +27,7 @@ from django.forms.formsets import formset_factory
 
 from common.mixins import JSONResponseMixin
 from common.utils import get_object_or_none, get_logger
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin ,IsOrgAdmin
 from common.const import (
     create_success_msg, update_success_msg, KEY_CACHE_RESOURCES_ID
 )
@@ -43,8 +43,9 @@ __all__ = [
 logger = get_logger(__file__)
 
 
-class AssetListView(AdminUserRequiredMixin, TemplateView):
+class AssetListView(PermissionsMixin, TemplateView):
     template_name = 'assets/asset_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         Node.root()
@@ -58,10 +59,11 @@ class AssetListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class AssetUserListView(AdminUserRequiredMixin, DetailView):
+class AssetUserListView(PermissionsMixin, DetailView):
     model = Asset
     context_object_name = 'asset'
     template_name = 'assets/asset_asset_user_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -85,11 +87,12 @@ class UserAssetListView(LoginRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class AssetCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
+class AssetCreateView(PermissionsMixin, SuccessMessageMixin, CreateView):
     model = Asset
     form_class = forms.AssetCreateForm
     template_name = 'assets/asset_create.html'
     success_url = reverse_lazy('assets:asset-list')
+    permission_classes = [IsOrgAdmin]
 
     def get_form(self, form_class=None):
         form = super().get_form(form_class=form_class)
@@ -133,7 +136,7 @@ class AssetCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
         return create_success_msg % ({"name": cleaned_data["hostname"]})
 
 
-class AssetBulkUpdateView(AdminUserRequiredMixin, ListView):
+class AssetBulkUpdateView(PermissionsMixin, ListView):
     model = Asset
     form_class = forms.AssetBulkUpdateForm
     template_name = 'assets/asset_bulk_update.html'
@@ -141,6 +144,7 @@ class AssetBulkUpdateView(AdminUserRequiredMixin, ListView):
     success_message = _("Bulk update asset success")
     id_list = None
     form = None
+    permission_classes = [IsOrgAdmin]
 
     def get(self, request, *args, **kwargs):
         spm = request.GET.get('spm', '')
@@ -173,11 +177,12 @@ class AssetBulkUpdateView(AdminUserRequiredMixin, ListView):
         return super().get_context_data(**kwargs)
 
 
-class AssetUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
+class AssetUpdateView(PermissionsMixin, SuccessMessageMixin, UpdateView):
     model = Asset
     form_class = forms.AssetUpdateForm
     template_name = 'assets/asset_update.html'
     success_url = reverse_lazy('assets:asset-list')
+    permission_classes = [IsOrgAdmin]
 
     def get_protocol_formset(self):
         ProtocolFormset = formset_factory(forms.ProtocolForm, extra=0, min_num=1, max_num=5)
@@ -202,10 +207,11 @@ class AssetUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
         return update_success_msg % ({"name": cleaned_data["hostname"]})
 
 
-class AssetDeleteView(AdminUserRequiredMixin, DeleteView):
+class AssetDeleteView(PermissionsMixin, DeleteView):
     model = Asset
     template_name = 'delete_confirm.html'
     success_url = reverse_lazy('assets:asset-list')
+    permission_classes = [IsOrgAdmin]
 
 
 class AssetDetailView(LoginRequiredMixin, DetailView):
@@ -272,8 +278,9 @@ class AssetExportView(LoginRequiredMixin, View):
         return JsonResponse({'redirect': url})
 
 
-class BulkImportAssetView(AdminUserRequiredMixin, JSONResponseMixin, FormView):
+class BulkImportAssetView(PermissionsMixin, JSONResponseMixin, FormView):
     form_class = forms.FileForm
+    permission_classes = [IsOrgAdmin]
 
     def form_valid(self, form):
         node_id = self.request.GET.get("node_id")

apps/assets/views/cmd_filter.py

@@ -8,7 +8,7 @@ from django.utils.translation import ugettext_lazy as _
 from django.urls import reverse_lazy
 from django.shortcuts import get_object_or_404, reverse
 
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from common.const import create_success_msg, update_success_msg
 from ..models import CommandFilter, CommandFilterRule, SystemUser
 from ..forms import CommandFilterForm, CommandFilterRuleForm
@@ -22,8 +22,9 @@ __all__ = (
 )
 
 
-class CommandFilterListView(AdminUserRequiredMixin, TemplateView):
+class CommandFilterListView(PermissionsMixin, TemplateView):
     template_name = 'assets/cmd_filter_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -34,12 +35,13 @@ class CommandFilterListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class CommandFilterCreateView(AdminUserRequiredMixin, CreateView):
+class CommandFilterCreateView(PermissionsMixin, CreateView):
     model = CommandFilter
     template_name = 'assets/cmd_filter_create_update.html'
     form_class = CommandFilterForm
     success_url = reverse_lazy('assets:cmd-filter-list')
     success_message = create_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -50,12 +52,13 @@ class CommandFilterCreateView(AdminUserRequiredMixin, CreateView):
         return super().get_context_data(**kwargs)
 
 
-class CommandFilterUpdateView(AdminUserRequiredMixin, UpdateView):
+class CommandFilterUpdateView(PermissionsMixin, UpdateView):
     model = CommandFilter
     template_name = 'assets/cmd_filter_create_update.html'
     form_class = CommandFilterForm
     success_url = reverse_lazy('assets:cmd-filter-list')
     success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -66,9 +69,10 @@ class CommandFilterUpdateView(AdminUserRequiredMixin, UpdateView):
         return super().get_context_data(**kwargs)
 
 
-class CommandFilterDetailView(AdminUserRequiredMixin, DetailView):
+class CommandFilterDetailView(PermissionsMixin, DetailView):
     model = CommandFilter
     template_name = 'assets/cmd_filter_detail.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         system_users_remain = SystemUser.objects\
@@ -83,10 +87,11 @@ class CommandFilterDetailView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class CommandFilterRuleListView(AdminUserRequiredMixin, SingleObjectMixin, TemplateView):
+class CommandFilterRuleListView(PermissionsMixin, SingleObjectMixin, TemplateView):
     template_name = 'assets/cmd_filter_rule_list.html'
     model = CommandFilter
     object = None
+    permission_classes = [IsOrgAdmin]
 
     def get(self, request, *args, **kwargs):
         self.object = self.get_object(queryset=self.model.objects.all())
@@ -102,12 +107,13 @@ class CommandFilterRuleListView(AdminUserRequiredMixin, SingleObjectMixin, Templ
         return super().get_context_data(**kwargs)
 
 
-class CommandFilterRuleCreateView(AdminUserRequiredMixin, CreateView):
+class CommandFilterRuleCreateView(PermissionsMixin, CreateView):
     template_name = 'assets/cmd_filter_rule_create_update.html'
     model = CommandFilterRule
     form_class = CommandFilterRuleForm
     success_message = create_success_msg
     cmd_filter = None
+    permission_classes = [IsOrgAdmin]
 
     def get_success_url(self):
         return reverse('assets:cmd-filter-rule-list', kwargs={
@@ -135,12 +141,13 @@ class CommandFilterRuleCreateView(AdminUserRequiredMixin, CreateView):
         return super().get_context_data(**kwargs)
 
 
-class CommandFilterRuleUpdateView(AdminUserRequiredMixin, UpdateView):
+class CommandFilterRuleUpdateView(PermissionsMixin, UpdateView):
     template_name = 'assets/cmd_filter_rule_create_update.html'
     model = CommandFilterRule
     form_class = CommandFilterRuleForm
     success_message = create_success_msg
     cmd_filter = None
+    permission_classes = [IsOrgAdmin]
 
     def get_success_url(self):
         return reverse('assets:cmd-filter-rule-list', kwargs={

apps/assets/views/domain.py

@@ -7,7 +7,7 @@ from django.views.generic.detail import SingleObjectMixin
 from django.utils.translation import ugettext_lazy as _
 from django.urls import reverse_lazy, reverse
 
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin ,IsOrgAdmin
 from common.const import create_success_msg, update_success_msg
 from common.utils import get_object_or_none
 from ..models import Domain, Gateway
@@ -21,8 +21,9 @@ __all__ = (
 )
 
 
-class DomainListView(AdminUserRequiredMixin, TemplateView):
+class DomainListView(PermissionsMixin, TemplateView):
     template_name = 'assets/domain_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -33,12 +34,13 @@ class DomainListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class DomainCreateView(AdminUserRequiredMixin, CreateView):
+class DomainCreateView(PermissionsMixin, CreateView):
     model = Domain
     template_name = 'assets/domain_create_update.html'
     form_class = DomainForm
     success_url = reverse_lazy('assets:domain-list')
     success_message = create_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -49,12 +51,13 @@ class DomainCreateView(AdminUserRequiredMixin, CreateView):
         return super().get_context_data(**kwargs)
 
 
-class DomainUpdateView(AdminUserRequiredMixin, UpdateView):
+class DomainUpdateView(PermissionsMixin, UpdateView):
     model = Domain
     template_name = 'assets/domain_create_update.html'
     form_class = DomainForm
     success_url = reverse_lazy('assets:domain-list')
     success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -65,9 +68,10 @@ class DomainUpdateView(AdminUserRequiredMixin, UpdateView):
         return super().get_context_data(**kwargs)
 
 
-class DomainDetailView(AdminUserRequiredMixin, DetailView):
+class DomainDetailView(PermissionsMixin, DetailView):
     model = Domain
     template_name = 'assets/domain_detail.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -78,16 +82,18 @@ class DomainDetailView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class DomainDeleteView(AdminUserRequiredMixin, DeleteView):
+class DomainDeleteView(PermissionsMixin, DeleteView):
     model = Domain
     template_name = 'delete_confirm.html'
     success_url = reverse_lazy('assets:domain-list')
+    permission_classes = [IsOrgAdmin]
 
 
-class DomainGatewayListView(AdminUserRequiredMixin, SingleObjectMixin, TemplateView):
+class DomainGatewayListView(PermissionsMixin, SingleObjectMixin, TemplateView):
     template_name = 'assets/domain_gateway_list.html'
     model = Domain
     object = None
+    permission_classes = [IsOrgAdmin]
 
     def get(self, request, *args, **kwargs):
         self.object = self.get_object(queryset=self.model.objects.all())
@@ -103,11 +109,12 @@ class DomainGatewayListView(AdminUserRequiredMixin, SingleObjectMixin, TemplateV
         return super().get_context_data(**kwargs)
 
 
-class DomainGatewayCreateView(AdminUserRequiredMixin, CreateView):
+class DomainGatewayCreateView(PermissionsMixin, CreateView):
     model = Gateway
     template_name = 'assets/gateway_create_update.html'
     form_class = GatewayForm
     success_message = create_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_success_url(self):
         domain = self.object.domain
@@ -130,11 +137,12 @@ class DomainGatewayCreateView(AdminUserRequiredMixin, CreateView):
         return super().get_context_data(**kwargs)
 
 
-class DomainGatewayUpdateView(AdminUserRequiredMixin, UpdateView):
+class DomainGatewayUpdateView(PermissionsMixin, UpdateView):
     model = Gateway
     template_name = 'assets/gateway_create_update.html'
     form_class = GatewayForm
     success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_success_url(self):
         domain = self.object.domain

apps/assets/views/label.py

@@ -6,7 +6,7 @@ from django.views.generic import TemplateView, CreateView, \
 from django.utils.translation import ugettext_lazy as _
 from django.urls import reverse_lazy
 
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from common.const import create_success_msg, update_success_msg
 from ..models import Label
 from ..forms import LabelForm
@@ -18,8 +18,9 @@ __all__ = (
 )
 
 
-class LabelListView(AdminUserRequiredMixin, TemplateView):
+class LabelListView(PermissionsMixin, TemplateView):
     template_name = 'assets/label_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -30,13 +31,14 @@ class LabelListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class LabelCreateView(AdminUserRequiredMixin, CreateView):
+class LabelCreateView(PermissionsMixin, CreateView):
     model = Label
     template_name = 'assets/label_create_update.html'
     form_class = LabelForm
     success_url = reverse_lazy('assets:label-list')
     success_message = create_success_msg
     disable_name = ['draw', 'search', 'limit', 'offset', '_']
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -57,12 +59,13 @@ class LabelCreateView(AdminUserRequiredMixin, CreateView):
         return super().form_valid(form)
 
 
-class LabelUpdateView(AdminUserRequiredMixin, UpdateView):
+class LabelUpdateView(PermissionsMixin, UpdateView):
     model = Label
     template_name = 'assets/label_create_update.html'
     form_class = LabelForm
     success_url = reverse_lazy('assets:label-list')
     success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -73,11 +76,12 @@ class LabelUpdateView(AdminUserRequiredMixin, UpdateView):
         return super().get_context_data(**kwargs)
 
 
-class LabelDetailView(AdminUserRequiredMixin, DetailView):
+class LabelDetailView(PermissionsMixin, DetailView):
     pass
 
 
-class LabelDeleteView(AdminUserRequiredMixin, DeleteView):
+class LabelDeleteView(PermissionsMixin, DeleteView):
     model = Label
     template_name = 'delete_confirm.html'
     success_url = reverse_lazy('assets:label-list')
+    permission_classes = [IsOrgAdmin]

apps/assets/views/system_user.py

@@ -10,7 +10,7 @@ from django.views.generic.detail import DetailView
 from common.const import create_success_msg, update_success_msg
 from ..forms import SystemUserForm
 from ..models import SystemUser, Node, CommandFilter
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 
 
 __all__ = [
@@ -20,8 +20,9 @@ __all__ = [
 ]
 
 
-class SystemUserListView(AdminUserRequiredMixin, TemplateView):
+class SystemUserListView(PermissionsMixin, TemplateView):
     template_name = 'assets/system_user_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -32,12 +33,13 @@ class SystemUserListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class SystemUserCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
+class SystemUserCreateView(PermissionsMixin, SuccessMessageMixin, CreateView):
     model = SystemUser
     form_class = SystemUserForm
     template_name = 'assets/system_user_create.html'
     success_url = reverse_lazy('assets:system-user-list')
     success_message = create_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -48,12 +50,13 @@ class SystemUserCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateVi
         return super().get_context_data(**kwargs)
 
 
-class SystemUserUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
+class SystemUserUpdateView(PermissionsMixin, SuccessMessageMixin, UpdateView):
     model = SystemUser
     form_class = SystemUserForm
     template_name = 'assets/system_user_update.html'
     success_url = reverse_lazy('assets:system-user-list')
     success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -64,10 +67,11 @@ class SystemUserUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateVi
         return super().get_context_data(**kwargs)
 
 
-class SystemUserDetailView(AdminUserRequiredMixin, DetailView):
+class SystemUserDetailView(PermissionsMixin, DetailView):
     template_name = 'assets/system_user_detail.html'
     context_object_name = 'system_user'
     model = SystemUser
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -79,16 +83,18 @@ class SystemUserDetailView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class SystemUserDeleteView(AdminUserRequiredMixin, DeleteView):
+class SystemUserDeleteView(PermissionsMixin, DeleteView):
     model = SystemUser
     template_name = 'delete_confirm.html'
     success_url = reverse_lazy('assets:system-user-list')
+    permission_classes = [IsOrgAdmin]
 
 
-class SystemUserAssetView(AdminUserRequiredMixin, DetailView):
+class SystemUserAssetView(PermissionsMixin, DetailView):
     model = SystemUser
     template_name = 'assets/system_user_asset.html'
     context_object_name = 'system_user'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         nodes_remain = sorted(Node.objects.exclude(systemuser=self.object), reverse=True)

apps/audits/api.py

@@ -3,7 +3,7 @@
 
 from rest_framework import viewsets
 
-from common.permissions import IsOrgAdminOrAppUser
+from common.permissions import IsOrgAdminOrAppUser, IsAuditor
 from .models import FTPLog
 from .serializers import FTPLogSerializer
 
@@ -11,4 +11,4 @@ from .serializers import FTPLogSerializer
 class FTPLogViewSet(viewsets.ModelViewSet):
     queryset = FTPLog.objects.all()
     serializer_class = FTPLogSerializer
-    permission_classes = (IsOrgAdminOrAppUser,)
+    permission_classes = (IsOrgAdminOrAppUser | IsAuditor,)

apps/audits/views.py

@@ -19,7 +19,7 @@ from django.db.models import Q
 
 from audits.utils import get_excel_response, write_content_to_excel
 from common.mixins import DatetimeSearchMixin
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin, IsAuditor
 
 from orgs.utils import current_org
 from ops.views import CommandExecutionListView as UserCommandExecutionListView
@@ -42,12 +42,13 @@ def get_resource_type_list():
     return [model._meta.verbose_name for model in models]
 
 
-class FTPLogListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
+class FTPLogListView(PermissionsMixin, DatetimeSearchMixin, ListView):
     model = FTPLog
     template_name = 'audits/ftp_log_list.html'
     paginate_by = settings.DISPLAY_PER_PAGE
     user = asset = system_user = filename = ''
     date_from = date_to = None
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     def get_queryset(self):
         self.queryset = super().get_queryset()
@@ -89,13 +90,14 @@ class FTPLogListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
         return super().get_context_data(**kwargs)
 
 
-class OperateLogListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
+class OperateLogListView(PermissionsMixin, DatetimeSearchMixin, ListView):
     model = OperateLog
     template_name = 'audits/operate_log_list.html'
     paginate_by = settings.DISPLAY_PER_PAGE
     user = action = resource_type = ''
     date_from = date_to = None
     actions_dict = dict(OperateLog.ACTION_CHOICES)
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     def get_queryset(self):
         self.queryset = super().get_queryset()
@@ -124,7 +126,6 @@ class OperateLogListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
             'date_from': self.date_from,
             'date_to': self.date_to,
             'user': self.user,
-            'action': self.action,
             'resource_type': self.resource_type,
             "app": _("Audits"),
             "action": _("Operate log"),
@@ -133,12 +134,13 @@ class OperateLogListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
         return super().get_context_data(**kwargs)
 
 
-class PasswordChangeLogList(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
+class PasswordChangeLogList(PermissionsMixin, DatetimeSearchMixin, ListView):
     model = PasswordChangeLog
     template_name = 'audits/password_change_log_list.html'
     paginate_by = settings.DISPLAY_PER_PAGE
     user = ''
     date_from = date_to = None
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     def get_queryset(self):
         users = current_org.get_org_users()
@@ -169,12 +171,13 @@ class PasswordChangeLogList(AdminUserRequiredMixin, DatetimeSearchMixin, ListVie
         return super().get_context_data(**kwargs)
 
 
-class LoginLogListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
+class LoginLogListView(PermissionsMixin, DatetimeSearchMixin, ListView):
     template_name = 'audits/login_log_list.html'
     model = UserLoginLog
     paginate_by = settings.DISPLAY_PER_PAGE
     user = keyword = ""
     date_to = date_from = None
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     @staticmethod
     def get_org_users():

apps/common/permissions.py

@@ -27,6 +27,12 @@ class IsAppUser(IsValidUser):
             and request.user.is_app
 
 
+class IsAuditor(IsValidUser):
+    def has_permission(self, request, view):
+        return super(IsAuditor, self).has_permission(request, view) \
+               and request.user.is_auditor
+
+
 class IsSuperUser(IsValidUser):
     def has_permission(self, request, view):
         return super(IsSuperUser, self).has_permission(request, view) \
@@ -115,3 +121,14 @@ class WithBootstrapToken(permissions.BasePermission):
             return False
         request_bootstrap_token = authorization.split()[-1]
         return settings.BOOTSTRAP_TOKEN == request_bootstrap_token
+
+
+class PermissionsMixin(UserPassesTestMixin):
+    permission_classes = []
+
+    def test_func(self):
+        permission_classes = self.permission_classes
+        for permission_class in permission_classes:
+            if not permission_class().has_permission(self.request, self):
+                return False
+        return True

apps/jumpserver/views.py

@@ -31,6 +31,8 @@ class IndexView(LoginRequiredMixin, TemplateView):
     def dispatch(self, request, *args, **kwargs):
         if not request.user.is_authenticated:
             return self.handle_no_permission()
+        if request.user.is_auditor:
+            return super(IndexView, self).dispatch(request, *args, **kwargs)
         if not request.user.is_org_admin:
             return redirect('assets:user-asset-list')
         if not current_org or not current_org.can_admin_by(request.user):

apps/ops/views/adhoc.py

@@ -5,7 +5,7 @@ from django.conf import settings
 from django.views.generic import ListView, DetailView
 
 from common.mixins import DatetimeSearchMixin
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from orgs.utils import current_org
 from ..models import Task, AdHoc, AdHocRunHistory
 
@@ -17,13 +17,14 @@ __all__ = [
 ]
 
 
-class TaskListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
+class TaskListView(PermissionsMixin, DatetimeSearchMixin, ListView):
     paginate_by = settings.DISPLAY_PER_PAGE
     model = Task
     ordering = ('-date_created',)
     context_object_name = 'task_list'
     template_name = 'ops/task_list.html'
     keyword = ''
+    permission_classes = [IsOrgAdmin]
 
     def get_queryset(self):
         queryset = super().get_queryset()
@@ -51,9 +52,10 @@ class TaskListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
         return super().get_context_data(**kwargs)
 
 
-class TaskDetailView(AdminUserRequiredMixin, DetailView):
+class TaskDetailView(PermissionsMixin, DetailView):
     model = Task
     template_name = 'ops/task_detail.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_queryset(self):
         queryset = super().get_queryset()
@@ -73,9 +75,10 @@ class TaskDetailView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class TaskAdhocView(AdminUserRequiredMixin, DetailView):
+class TaskAdhocView(PermissionsMixin, DetailView):
     model = Task
     template_name = 'ops/task_adhoc.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -86,9 +89,10 @@ class TaskAdhocView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class TaskHistoryView(AdminUserRequiredMixin, DetailView):
+class TaskHistoryView(PermissionsMixin, DetailView):
     model = Task
     template_name = 'ops/task_history.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -99,9 +103,10 @@ class TaskHistoryView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class AdHocDetailView(AdminUserRequiredMixin, DetailView):
+class AdHocDetailView(PermissionsMixin, DetailView):
     model = AdHoc
     template_name = 'ops/adhoc_detail.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -112,9 +117,10 @@ class AdHocDetailView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class AdHocHistoryView(AdminUserRequiredMixin, DetailView):
+class AdHocHistoryView(PermissionsMixin, DetailView):
     model = AdHoc
     template_name = 'ops/adhoc_history.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -125,9 +131,10 @@ class AdHocHistoryView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class AdHocHistoryDetailView(AdminUserRequiredMixin, DetailView):
+class AdHocHistoryDetailView(PermissionsMixin, DetailView):
     model = AdHocRunHistory
     template_name = 'ops/adhoc_history_detail.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {

apps/ops/views/celery.py

@@ -2,14 +2,15 @@
 #
 from django.views.generic import TemplateView
 
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin, IsAuditor
 
 
 __all__ = ['CeleryTaskLogView']
 
 
-class CeleryTaskLogView(AdminUserRequiredMixin, TemplateView):
+class CeleryTaskLogView(PermissionsMixin, TemplateView):
     template_name = 'ops/celery_task_log.html'
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)

apps/ops/views/command.py

@@ -5,7 +5,9 @@ from django.utils.translation import ugettext as _
 from django.conf import settings
 from django.views.generic import ListView, TemplateView
 
-from common.permissions import AdminUserRequiredMixin, LoginRequiredMixin
+from common.permissions import (
+    LoginRequiredMixin, PermissionsMixin, IsOrgAdmin, IsAuditor
+)
 from common.mixins import DatetimeSearchMixin
 from ..models import CommandExecution
 from ..forms import CommandExecutionForm
@@ -16,13 +18,14 @@ __all__ = [
 ]
 
 
-class CommandExecutionListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
+class CommandExecutionListView(PermissionsMixin, DatetimeSearchMixin, ListView):
     template_name = 'ops/command_execution_list.html'
     model = CommandExecution
     paginate_by = settings.DISPLAY_PER_PAGE
     ordering = ('-date_created',)
     context_object_name = 'task_list'
     keyword = ''
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     def _get_queryset(self):
         self.keyword = self.request.GET.get('keyword', '')

apps/orgs/models.py

@@ -96,7 +96,7 @@ class Organization(models.Model):
         admin_orgs = []
         if user.is_anonymous:
             return admin_orgs
-        elif user.is_superuser:
+        elif user.is_superuser or user.is_auditor:
             admin_orgs = list(cls.objects.all())
             admin_orgs.append(cls.default())
         elif user.is_org_admin:

apps/perms/hands.py

 # ~*~ coding: utf-8 ~*~
 #
 
-from common.permissions import AdminUserRequiredMixin
 from users.models import User, UserGroup
 from assets.models import Asset, SystemUser, Node
 from assets.serializers import (

apps/perms/views/asset_permission.py

@@ -8,7 +8,7 @@ from django.views.generic.edit import DeleteView, SingleObjectMixin
 from django.urls import reverse_lazy
 from django.conf import settings
 
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from orgs.utils import current_org
 from perms.hands import Node, Asset, SystemUser, User, UserGroup
 from perms.models import AssetPermission, Action
@@ -25,8 +25,9 @@ __all__ = [
 ]
 
 
-class AssetPermissionListView(AdminUserRequiredMixin, TemplateView):
+class AssetPermissionListView(PermissionsMixin, TemplateView):
     template_name = 'perms/asset_permission_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -37,11 +38,12 @@ class AssetPermissionListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class AssetPermissionCreateView(AdminUserRequiredMixin, CreateView):
+class AssetPermissionCreateView(PermissionsMixin, CreateView):
     model = AssetPermission
     form_class = AssetPermissionForm
     template_name = 'perms/asset_permission_create_update.html'
     success_url = reverse_lazy('perms:asset-permission-list')
+    permission_classes = [IsOrgAdmin]
 
     def get_form(self, form_class=None):
         form = super().get_form(form_class=form_class)
@@ -69,11 +71,12 @@ class AssetPermissionCreateView(AdminUserRequiredMixin, CreateView):
         return super().get_context_data(**kwargs)
 
 
-class AssetPermissionUpdateView(AdminUserRequiredMixin, UpdateView):
+class AssetPermissionUpdateView(PermissionsMixin, UpdateView):
     model = AssetPermission
     form_class = AssetPermissionForm
     template_name = 'perms/asset_permission_create_update.html'
     success_url = reverse_lazy("perms:asset-permission-list")
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -84,11 +87,12 @@ class AssetPermissionUpdateView(AdminUserRequiredMixin, UpdateView):
         return super().get_context_data(**kwargs)
 
 
-class AssetPermissionDetailView(AdminUserRequiredMixin, DetailView):
+class AssetPermissionDetailView(PermissionsMixin, DetailView):
     model = AssetPermission
     form_class = AssetPermissionForm
     template_name = 'perms/asset_permission_detail.html'
     success_url = reverse_lazy("perms:asset-permission-list")
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -102,19 +106,21 @@ class AssetPermissionDetailView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class AssetPermissionDeleteView(AdminUserRequiredMixin, DeleteView):
+class AssetPermissionDeleteView(PermissionsMixin, DeleteView):
     model = AssetPermission
     template_name = 'delete_confirm.html'
     success_url = reverse_lazy('perms:asset-permission-list')
+    permission_classes = [IsOrgAdmin]
 
 
-class AssetPermissionUserView(AdminUserRequiredMixin,
+class AssetPermissionUserView(PermissionsMixin,
                               SingleObjectMixin,
                               ListView):
     template_name = 'perms/asset_permission_user.html'
     context_object_name = 'asset_permission'
     paginate_by = settings.DISPLAY_PER_PAGE
     object = None
+    permission_classes = [IsOrgAdmin]
 
     def get(self, request, *args, **kwargs):
         self.object = self.get_object(queryset=AssetPermission.objects.all())
@@ -140,13 +146,14 @@ class AssetPermissionUserView(AdminUserRequiredMixin,
         return super().get_context_data(**kwargs)
 
 
-class AssetPermissionAssetView(AdminUserRequiredMixin,
+class AssetPermissionAssetView(PermissionsMixin,
                                SingleObjectMixin,
                                ListView):
     template_name = 'perms/asset_permission_asset.html'
     context_object_name = 'asset_permission'
     paginate_by = settings.DISPLAY_PER_PAGE
     object = None
+    permission_classes = [IsOrgAdmin]
 
     def get(self, request, *args, **kwargs):
         self.object = self.get_object(queryset = AssetPermission.objects.all())

apps/perms/views/remote_app_permission.py

@@ -9,7 +9,7 @@ from django.views.generic import (
 from django.views.generic.edit import SingleObjectMixin
 from django.conf import settings
 
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from orgs.utils import current_org
 
 from ..hands import RemoteApp, UserGroup
@@ -24,8 +24,9 @@ __all__ = [
 ]
 
 
-class RemoteAppPermissionListView(AdminUserRequiredMixin, TemplateView):
+class RemoteAppPermissionListView(PermissionsMixin, TemplateView):
     template_name = 'perms/remote_app_permission_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -36,11 +37,12 @@ class RemoteAppPermissionListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class RemoteAppPermissionCreateView(AdminUserRequiredMixin, CreateView):
+class RemoteAppPermissionCreateView(PermissionsMixin, CreateView):
     template_name = 'perms/remote_app_permission_create_update.html'
     model = RemoteAppPermission
     form_class = RemoteAppPermissionCreateUpdateForm
     success_url = reverse_lazy('perms:remote-app-permission-list')
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -51,11 +53,12 @@ class RemoteAppPermissionCreateView(AdminUserRequiredMixin, CreateView):
         return super().get_context_data(**kwargs)
 
 
-class RemoteAppPermissionUpdateView(AdminUserRequiredMixin, UpdateView):
+class RemoteAppPermissionUpdateView(PermissionsMixin, UpdateView):
     template_name = 'perms/remote_app_permission_create_update.html'
     model = RemoteAppPermission
     form_class = RemoteAppPermissionCreateUpdateForm
     success_url = reverse_lazy('perms:remote-app-permission-list')
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -66,9 +69,10 @@ class RemoteAppPermissionUpdateView(AdminUserRequiredMixin, UpdateView):
         return super().get_context_data(**kwargs)
 
 
-class RemoteAppPermissionDetailView(AdminUserRequiredMixin, DetailView):
+class RemoteAppPermissionDetailView(PermissionsMixin, DetailView):
     template_name = 'perms/remote_app_permission_detail.html'
     model = RemoteAppPermission
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -79,13 +83,14 @@ class RemoteAppPermissionDetailView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class RemoteAppPermissionUserView(AdminUserRequiredMixin,
+class RemoteAppPermissionUserView(PermissionsMixin,
                                   SingleObjectMixin,
                                   ListView):
     template_name = 'perms/remote_app_permission_user.html'
     context_object_name = 'remote_app_permission'
     paginate_by = settings.DISPLAY_PER_PAGE
     object = None
+    permission_classes = [IsOrgAdmin]
 
     def get(self, request, *args, **kwargs):
         self.object = self.get_object(
@@ -111,13 +116,14 @@ class RemoteAppPermissionUserView(AdminUserRequiredMixin,
         return super().get_context_data(**kwargs)
 
 
-class RemoteAppPermissionRemoteAppView(AdminUserRequiredMixin,
+class RemoteAppPermissionRemoteAppView(PermissionsMixin,
                                        SingleObjectMixin,
                                        ListView):
     template_name = 'perms/remote_app_permission_remote_app.html'
     context_object_name = 'remote_app_permission'
     paginate_by = settings.DISPLAY_PER_PAGE
     object = None
+    permission_classes = [IsOrgAdmin]
 
     def get(self, request, *args, **kwargs):
         self.object = self.get_object(

apps/settings/views.py

@@ -3,15 +3,16 @@ from django.shortcuts import render, redirect
 from django.contrib import messages
 from django.utils.translation import ugettext as _
 
-from common.permissions import SuperUserRequiredMixin
+from common.permissions import PermissionsMixin, IsSuperUser
 from common import utils
 from .forms import EmailSettingForm, LDAPSettingForm, BasicSettingForm, \
     TerminalSettingForm, SecuritySettingForm, EmailContentSettingForm
 
 
-class BasicSettingView(SuperUserRequiredMixin, TemplateView):
+class BasicSettingView(PermissionsMixin, TemplateView):
     form_class = BasicSettingForm
     template_name = "settings/basic_setting.html"
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -35,9 +36,10 @@ class BasicSettingView(SuperUserRequiredMixin, TemplateView):
             return render(request, self.template_name, context)
 
 
-class EmailSettingView(SuperUserRequiredMixin, TemplateView):
+class EmailSettingView(PermissionsMixin, TemplateView):
     form_class = EmailSettingForm
     template_name = "settings/email_setting.html"
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -61,9 +63,10 @@ class EmailSettingView(SuperUserRequiredMixin, TemplateView):
             return render(request, self.template_name, context)
 
 
-class LDAPSettingView(SuperUserRequiredMixin, TemplateView):
+class LDAPSettingView(PermissionsMixin, TemplateView):
     form_class = LDAPSettingForm
     template_name = "settings/ldap_setting.html"
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -87,9 +90,10 @@ class LDAPSettingView(SuperUserRequiredMixin, TemplateView):
             return render(request, self.template_name, context)
 
 
-class TerminalSettingView(SuperUserRequiredMixin, TemplateView):
+class TerminalSettingView(PermissionsMixin, TemplateView):
     form_class = TerminalSettingForm
     template_name = "settings/terminal_setting.html"
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         command_storage = utils.get_command_storage_setting()
@@ -118,8 +122,9 @@ class TerminalSettingView(SuperUserRequiredMixin, TemplateView):
             return render(request, self.template_name, context)
 
 
-class ReplayStorageCreateView(SuperUserRequiredMixin, TemplateView):
+class ReplayStorageCreateView(PermissionsMixin, TemplateView):
     template_name = 'settings/replay_storage_create.html'
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -130,8 +135,9 @@ class ReplayStorageCreateView(SuperUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class CommandStorageCreateView(SuperUserRequiredMixin, TemplateView):
+class CommandStorageCreateView(PermissionsMixin, TemplateView):
     template_name = 'settings/command_storage_create.html'
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -142,9 +148,10 @@ class CommandStorageCreateView(SuperUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class SecuritySettingView(SuperUserRequiredMixin, TemplateView):
+class SecuritySettingView(PermissionsMixin, TemplateView):
     form_class = SecuritySettingForm
     template_name = "settings/security_setting.html"
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -168,9 +175,10 @@ class SecuritySettingView(SuperUserRequiredMixin, TemplateView):
             return render(request, self.template_name, context)
 
 
-class EmailContentSettingView(SuperUserRequiredMixin, TemplateView):
+class EmailContentSettingView(PermissionsMixin, TemplateView):
     template_name = "settings/email_content_setting.html"
     form_class = EmailContentSettingForm
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = {

apps/templates/_left_side_bar.html

@@ -4,6 +4,8 @@
             {% include '_user_profile.html' %}
             {% if request.user.is_org_admin and request.COOKIES.IN_ADMIN_PAGE != "No" %}
                 {% include '_nav.html' %}
+            {% elif request.user.is_auditor %}
+                {% include '_nav_audits.html' %}
             {% else %}
                 {% include '_nav_user.html' %}
             {% endif %}

apps/templates/_nav_audits.html

+{% load i18n %}
+<li id="index">
+    <a href="{% url 'index' %}">
+        <i class="fa fa-dashboard" style="width: 14px"></i> <span class="nav-label">{% trans 'Dashboard' %}</span>
+        <span class="label label-info pull-right"></span>
+    </a>
+</li>
+
+<li id="terminal">
+    <a>
+        <i class="fa fa-rocket" style="width: 14px"></i> <span class="nav-label">{% trans 'Sessions' %}</span><span class="fa arrow"></span>
+    </a>
+    <ul class="nav nav-second-level">
+        <li id="session-online"><a href="{% url 'terminal:session-online-list' %}">{% trans 'Session online' %}</a></li>
+        <li id="session-offline"><a href="{% url 'terminal:session-offline-list' %}">{% trans 'Session offline' %}</a></li>
+        <li id="command"><a href="{% url 'terminal:command-list' %}">{% trans 'Commands' %}</a></li>
+    </ul>
+</li>
+
+<li id="audits">
+    <a>
+        <i class="fa fa-history" style="width: 14px"></i> <span class="nav-label">{% trans 'Audits' %}</span><span class="fa arrow"></span>
+    </a>
+    <ul class="nav nav-second-level">
+        <li id="login-log"><a href="{% url 'audits:login-log-list' %}">{% trans 'Login log' %}</a></li>
+        <li id="ftp-log"><a href="{% url 'audits:ftp-log-list' %}">{% trans 'FTP log' %}</a></li>
+        <li id="operate-log"><a href="{% url 'audits:operate-log-list' %}">{% trans 'Operate log' %}</a></li>
+        <li id="password-change-log"><a href="{% url 'audits:password-change-log-list' %}">{% trans 'Password change log' %}</a></li>
+        <li id="command-execution-log"><a href="{% url 'audits:command-execution-log-list' %}">{% trans 'Batch command' %}</a></li>
+    </ul>
+</li>
\ No newline at end of file

apps/terminal/api/session.py

@@ -15,7 +15,7 @@ import jms_storage
 
 
 from common.utils import is_uuid
-from common.permissions import IsOrgAdminOrAppUser
+from common.permissions import IsOrgAdminOrAppUser, IsAuditor
 from ..hands import SystemUser
 from ..models import Terminal, Session
 from .. import serializers
@@ -30,7 +30,7 @@ class SessionViewSet(BulkModelViewSet):
     queryset = Session.objects.all()
     serializer_class = serializers.SessionSerializer
     pagination_class = LimitOffsetPagination
-    permission_classes = (IsOrgAdminOrAppUser,)
+    permission_classes = (IsOrgAdminOrAppUser | IsAuditor, )
 
     def get_queryset(self):
         queryset = super().get_queryset()
@@ -68,7 +68,7 @@ class CommandViewSet(viewsets.ViewSet):
     """
     command_store = get_command_storage()
     serializer_class = SessionCommandSerializer
-    permission_classes = (IsOrgAdminOrAppUser,)
+    permission_classes = (IsOrgAdminOrAppUser | IsAuditor,)
 
     def get_queryset(self):
         self.command_store.filter(**dict(self.request.query_params))

apps/terminal/templates/terminal/session_list.html

@@ -103,7 +103,7 @@
                 {% if session.is_finished %}
                 <a {% if not session.can_replay %} disabled="" {% endif %} onclick="window.open('/luna/replay/{{ session.id }}','luna', 'height=600, width=800, top=400, left=400, toolbar=no, menubar=no, scrollbars=no, location=no, status=no')" class="btn btn-xs btn-warning btn-replay" >{% trans "Replay" %}</a>
                 {% else %}
-                    {% if session.protocol == 'ssh' %}
+                    {% if session.protocol == 'ssh' and request.user.is_org_admin%}
                         <a class="btn btn-xs btn-danger btn-term" value="{{ session.id }}" terminal="{{ session.terminal.id }}" >{% trans "Terminate" %}</a>
                     {% else %}
                         <a class="btn btn-xs btn-danger btn-term" disabled value="{{ session.id }}" terminal="{{ session.terminal.id }}" >{% trans "Terminate" %}</a>
@@ -115,6 +115,7 @@
 {% endblock %}
 
 {% block content_bottom_left %}
+    {% if  request.user.is_org_admin %}
     <div id="actions" {% if type != "online" %} style="display: none" {% endif %}>
         <div class="input-group">
             <select class="form-control m-b" style="width: auto" id="slct_bulk_update">
@@ -128,6 +129,7 @@
             </div>
         </div>
     </div>
+    {% endif %}
 {% endblock %}
 
 {% block custom_foot_js %}

apps/terminal/views/command.py

@@ -9,7 +9,7 @@ from django.template import loader
 import time
 
 from common.mixins import DatetimeSearchMixin
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin, IsAuditor
 from ..models import Command
 from .. import utils
 from ..backends import get_multi_command_storage
@@ -18,13 +18,14 @@ __all__ = ['CommandListView', 'CommandExportView']
 common_storage = get_multi_command_storage()
 
 
-class CommandListView(DatetimeSearchMixin, AdminUserRequiredMixin, ListView):
+class CommandListView(DatetimeSearchMixin, PermissionsMixin, ListView):
     model = Command
     template_name = "terminal/command_list.html"
     context_object_name = 'command_list'
     paginate_by = settings.DISPLAY_PER_PAGE
     command = user = asset = system_user = ""
     date_from = date_to = None
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     def get_queryset(self):
         self.command = self.request.GET.get('command', '')
@@ -63,10 +64,11 @@ class CommandListView(DatetimeSearchMixin, AdminUserRequiredMixin, ListView):
         return super().get_context_data(**kwargs)
 
 
-class CommandExportView(DatetimeSearchMixin, AdminUserRequiredMixin, View):
+class CommandExportView(DatetimeSearchMixin, PermissionsMixin, View):
     model = Command
     command = user = asset = system_user = action = ''
     date_from = date_to = None
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     def get(self, request, *args, **kwargs):
         queryset = self.get_queryset()

apps/terminal/views/session.py

@@ -7,7 +7,7 @@ from django.utils.translation import ugettext as _
 from django.utils import timezone
 from django.conf import settings
 
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin, IsAuditor
 from common.mixins import DatetimeSearchMixin
 from ..models import Session, Command, Terminal
 from ..backends import get_multi_command_storage
@@ -20,14 +20,14 @@ __all__ = [
 ]
 
 
-
-class SessionListView(AdminUserRequiredMixin, DatetimeSearchMixin, ListView):
+class SessionListView(PermissionsMixin, DatetimeSearchMixin, ListView):
     model = Session
     template_name = 'terminal/session_list.html'
     context_object_name = 'session_list'
     paginate_by = settings.DISPLAY_PER_PAGE
     user = asset = system_user = ''
     date_from = date_to = None
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     def get_queryset(self):
         self.queryset = super().get_queryset()
@@ -97,10 +97,11 @@ class SessionOfflineListView(SessionListView):
         return super().get_context_data(**kwargs)
 
 
-class SessionDetailView(SingleObjectMixin, AdminUserRequiredMixin, ListView):
+class SessionDetailView(SingleObjectMixin, PermissionsMixin, ListView):
     template_name = 'terminal/session_detail.html'
     model = Session
     object = None
+    permission_classes = [IsOrgAdmin | IsAuditor]
 
     def get(self, request, *args, **kwargs):
         self.object = self.get_object(queryset=self.model.objects.all())

apps/terminal/views/terminal.py

@@ -10,7 +10,7 @@ from django.urls import reverse_lazy, reverse
 from common.mixins import JSONResponseMixin
 from ..models import Terminal
 from ..forms import TerminalForm
-from common.permissions import SuperUserRequiredMixin
+from common.permissions import PermissionsMixin, IsSuperUser
 
 
 __all__ = [
@@ -20,10 +20,11 @@ __all__ = [
 ]
 
 
-class TerminalListView(SuperUserRequiredMixin, ListView):
+class TerminalListView(PermissionsMixin, ListView):
     model = Terminal
     template_name = 'terminal/terminal_list.html'
     form_class = TerminalForm
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = super(TerminalListView, self).get_context_data(**kwargs)
@@ -35,11 +36,12 @@ class TerminalListView(SuperUserRequiredMixin, ListView):
         return context
 
 
-class TerminalUpdateView(SuperUserRequiredMixin, UpdateView):
+class TerminalUpdateView(PermissionsMixin, UpdateView):
     model = Terminal
     form_class = TerminalForm
     template_name = 'terminal/terminal_update.html'
     success_url = reverse_lazy('terminal:terminal-list')
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = super(TerminalUpdateView, self).get_context_data(**kwargs)
@@ -47,10 +49,11 @@ class TerminalUpdateView(SuperUserRequiredMixin, UpdateView):
         return context
 
 
-class TerminalDetailView(LoginRequiredMixin, SuperUserRequiredMixin, DetailView):
+class TerminalDetailView(LoginRequiredMixin, PermissionsMixin, DetailView):
     model = Terminal
     template_name = 'terminal/terminal_detail.html'
     context_object_name = 'terminal'
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         context = super(TerminalDetailView, self).get_context_data(**kwargs)
@@ -61,16 +64,18 @@ class TerminalDetailView(LoginRequiredMixin, SuperUserRequiredMixin, DetailView)
         return context
 
 
-class TerminalDeleteView(SuperUserRequiredMixin, DeleteView):
+class TerminalDeleteView(PermissionsMixin, DeleteView):
     model = Terminal
     template_name = 'delete_confirm.html'
     success_url = reverse_lazy('terminal:terminal-list')
+    permission_classes = [IsSuperUser]
 
 
-class TerminalAcceptView(SuperUserRequiredMixin, JSONResponseMixin, UpdateView):
+class TerminalAcceptView(PermissionsMixin, JSONResponseMixin, UpdateView):
     model = Terminal
     form_class = TerminalForm
     template_name = 'terminal/terminal_modal_accept.html'
+    permission_classes = [IsSuperUser]
 
     def form_valid(self, form):
         terminal = form.save()
@@ -92,12 +97,13 @@ class TerminalAcceptView(SuperUserRequiredMixin, JSONResponseMixin, UpdateView):
         return self.render_json_response(data)
 
 
-class TerminalConnectView(LoginRequiredMixin, SuperUserRequiredMixin, DetailView):
+class TerminalConnectView(LoginRequiredMixin, PermissionsMixin, DetailView):
     """
     Abandon
     """
     template_name = 'flash_message_standalone.html'
     model = Terminal
+    permission_classes = [IsSuperUser]
 
     def get_context_data(self, **kwargs):
         if self.object.type == 'Web':

apps/users/forms.py

@@ -62,6 +62,7 @@ class UserCreateUpdateFormMixin(OrgModelForm):
         if self.request.user.is_superuser:
             roles.append((User.ROLE_ADMIN, dict(User.ROLE_CHOICES).get(User.ROLE_ADMIN)))
             roles.append((User.ROLE_USER, dict(User.ROLE_CHOICES).get(User.ROLE_USER)))
+            roles.append((User.ROLE_AUDITOR, dict(User.ROLE_CHOICES).get(User.ROLE_AUDITOR)))
 
         # Org admin user
         else:

apps/users/migrations/0020_auto_20190612_1825.py

+# Generated by Django 2.1.7 on 2019-06-12 10:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0019_auto_20190304_1459'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='user',
+            name='role',
+            field=models.CharField(blank=True, choices=[('Admin', 'Administrator'), ('User', 'User'), ('App', 'Application'), ('Auditor', 'Auditor')], default='User', max_length=10, verbose_name='Role'),
+        ),
+    ]

apps/users/models/user.py

@@ -30,11 +30,13 @@ class User(AbstractUser):
     ROLE_ADMIN = 'Admin'
     ROLE_USER = 'User'
     ROLE_APP = 'App'
+    ROLE_AUDITOR = 'Auditor'
 
     ROLE_CHOICES = (
         (ROLE_ADMIN, _('Administrator')),
         (ROLE_USER, _('User')),
-        (ROLE_APP, _('Application'))
+        (ROLE_APP, _('Application')),
+        (ROLE_AUDITOR, _("Auditor"))
     )
     OTP_LEVEL_CHOICES = (
         (0, _('Disable')),
@@ -243,6 +245,10 @@ class User(AbstractUser):
         else:
             return False
 
+    @property
+    def is_auditor(self):
+        return self.role == 'Auditor'
+
     @property
     def is_app(self):
         return self.role == 'App'

apps/users/utils.py

@@ -24,16 +24,6 @@ from .models import User
 logger = logging.getLogger('jumpserver')
 
 
-class AdminUserRequiredMixin(UserPassesTestMixin):
-    def test_func(self):
-        if not self.request.user.is_authenticated:
-            return False
-        elif not self.request.user.is_superuser:
-            self.raise_exception = True
-            return False
-        return True
-
-
 def construct_user_created_email_body(user):
     default_body = _("""
         <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css">

apps/users/views/group.py

@@ -9,7 +9,7 @@ from django.contrib.messages.views import SuccessMessageMixin
 
 from common.utils import get_logger
 from common.const import create_success_msg, update_success_msg
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from orgs.utils import current_org
 from ..models import User, UserGroup
 from .. import forms
@@ -19,8 +19,9 @@ __all__ = ['UserGroupListView', 'UserGroupCreateView', 'UserGroupDetailView',
 logger = get_logger(__name__)
 
 
-class UserGroupListView(AdminUserRequiredMixin, TemplateView):
+class UserGroupListView(PermissionsMixin, TemplateView):
     template_name = 'users/user_group_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -31,12 +32,13 @@ class UserGroupListView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class UserGroupCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
+class UserGroupCreateView(PermissionsMixin, SuccessMessageMixin, CreateView):
     model = UserGroup
     form_class = forms.UserGroupForm
     template_name = 'users/user_group_create_update.html'
     success_url = reverse_lazy('users:user-group-list')
     success_message = create_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -47,12 +49,13 @@ class UserGroupCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateVie
         return super().get_context_data(**kwargs)
 
 
-class UserGroupUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
+class UserGroupUpdateView(PermissionsMixin, SuccessMessageMixin, UpdateView):
     model = UserGroup
     form_class = forms.UserGroupForm
     template_name = 'users/user_group_create_update.html'
     success_url = reverse_lazy('users:user-group-list')
     success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {
@@ -64,10 +67,11 @@ class UserGroupUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateVie
         return super().get_context_data(**kwargs)
 
 
-class UserGroupDetailView(AdminUserRequiredMixin, DetailView):
+class UserGroupDetailView(PermissionsMixin, DetailView):
     model = UserGroup
     context_object_name = 'user_group'
     template_name = 'users/user_group_detail.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         users = current_org.get_org_users().exclude(id__in=self.object.users.all())
@@ -80,11 +84,12 @@ class UserGroupDetailView(AdminUserRequiredMixin, DetailView):
         return super().get_context_data(**kwargs)
 
 
-class UserGroupGrantedAssetView(AdminUserRequiredMixin, DetailView):
+class UserGroupGrantedAssetView(PermissionsMixin, DetailView):
     model = UserGroup
     template_name = 'users/user_group_granted_asset.html'
     context_object_name = 'user_group'
     object = None
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {

apps/users/views/user.py

@@ -36,7 +36,7 @@ from common.const import (
 )
 from common.mixins import JSONResponseMixin
 from common.utils import get_logger, get_object_or_none, is_uuid, ssh_key_gen
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from orgs.utils import current_org
 from .. import forms
 from ..models import User, UserGroup
@@ -61,8 +61,9 @@ __all__ = [
 logger = get_logger(__name__)
 
 
-class UserListView(AdminUserRequiredMixin, TemplateView):
+class UserListView(PermissionsMixin, TemplateView):
     template_name = 'users/user_list.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
@@ -73,12 +74,13 @@ class UserListView(AdminUserRequiredMixin, TemplateView):
         return context
 
 
-class UserCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
+class UserCreateView(PermissionsMixin, SuccessMessageMixin, CreateView):
     model = User
     form_class = forms.UserCreateForm
     template_name = 'users/user_create.html'
     success_url = reverse_lazy('users:user-list')
     success_message = create_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         check_rules = get_password_check_rules()
@@ -106,13 +108,14 @@ class UserCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
         return kwargs
 
 
-class UserUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
+class UserUpdateView(PermissionsMixin, SuccessMessageMixin, UpdateView):
     model = User
     form_class = forms.UserUpdateForm
     template_name = 'users/user_update.html'
     context_object_name = 'user_object'
     success_url = reverse_lazy('users:user-list')
     success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]
 
     def _deny_permission(self):
         obj = self.get_object()
@@ -153,7 +156,7 @@ class UserUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
         return kwargs
 
 
-class UserBulkUpdateView(AdminUserRequiredMixin, TemplateView):
+class UserBulkUpdateView(PermissionsMixin, TemplateView):
     model = User
     form_class = forms.UserBulkUpdateForm
     template_name = 'users/user_bulk_update.html'
@@ -161,6 +164,7 @@ class UserBulkUpdateView(AdminUserRequiredMixin, TemplateView):
     success_message = _("Bulk update user success")
     form = None
     id_list = None
+    permission_classes = [IsOrgAdmin]
 
     def get(self, request, *args, **kwargs):
         spm = request.GET.get('spm', '')
@@ -193,11 +197,12 @@ class UserBulkUpdateView(AdminUserRequiredMixin, TemplateView):
         return super().get_context_data(**kwargs)
 
 
-class UserDetailView(AdminUserRequiredMixin, DetailView):
+class UserDetailView(PermissionsMixin, DetailView):
     model = User
     template_name = 'users/user_detail.html'
     context_object_name = "user_object"
     key_prefix_block = "_LOGIN_BLOCK_{}"
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         user = self.get_object()
@@ -263,8 +268,9 @@ class UserExportView(View):
         return JsonResponse({'redirect': url})
 
 
-class UserBulkImportView(AdminUserRequiredMixin, JSONResponseMixin, FormView):
+class UserBulkImportView(PermissionsMixin, JSONResponseMixin, FormView):
     form_class = forms.FileForm
+    permission_classes = [IsOrgAdmin]
 
     def form_invalid(self, form):
         try:
@@ -359,9 +365,10 @@ class UserBulkImportView(AdminUserRequiredMixin, JSONResponseMixin, FormView):
         return self.render_json_response(data)
 
 
-class UserGrantedAssetView(AdminUserRequiredMixin, DetailView):
+class UserGrantedAssetView(PermissionsMixin, DetailView):
     model = User
     template_name = 'users/user_granted_asset.html'
+    permission_classes = [IsOrgAdmin]
 
     def get_context_data(self, **kwargs):
         context = {