[Update] 审计员分管组织审计

apps/authentication/api/auth.py

@@ -69,6 +69,10 @@ class UserAuthApi(RootOrgViewMixin, APIView):
             logger.info(msg)
             return Response({'msg': msg}, status=401)
 
+        if user.is_auditor:
+            msg = _("Auditors are not authorized to log in")
+            return Response({'msg': msg}, status=401)
+
         if not user.otp_enabled:
             self.send_auth_signal(success=True, user=user)
             # 登陆成功，清除原来的缓存计数

apps/orgs/middleware.py

@@ -13,11 +13,15 @@ class OrgMiddleware:
     def set_permed_org_if_need(request):
         if request.path.startswith('/api'):
             return
-        if not (request.user.is_authenticated and request.user.is_org_admin):
+        if not request.user.is_authenticated:
+            return
+        if not (request.user.is_org_admin or request.user.is_org_auditor):
             return
         org = get_org_from_request(request)
         if org.can_admin_by(request.user):
             return
+        if org.can_auditor_by(request.user):
+            return
         admin_orgs = Organization.get_user_admin_orgs(request.user)
         if admin_orgs:
             request.session['oid'] = str(admin_orgs[0].id)

apps/orgs/models.py

@@ -11,6 +11,7 @@ class Organization(models.Model):
     name = models.CharField(max_length=128, unique=True, verbose_name=_("Name"))
     users = models.ManyToManyField('users.User', related_name='orgs', blank=True)
     admins = models.ManyToManyField('users.User', related_name='admin_orgs', blank=True)
+    auditors = models.ManyToManyField('users.User', related_name='auditor_orgs', blank=True)
     created_by = models.CharField(max_length=32, null=True, blank=True, verbose_name=_('Created by'))
     date_created = models.DateTimeField(auto_now_add=True, null=True, blank=True, verbose_name=_('Date created'))
     comment = models.TextField(max_length=128, default='', blank=True, verbose_name=_('Comment'))
@@ -69,7 +70,7 @@ class Organization(models.Model):
     def get_org_users(self, include_app=False):
         from users.models import User
         if self.is_real():
-            users = self.users.all()
+            users = self.users.all() | self.auditors.all()
         else:
             users = User.objects.all()
         if not include_app:
@@ -81,6 +82,11 @@ class Organization(models.Model):
             return self.admins.all()
         return []
 
+    def get_org_auditors(self):
+        if self.is_real():
+            return self.auditors.all()
+        return []
+
     def can_admin_by(self, user):
         if user.is_superuser:
             return True
@@ -88,6 +94,11 @@ class Organization(models.Model):
             return True
         return False
 
+    def can_auditor_by(self, user):
+        if user in list(self.get_org_auditors()):
+            return True
+        return False
+
     def is_real(self):
         return self.id not in (self.DEFAULT_NAME, self.ROOT_ID)
 
@@ -96,11 +107,15 @@ class Organization(models.Model):
         admin_orgs = []
         if user.is_anonymous:
             return admin_orgs
-        elif user.is_superuser or user.is_auditor:
+        elif user.is_superuser:
             admin_orgs = list(cls.objects.all())
             admin_orgs.append(cls.default())
         elif user.is_org_admin:
             admin_orgs = user.admin_orgs.all()
+        elif user.is_auditor:
+            admin_orgs = user.auditor_orgs.all()
+            if not admin_orgs:
+                admin_orgs = [cls.default()]
         return admin_orgs
 
     @classmethod

apps/users/api/user.py

@@ -52,7 +52,11 @@ class UserViewSet(IDInCacheFilterMixin, BulkModelViewSet):
         if isinstance(users, User):
             users = [users]
         if current_org and current_org.is_real():
-            current_org.users.add(*users)
+            for user in users:
+                if user.is_auditor:
+                    current_org.auditors.add(user)
+                else:
+                    current_org.users.add(user)
         self.send_created_signal(users)
 
     def get_queryset(self):

apps/users/forms.py

@@ -67,14 +67,8 @@ class UserCreateUpdateFormMixin(OrgModelForm):
 
         # Org admin user
         else:
-            user = kwargs.get('instance')
-            # Update
-            if user:
-                role = kwargs.get('instance').role
-                roles.append((role, dict(User.ROLE_CHOICES).get(role)))
-            # Create
-            else:
-                roles.append((User.ROLE_USER, dict(User.ROLE_CHOICES).get(User.ROLE_USER)))
+            roles.append((User.ROLE_USER, dict(User.ROLE_CHOICES).get(User.ROLE_USER)))
+            roles.append((User.ROLE_AUDITOR, dict(User.ROLE_CHOICES).get(User.ROLE_AUDITOR)))
 
         field = self.fields['role']
         field.choices = set(roles)

apps/users/models/user.py

@@ -164,6 +164,18 @@ class RoleMixin:
     def is_auditor(self):
         return self.role == 'Auditor'
 
+    @property
+    def auditor_orgs(self):
+        from orgs.models import Organization
+        return Organization.get_user_admin_orgs(self)
+
+    @property
+    def is_org_auditor(self):
+        if self.is_auditor and self.auditor_orgs.exists():
+            return True
+        else:
+            return False
+
     @property
     def is_common_user(self):
         if self.is_org_admin:

apps/users/serializers/v1.py

@@ -50,7 +50,7 @@ class UserSerializer(BulkSerializerMixin, serializers.ModelSerializer):
 
     def validate_role(self, value):
         request = self.context.get('request')
-        if not request.user.is_superuser and value != User.ROLE_USER:
+        if not request.user.is_org_admin and value != User.ROLE_USER:
             role_display = dict(User.ROLE_CHOICES)[User.ROLE_USER]
             msg = _("Role limit to {}".format(role_display))
             raise serializers.ValidationError(msg)