Unverified
Commit
c816875f
authored
Jul 23, 2018
by
老广
Committed by
GitHub
Jul 23, 2018
[Update] 修改permission (#1574)
parent
2208d6d5
Showing
20 changed files
with
93 additions
and
156 deletions
+93
-156
admin_user.py
apps/assets/api/admin_user.py
+5
-5
asset.py
apps/assets/api/asset.py
+6
-6
domain.py
apps/assets/api/domain.py
+6
-6
label.py
apps/assets/api/label.py
+2
-2
node.py
apps/assets/api/node.py
+11
-11
system_user.py
apps/assets/api/system_user.py
+6
-5
hands.py
apps/assets/hands.py
+1
-1
api.py
apps/audits/api.py
+2
-2
api.py
apps/common/api.py
+3
-3
mixins.py
apps/common/mixins.py
+0
-1
permissions.py
apps/common/permissions.py
+9
-9
views.py
apps/common/views.py
+2
-4
settings.py
apps/jumpserver/settings.py
+1
-1
api.py
apps/ops/api.py
+6
-6
hands.py
apps/ops/hands.py
+0
-3
api.py
apps/perms/api.py
+15
-15
api.py
apps/terminal/api.py
+10
-10
hands.py
apps/terminal/hands.py
+0
-4
api.py
apps/users/api.py
+8
-10
permissions.py
apps/users/permissions.py
+0
-52
apps/assets/api/admin_user.py
...
...
@@ -20,7 +20,7 @@ from rest_framework_bulk import BulkModelViewSet
from
common.mixins
import
IDInFilterMixin
from
common.utils
import
get_logger
from
..hands
import
Is
SuperUser
from
..hands
import
Is
OrgAdmin
from
..models
import
AdminUser
,
Asset
from
..
import
serializers
from
..tasks
import
test_admin_user_connectability_manual
...
...
@@ -39,19 +39,19 @@ class AdminUserViewSet(IDInFilterMixin, BulkModelViewSet):
"""
queryset
=
AdminUser
.
objects
.
all
()
serializer_class
=
serializers
.
AdminUserSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
class
AdminUserAuthApi
(
generics
.
UpdateAPIView
):
queryset
=
AdminUser
.
objects
.
all
()
serializer_class
=
serializers
.
AdminUserAuthSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
class
ReplaceNodesAdminUserApi
(
generics
.
UpdateAPIView
):
queryset
=
AdminUser
.
objects
.
all
()
serializer_class
=
serializers
.
ReplaceNodeAdminUserSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
update
(
self
,
request
,
*
args
,
**
kwargs
):
admin_user
=
self
.
get_object
()
...
...
@@ -75,7 +75,7 @@ class AdminUserTestConnectiveApi(generics.RetrieveAPIView):
Test asset admin user connectivity
"""
queryset
=
AdminUser
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
retrieve
(
self
,
request
,
*
args
,
**
kwargs
):
admin_user
=
self
.
get_object
()
...
...
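Review bot: Every view in this section now admits any organisation admin through `permission_classes = (IsOrgAdmin,)` while still declaring `queryset = AdminUser.objects.all()`, so the permission class decides who may call the endpoint but nothing visible limits which organisation's rows `get_object()` can return. Unless the `AdminUser` manager is already organisation-scoped (not visible on this page), `AdminUserAuthApi` and `ReplaceNodesAdminUserApi` would let an admin of one organisation update another organisation's admin-user records by primary key. I would filter in `get_queryset()` by the current organisation or give `IsOrgAdmin` a `has_object_permission`, and add a test in which an admin of organisation A requests an object of organisation B and receives 404. The same pairing of `IsOrgAdmin`/`IsOrgAdminOrAppUser` with `.objects.all()` appears in asset.py, domain.py, node.py, system_user.py, audits/api.py, ops/api.py, perms/api.py and terminal/api.py.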
apps/assets/api/asset.py
...
...
@@ -13,7 +13,7 @@ from django.db.models import Q
from
common.mixins
import
IDInFilterMixin
from
common.utils
import
get_logger
from
..hands
import
IsSuperUser
,
IsValidUser
,
IsSuperUser
OrAppUser
from
common.permissions
import
IsOrgAdmin
,
IsAppUser
,
IsOrgAdmin
OrAppUser
from
..models
import
Asset
,
SystemUser
,
AdminUser
,
Node
from
..
import
serializers
from
..tasks
import
update_asset_hardware_info_manual
,
\
...
...
@@ -39,7 +39,7 @@ class AssetViewSet(IDInFilterMixin, LabelFilter, BulkModelViewSet):
queryset
=
Asset
.
objects
.
all
()
serializer_class
=
serializers
.
AssetSerializer
pagination_class
=
LimitOffsetPagination
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
def
get_queryset
(
self
):
queryset
=
super
()
.
get_queryset
()
\
...
...
@@ -79,7 +79,7 @@ class AssetListUpdateApi(IDInFilterMixin, ListBulkCreateUpdateDestroyAPIView):
"""
queryset
=
Asset
.
objects
.
all
()
serializer_class
=
serializers
.
AssetSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
class
AssetRefreshHardwareApi
(
generics
.
RetrieveAPIView
):
...
...
@@ -88,7 +88,7 @@ class AssetRefreshHardwareApi(generics.RetrieveAPIView):
"""
queryset
=
Asset
.
objects
.
all
()
serializer_class
=
serializers
.
AssetSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
retrieve
(
self
,
request
,
*
args
,
**
kwargs
):
asset_id
=
kwargs
.
get
(
'pk'
)
...
...
@@ -102,7 +102,7 @@ class AssetAdminUserTestApi(generics.RetrieveAPIView):
Test asset admin user connectivity
"""
queryset
=
Asset
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
retrieve
(
self
,
request
,
*
args
,
**
kwargs
):
asset_id
=
kwargs
.
get
(
'pk'
)
...
...
@@ -113,7 +113,7 @@ class AssetAdminUserTestApi(generics.RetrieveAPIView):
class
AssetGatewayApi
(
generics
.
RetrieveAPIView
):
queryset
=
Asset
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
def
retrieve
(
self
,
request
,
*
args
,
**
kwargs
):
asset_id
=
kwargs
.
get
(
'pk'
)
...
...
apps/assets/api/domain.py
...
...
@@ -2,12 +2,12 @@
from
rest_framework_bulk
import
BulkModelViewSet
from
rest_framework.views
import
APIView
,
Response
from
rest_
framework.generics
import
RetrieveAPIView
from
rest_
condition
import
Or
from
django.views.generic.detail
import
SingleObjectMixin
from
common.utils
import
get_logger
from
..hands
import
IsSuperUser
,
IsSuperUserOr
AppUser
from
common.permissions
import
IsOrgAdmin
,
Is
AppUser
from
..models
import
Domain
,
Gateway
from
..utils
import
test_gateway_connectability
from
..
import
serializers
...
...
@@ -19,7 +19,7 @@ __all__ = ['DomainViewSet', 'GatewayViewSet', "GatewayTestConnectionApi"]
class
DomainViewSet
(
BulkModelViewSet
):
queryset
=
Domain
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
DomainSerializer
def
get_serializer_class
(
self
):
...
...
@@ -29,7 +29,7 @@ class DomainViewSet(BulkModelViewSet):
def
get_permissions
(
self
):
if
self
.
request
.
query_params
.
get
(
'gateway'
):
self
.
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
self
.
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
return
super
()
.
get_permissions
()
...
...
@@ -37,12 +37,12 @@ class GatewayViewSet(BulkModelViewSet):
filter_fields
=
(
"domain"
,)
search_fields
=
filter_fields
queryset
=
Gateway
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
GatewaySerializer
class
GatewayTestConnectionApi
(
SingleObjectMixin
,
APIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
model
=
Gateway
object
=
None
...
...
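Review bot: `DomainViewSet.get_permissions` assigns `(IsOrgAdminOrAppUser,)`, but the rewritten import in the first hunk, as rendered here, brings in only `IsOrgAdmin` and `IsAppUser` from `common.permissions`, and the newly imported `Or` from `rest_condition` is not used in any visible hunk. If no import outside the hunks provides the name, a request carrying the `gateway` query parameter raises NameError and the endpoint answers 500 instead of making a permission decision. Either extend the import to `from common.permissions import IsOrgAdmin, IsAppUser, IsOrgAdminOrAppUser`, or use the import that was added: `self.permission_classes = (Or(IsOrgAdmin, IsAppUser),)`.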
apps/assets/api/label.py
...
...
@@ -17,7 +17,7 @@ from rest_framework_bulk import BulkModelViewSet
from
django.db.models
import
Count
from
common.utils
import
get_logger
from
..hands
import
Is
SuperUser
from
..hands
import
Is
OrgAdmin
from
..models
import
Label
from
..
import
serializers
...
...
@@ -28,7 +28,7 @@ __all__ = ['LabelViewSet']
class
LabelViewSet
(
BulkModelViewSet
):
queryset
=
Label
.
objects
.
annotate
(
asset_count
=
Count
(
"assets"
))
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
LabelSerializer
def
list
(
self
,
request
,
*
args
,
**
kwargs
):
...
...
apps/assets/api/node.py
...
...
@@ -22,7 +22,7 @@ from django.utils.translation import ugettext_lazy as _
from
django.shortcuts
import
get_object_or_404
from
common.utils
import
get_logger
,
get_object_or_none
from
..hands
import
Is
SuperUser
from
..hands
import
Is
OrgAdmin
from
..models
import
Node
from
..tasks
import
update_assets_hardware_info_util
,
test_asset_connectability_util
from
..
import
serializers
...
...
@@ -39,7 +39,7 @@ __all__ = [
class
NodeViewSet
(
viewsets
.
ModelViewSet
):
queryset
=
Node
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
NodeSerializer
def
get_queryset
(
self
):
...
...
@@ -56,7 +56,7 @@ class NodeViewSet(viewsets.ModelViewSet):
# class NodeWithAssetsApi(generics.ListAPIView):
# permission_classes = (Is
SuperUser
,)
# permission_classes = (Is
OrgAdmin
,)
# serializers = serializers.NodeSerializer
#
# def get_node(self):
...
...
@@ -85,7 +85,7 @@ class NodeViewSet(viewsets.ModelViewSet):
class
NodeChildrenApi
(
mixins
.
ListModelMixin
,
generics
.
CreateAPIView
):
queryset
=
Node
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
NodeSerializer
instance
=
None
...
...
@@ -157,7 +157,7 @@ class NodeChildrenApi(mixins.ListModelMixin, generics.CreateAPIView):
class
NodeAssetsApi
(
generics
.
ListAPIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
AssetSerializer
def
get_queryset
(
self
):
...
...
@@ -172,7 +172,7 @@ class NodeAssetsApi(generics.ListAPIView):
class
NodeAddChildrenApi
(
generics
.
UpdateAPIView
):
queryset
=
Node
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
NodeAddChildrenSerializer
instance
=
None
...
...
@@ -190,7 +190,7 @@ class NodeAddChildrenApi(generics.UpdateAPIView):
class
NodeAddAssetsApi
(
generics
.
UpdateAPIView
):
serializer_class
=
serializers
.
NodeAssetsSerializer
queryset
=
Node
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
instance
=
None
def
perform_update
(
self
,
serializer
):
...
...
@@ -202,7 +202,7 @@ class NodeAddAssetsApi(generics.UpdateAPIView):
class
NodeRemoveAssetsApi
(
generics
.
UpdateAPIView
):
serializer_class
=
serializers
.
NodeAssetsSerializer
queryset
=
Node
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
instance
=
None
def
perform_update
(
self
,
serializer
):
...
...
@@ -218,7 +218,7 @@ class NodeRemoveAssetsApi(generics.UpdateAPIView):
class
NodeReplaceAssetsApi
(
generics
.
UpdateAPIView
):
serializer_class
=
serializers
.
NodeAssetsSerializer
queryset
=
Node
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
instance
=
None
def
perform_update
(
self
,
serializer
):
...
...
@@ -229,7 +229,7 @@ class NodeReplaceAssetsApi(generics.UpdateAPIView):
class
RefreshNodeHardwareInfoApi
(
APIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
model
=
Node
def
get
(
self
,
request
,
*
args
,
**
kwargs
):
...
...
@@ -242,7 +242,7 @@ class RefreshNodeHardwareInfoApi(APIView):
class
TestNodeConnectiveApi
(
APIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
model
=
Node
def
get
(
self
,
request
,
*
args
,
**
kwargs
):
...
...
apps/assets/api/system_user.py
...
...
@@ -16,8 +16,9 @@
from
rest_framework
import
generics
from
rest_framework.response
import
Response
from
rest_framework_bulk
import
BulkModelViewSet
from
common.utils
import
get_logger
from
..hands
import
IsSuperUser
,
IsSuperUser
OrAppUser
from
common.permissions
import
IsOrgAdmin
,
IsOrgAdmin
OrAppUser
from
..models
import
SystemUser
from
..
import
serializers
from
..tasks
import
push_system_user_to_assets_manual
,
\
...
...
@@ -37,7 +38,7 @@ class SystemUserViewSet(BulkModelViewSet):
"""
queryset
=
SystemUser
.
objects
.
all
()
serializer_class
=
serializers
.
SystemUserSerializer
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
class
SystemUserAuthInfoApi
(
generics
.
RetrieveUpdateDestroyAPIView
):
...
...
@@ -45,7 +46,7 @@ class SystemUserAuthInfoApi(generics.RetrieveUpdateDestroyAPIView):
Get system user auth info
"""
queryset
=
SystemUser
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
serializer_class
=
serializers
.
SystemUserAuthSerializer
def
destroy
(
self
,
request
,
*
args
,
**
kwargs
):
...
...
@@ -59,7 +60,7 @@ class SystemUserPushApi(generics.RetrieveAPIView):
Push system user to cluster assets api
"""
queryset
=
SystemUser
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
retrieve
(
self
,
request
,
*
args
,
**
kwargs
):
system_user
=
self
.
get_object
()
...
...
@@ -75,7 +76,7 @@ class SystemUserTestConnectiveApi(generics.RetrieveAPIView):
Push system user to cluster assets api
"""
queryset
=
SystemUser
.
objects
.
all
()
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
retrieve
(
self
,
request
,
*
args
,
**
kwargs
):
system_user
=
self
.
get_object
()
...
...
apps/assets/hands.py
...
...
@@ -12,5 +12,5 @@
from
common.permissions
import
AdminUserRequiredMixin
from
common.permissions
import
IsAppUser
,
Is
SuperUser
,
IsValidUser
,
IsSuperUser
OrAppUser
from
common.permissions
import
IsAppUser
,
Is
OrgAdmin
,
IsValidUser
,
IsOrgAdmin
OrAppUser
from
users.models
import
User
,
UserGroup
apps/audits/api.py
...
...
@@ -3,7 +3,7 @@
from
rest_framework
import
viewsets
from
common.permissions
import
Is
SuperUser
OrAppUser
from
common.permissions
import
Is
OrgAdmin
OrAppUser
from
.models
import
FTPLog
from
.serializers
import
FTPLogSerializer
...
...
@@ -11,4 +11,4 @@ from .serializers import FTPLogSerializer
class
FTPLogViewSet
(
viewsets
.
ModelViewSet
):
queryset
=
FTPLog
.
objects
.
all
()
serializer_class
=
FTPLogSerializer
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
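Review bot: `FTPLogViewSet` stays a `viewsets.ModelViewSet`, so widening its permission to `IsOrgAdminOrAppUser` also widens who may PUT, PATCH and DELETE audit records, not only who may read them. Audit logs are normally append-only; I would restrict the verbs on the view, e.g. `http_method_names = ['get', 'post', 'head', 'options']`, or build it from the create/list/retrieve mixins instead of `ModelViewSet`.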
apps/common/api.py
...
...
@@ -8,12 +8,12 @@ from django.core.mail import get_connection, send_mail
from
django.utils.translation
import
ugettext_lazy
as
_
from
django.conf
import
settings
from
.permissions
import
Is
SuperUser
from
.permissions
import
Is
OrgAdmin
from
.serializers
import
MailTestSerializer
,
LDAPTestSerializer
class
MailTestingAPI
(
APIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
MailTestSerializer
success_message
=
_
(
"Test mail sent to {}, please check"
)
...
...
@@ -37,7 +37,7 @@ class MailTestingAPI(APIView):
class
LDAPTestingAPI
(
APIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
LDAPTestSerializer
success_message
=
_
(
"Test ldap success"
)
...
...
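Review bot: `MailTestingAPI` and `LDAPTestingAPI` are switched to `IsOrgAdmin`, yet judging by their serializers and success messages they exercise the mail and LDAP settings, which look instance-wide rather than per-organisation. If that is right, any organisation admin can now trigger connection tests from the server against settings that belong to the whole deployment; the view bodies are outside the visible hunks, so this needs confirming. Since this commit removes `IsSuperUser`, I would keep a superuser-only permission class for these two views, or add a class comment explaining why organisation admins are meant to reach them.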
apps/common/mixins.py
...
...
@@ -6,7 +6,6 @@ from django.utils import timezone
from
django.utils.translation
import
ugettext_lazy
as
_
class
NoDeleteQuerySet
(
models
.
query
.
QuerySet
):
def
delete
(
self
):
...
...
apps/common/permissions.py
...
...
@@ -23,29 +23,29 @@ class IsAppUser(IsValidUser):
and
request
.
user
.
is_app
class
Is
SuperUser
(
IsValidUser
):
class
Is
OrgAdmin
(
IsValidUser
):
"""Allows access only to superuser"""
def
has_permission
(
self
,
request
,
view
):
return
super
(
Is
SuperUser
,
self
)
.
has_permission
(
request
,
view
)
\
and
request
.
user
.
is_superuser
return
super
(
Is
OrgAdmin
,
self
)
.
has_permission
(
request
,
view
)
\
and
current_org
.
can_admin_by
(
request
.
user
)
class
Is
SuperUser
OrAppUser
(
IsValidUser
):
class
Is
OrgAdmin
OrAppUser
(
IsValidUser
):
"""Allows access between superuser and app user"""
def
has_permission
(
self
,
request
,
view
):
return
super
(
Is
SuperUser
OrAppUser
,
self
)
.
has_permission
(
request
,
view
)
\
and
(
request
.
user
.
is_superuser
or
request
.
user
.
is_app
)
return
super
(
Is
OrgAdmin
OrAppUser
,
self
)
.
has_permission
(
request
,
view
)
\
and
(
current_org
.
can_admin_by
(
request
.
user
)
or
request
.
user
.
is_app
)
class
Is
SuperUserOrAppUserOrUserReadonly
(
IsSuperUser
OrAppUser
):
class
Is
OrgAdminOrAppUserOrUserReadonly
(
IsOrgAdmin
OrAppUser
):
def
has_permission
(
self
,
request
,
view
):
if
IsValidUser
.
has_permission
(
self
,
request
,
view
)
\
and
request
.
method
in
permissions
.
SAFE_METHODS
:
return
True
else
:
return
Is
SuperUser
OrAppUser
.
has_permission
(
self
,
request
,
view
)
return
Is
OrgAdmin
OrAppUser
.
has_permission
(
self
,
request
,
view
)
class
IsCurrentUserOrReadOnly
(
permissions
.
BasePermission
):
...
...
@@ -59,7 +59,7 @@ class AdminUserRequiredMixin(UserPassesTestMixin):
def
test_func
(
self
):
if
not
self
.
request
.
user
.
is_authenticated
:
return
False
elif
not
self
.
request
.
user
:
elif
not
current_org
.
can_admin_by
(
self
.
request
.
user
)
:
self
.
raise_exception
=
True
return
False
return
True
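Review bot: The renamed classes keep their old docstrings: `IsOrgAdmin` still says `"""Allows access only to superuser"""` and `IsOrgAdminOrAppUser` still speaks of superuser, while both now decide on `current_org.can_admin_by(request.user)`. A wrong docstring on authorization code misleads the next reviewer, so I would change them to e.g. `"""Allows access only to admins of the current organization"""` and state whether superusers are expected to pass. `current_org` is not imported in any visible hunk, so please confirm it is in scope in this module and that it is bound to the request being checked when `has_permission` runs, for access-key and token requests as well as sessions. A unit test of `can_admin_by` with a superuser, an admin of a different organisation and a plain user would pin the intended behaviour.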
apps/common/views.py
from
django.core.cache
import
cache
from
django.views.generic
import
TemplateView
,
View
,
DetailView
from
django.shortcuts
import
render
,
redirect
,
Http404
,
reverse
from
django.views.generic
import
TemplateView
from
django.shortcuts
import
render
,
redirect
from
django.contrib
import
messages
from
django.utils.translation
import
ugettext
as
_
from
django.conf
import
settings
...
...
apps/jumpserver/settings.py
...
...
@@ -291,7 +291,7 @@ REST_FRAMEWORK = {
# Use Django's standard `django.contrib.auth` permissions,
# or allow read-only access for unauthenticated users.
'DEFAULT_PERMISSION_CLASSES'
:
(
'
users.permissions.IsSuperUser
'
,
'
common.permissions.IsOrgAdmin
'
,
),
'DEFAULT_AUTHENTICATION_CLASSES'
:
(
'users.authentication.AccessKeyAuthentication'
,
...
...
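Review bot: The comment above `'DEFAULT_PERMISSION_CLASSES'` still reads "Use Django's standard `django.contrib.auth` permissions, or allow read-only access for unauthenticated users", which describes neither the old nor the new value. Because this entry is the fallback for every API view that declares no `permission_classes`, I would replace the comment with something like `# Default: only admins of the current organization; views must opt in to anything broader.` It is also worth searching for remaining references to `users.permissions`, since that module is deleted in this commit and a dotted string path such as this one would not fail until the setting is loaded.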
apps/ops/api.py
...
...
@@ -8,7 +8,7 @@ from django.utils.translation import ugettext as _
from
rest_framework
import
viewsets
,
generics
from
rest_framework.views
import
Response
from
.hands
import
IsSuperUser
from
common.permissions
import
IsOrgAdmin
from
.models
import
Task
,
AdHoc
,
AdHocRunHistory
,
CeleryTask
from
.serializers
import
TaskSerializer
,
AdHocSerializer
,
\
AdHocRunHistorySerializer
...
...
@@ -18,13 +18,13 @@ from .tasks import run_ansible_task
class
TaskViewSet
(
viewsets
.
ModelViewSet
):
queryset
=
Task
.
objects
.
all
()
serializer_class
=
TaskSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
class
TaskRun
(
generics
.
RetrieveAPIView
):
queryset
=
Task
.
objects
.
all
()
serializer_class
=
TaskViewSet
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
retrieve
(
self
,
request
,
*
args
,
**
kwargs
):
task
=
self
.
get_object
()
...
...
@@ -35,7 +35,7 @@ class TaskRun(generics.RetrieveAPIView):
class
AdHocViewSet
(
viewsets
.
ModelViewSet
):
queryset
=
AdHoc
.
objects
.
all
()
serializer_class
=
AdHocSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
get_queryset
(
self
):
task_id
=
self
.
request
.
query_params
.
get
(
'task'
)
...
...
@@ -48,7 +48,7 @@ class AdHocViewSet(viewsets.ModelViewSet):
class
AdHocRunHistorySet
(
viewsets
.
ModelViewSet
):
queryset
=
AdHocRunHistory
.
objects
.
all
()
serializer_class
=
AdHocRunHistorySerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
get_queryset
(
self
):
task_id
=
self
.
request
.
query_params
.
get
(
'task'
)
...
...
@@ -65,7 +65,7 @@ class AdHocRunHistorySet(viewsets.ModelViewSet):
class
CeleryTaskLogApi
(
generics
.
RetrieveAPIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
buff_size
=
1024
*
10
end
=
False
queryset
=
CeleryTask
.
objects
.
all
()
...
...
apps/ops/hands.py
# ~*~ coding: utf-8 ~*~
from
users.permissions
import
IsSuperUser
from
common.permissions
import
AdminUserRequiredMixin
\ No newline at end of file
apps/perms/api.py
...
...
@@ -7,7 +7,7 @@ from rest_framework.generics import ListAPIView, get_object_or_404, RetrieveUpda
from
rest_framework
import
viewsets
from
common.utils
import
set_or_append_attr_bulk
,
get_object_or_none
from
users.permissions
import
IsValidUser
,
IsSuperUser
,
IsSuperUser
OrAppUser
from
common.permissions
import
IsValidUser
,
IsOrgAdmin
,
IsOrgAdmin
OrAppUser
from
.utils
import
AssetPermissionUtil
from
.models
import
AssetPermission
from
.hands
import
AssetGrantedSerializer
,
User
,
UserGroup
,
Asset
,
Node
,
\
...
...
@@ -21,7 +21,7 @@ class AssetPermissionViewSet(viewsets.ModelViewSet):
"""
queryset
=
AssetPermission
.
objects
.
all
()
serializer_class
=
serializers
.
AssetPermissionCreateUpdateSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
def
get_serializer_class
(
self
):
if
self
.
action
in
(
"list"
,
'retrieve'
):
...
...
@@ -58,7 +58,7 @@ class UserGrantedAssetsApi(ListAPIView):
"""
用户授权的所有资产
"""
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
serializer_class
=
AssetGrantedSerializer
def
get_queryset
(
self
):
...
...
@@ -87,7 +87,7 @@ class UserGrantedAssetsApi(ListAPIView):
class
UserGrantedNodesApi
(
ListAPIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
NodeSerializer
def
get_queryset
(
self
):
...
...
@@ -107,7 +107,7 @@ class UserGrantedNodesApi(ListAPIView):
class
UserGrantedNodesWithAssetsApi
(
ListAPIView
):
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
serializer_class
=
NodeGrantedSerializer
def
get_queryset
(
self
):
...
...
@@ -139,7 +139,7 @@ class UserGrantedNodesWithAssetsApi(ListAPIView):
class
UserGrantedNodeAssetsApi
(
ListAPIView
):
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
serializer_class
=
AssetGrantedSerializer
def
get_queryset
(
self
):
...
...
@@ -165,7 +165,7 @@ class UserGrantedNodeAssetsApi(ListAPIView):
class
UserGroupGrantedAssetsApi
(
ListAPIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
AssetGrantedSerializer
def
get_queryset
(
self
):
...
...
@@ -185,7 +185,7 @@ class UserGroupGrantedAssetsApi(ListAPIView):
class
UserGroupGrantedNodesApi
(
ListAPIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
NodeSerializer
def
get_queryset
(
self
):
...
...
@@ -201,7 +201,7 @@ class UserGroupGrantedNodesApi(ListAPIView):
class
UserGroupGrantedNodesWithAssetsApi
(
ListAPIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
NodeGrantedSerializer
def
get_queryset
(
self
):
...
...
@@ -224,7 +224,7 @@ class UserGroupGrantedNodesWithAssetsApi(ListAPIView):
class
UserGroupGrantedNodeAssetsApi
(
ListAPIView
):
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
serializer_class
=
AssetGrantedSerializer
def
get_queryset
(
self
):
...
...
@@ -242,7 +242,7 @@ class UserGroupGrantedNodeAssetsApi(ListAPIView):
class
ValidateUserAssetPermissionView
(
APIView
):
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
@staticmethod
def
get
(
request
):
...
...
@@ -266,7 +266,7 @@ class AssetPermissionRemoveUserApi(RetrieveUpdateAPIView):
"""
将用户从授权中移除,Detail页面会调用
"""
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
AssetPermissionUpdateUserSerializer
queryset
=
AssetPermission
.
objects
.
all
()
...
...
@@ -283,7 +283,7 @@ class AssetPermissionRemoveUserApi(RetrieveUpdateAPIView):
class
AssetPermissionAddUserApi
(
RetrieveUpdateAPIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
AssetPermissionUpdateUserSerializer
queryset
=
AssetPermission
.
objects
.
all
()
...
...
@@ -303,7 +303,7 @@ class AssetPermissionRemoveAssetApi(RetrieveUpdateAPIView):
"""
将用户从授权中移除,Detail页面会调用
"""
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
AssetPermissionUpdateAssetSerializer
queryset
=
AssetPermission
.
objects
.
all
()
...
...
@@ -320,7 +320,7 @@ class AssetPermissionRemoveAssetApi(RetrieveUpdateAPIView):
class
AssetPermissionAddAssetApi
(
RetrieveUpdateAPIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
serializer_class
=
serializers
.
AssetPermissionUpdateAssetSerializer
queryset
=
AssetPermission
.
objects
.
all
()
...
...
apps/terminal/api.py
...
...
@@ -24,8 +24,8 @@ from common.utils import get_object_or_none
from
.models
import
Terminal
,
Status
,
Session
,
Task
from
.serializers
import
TerminalSerializer
,
StatusSerializer
,
\
SessionSerializer
,
TaskSerializer
,
ReplaySerializer
from
.hands
import
IsSuperUserOrAppUser
,
Is
AppUser
,
\
Is
SuperUser
OrAppUserOrUserReadonly
from
common.permissions
import
IsOrgAdmin
,
IsAppUser
,
IsOrgAdminOr
AppUser
,
\
Is
OrgAdmin
OrAppUserOrUserReadonly
from
.backends
import
get_command_storage
,
get_multi_command_storage
,
\
SessionCommandSerializer
...
...
@@ -35,7 +35,7 @@ logger = logging.getLogger(__file__)
class
TerminalViewSet
(
viewsets
.
ModelViewSet
):
queryset
=
Terminal
.
objects
.
filter
(
is_deleted
=
False
)
serializer_class
=
TerminalSerializer
permission_classes
=
(
Is
SuperUser
OrAppUserOrUserReadonly
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUserOrUserReadonly
,)
def
create
(
self
,
request
,
*
args
,
**
kwargs
):
name
=
request
.
data
.
get
(
'name'
)
...
...
@@ -104,7 +104,7 @@ class TerminalTokenApi(APIView):
class
StatusViewSet
(
viewsets
.
ModelViewSet
):
queryset
=
Status
.
objects
.
all
()
serializer_class
=
StatusSerializer
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
session_serializer_class
=
SessionSerializer
task_serializer_class
=
TaskSerializer
...
...
@@ -176,7 +176,7 @@ class StatusViewSet(viewsets.ModelViewSet):
class
SessionViewSet
(
viewsets
.
ModelViewSet
):
queryset
=
Session
.
objects
.
all
()
serializer_class
=
SessionSerializer
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
def
get_queryset
(
self
):
terminal_id
=
self
.
kwargs
.
get
(
"terminal"
,
None
)
...
...
@@ -194,11 +194,11 @@ class SessionViewSet(viewsets.ModelViewSet):
class
TaskViewSet
(
BulkModelViewSet
):
queryset
=
Task
.
objects
.
all
()
serializer_class
=
TaskSerializer
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
class
KillSessionAPI
(
APIView
):
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
model
=
Task
def
post
(
self
,
request
,
*
args
,
**
kwargs
):
...
...
@@ -230,7 +230,7 @@ class CommandViewSet(viewsets.ViewSet):
command_store
=
get_command_storage
()
multi_command_storage
=
get_multi_command_storage
()
serializer_class
=
SessionCommandSerializer
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
def
get_queryset
(
self
):
self
.
command_store
.
filter
(
**
dict
(
self
.
request
.
query_params
))
...
...
@@ -256,7 +256,7 @@ class CommandViewSet(viewsets.ViewSet):
class
SessionReplayViewSet
(
viewsets
.
ViewSet
):
serializer_class
=
ReplaySerializer
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
session
=
None
upload_to
=
'replay'
# 仅添加到本地存储中
...
...
@@ -341,7 +341,7 @@ class SessionReplayViewSet(viewsets.ViewSet):
class
SessionReplayV2ViewSet
(
SessionReplayViewSet
):
serializer_class
=
ReplaySerializer
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
session
=
None
def
retrieve
(
self
,
request
,
*
args
,
**
kwargs
):
...
...
apps/terminal/hands.py
...
...
@@ -2,6 +2,3 @@
#
from
users.models
import
User
from
users.permissions
import
IsSuperUserOrAppUser
,
IsAppUser
,
\
IsSuperUserOrAppUserOrUserReadonly
from
common.permissions
import
AdminUserRequiredMixin
\ No newline at end of file
apps/users/api.py
...
...
@@ -16,12 +16,10 @@ from .serializers import UserSerializer, UserGroupSerializer, \
UserUpdateGroupSerializer
,
ChangeUserPasswordSerializer
from
.tasks
import
write_login_log_async
from
.models
import
User
,
UserGroup
,
LoginLog
from
.permissions
import
IsSuperUser
,
IsValidUser
,
IsCurrentUserOrReadOnly
,
\
IsSuperUserOrAppUser
from
.utils
import
check_user_valid
,
generate_token
,
get_login_ip
,
\
check_otp_code
,
set_user_login_failed_count_to_cache
,
is_block_login
from
orgs.utils
import
current_org
from
orgs.mixins
import
OrgViewGenericMixin
from
common.permissions
import
IsOrgAdmin
,
IsCurrentUserOrReadOnly
,
IsOrgAdminOrAppUser
from
common.mixins
import
IDInFilterMixin
from
common.utils
import
get_logger
...
...
@@ -32,7 +30,7 @@ logger = get_logger(__name__)
class
UserViewSet
(
IDInFilterMixin
,
BulkModelViewSet
):
queryset
=
User
.
objects
.
exclude
(
role
=
"App"
)
serializer_class
=
UserSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
filter_fields
=
(
'username'
,
'email'
,
'name'
,
'id'
)
def
get_queryset
(
self
):
...
...
@@ -43,12 +41,12 @@ class UserViewSet(IDInFilterMixin, BulkModelViewSet):
def
get_permissions
(
self
):
if
self
.
action
==
"retrieve"
:
self
.
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
self
.
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
return
super
()
.
get_permissions
()
class
ChangeUserPasswordApi
(
generics
.
RetrieveUpdateAPIView
):
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
queryset
=
User
.
objects
.
all
()
serializer_class
=
ChangeUserPasswordSerializer
...
...
@@ -61,7 +59,7 @@ class ChangeUserPasswordApi(generics.RetrieveUpdateAPIView):
class
UserUpdateGroupApi
(
generics
.
RetrieveUpdateAPIView
):
queryset
=
User
.
objects
.
all
()
serializer_class
=
UserUpdateGroupSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
class
UserResetPasswordApi
(
generics
.
UpdateAPIView
):
...
...
@@ -106,13 +104,13 @@ class UserUpdatePKApi(generics.UpdateAPIView):
class
UserGroupViewSet
(
BulkModelViewSet
):
queryset
=
UserGroup
.
objects
.
all
()
serializer_class
=
UserGroupSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
class
UserGroupUpdateUserApi
(
generics
.
RetrieveUpdateAPIView
):
queryset
=
UserGroup
.
objects
.
all
()
serializer_class
=
UserGroupUpdateMemeberSerializer
permission_classes
=
(
Is
SuperUser
,)
permission_classes
=
(
Is
OrgAdmin
,)
class
UserToken
(
APIView
):
...
...
@@ -288,7 +286,7 @@ class UserAuthApi(APIView):
class
UserConnectionTokenApi
(
APIView
):
permission_classes
=
(
Is
SuperUser
OrAppUser
,)
permission_classes
=
(
Is
OrgAdmin
OrAppUser
,)
def
post
(
self
,
request
):
user_id
=
request
.
data
.
get
(
'user'
,
''
)
...
...
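Review bot: `ChangeUserPasswordApi` and `UserUpdateGroupApi` now accept any organisation admin but keep `queryset = User.objects.all()`, so as far as the visible lines show the target may be a superuser or a user outside the caller's organisation. Changing the password of a more privileged account is a privilege escalation, so these views need an object-level rule, e.g. refuse when `obj.is_superuser and not request.user.is_superuser`, in addition to organisation scoping. `OrgViewGenericMixin` and `current_org` are imported in the first hunk but no visible class uses them; if they are meant to provide that scoping, the class definitions should show it.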
apps/users/permissions.py
deleted
100644 → 0
#!/usr/bin/env python
# -*- coding: utf-8 -*-
from
rest_framework
import
permissions
class
IsValidUser
(
permissions
.
IsAuthenticated
,
permissions
.
BasePermission
):
"""Allows access to valid user, is active and not expired"""
def
has_permission
(
self
,
request
,
view
):
return
super
(
IsValidUser
,
self
)
.
has_permission
(
request
,
view
)
\
and
request
.
user
.
is_valid
class
IsAppUser
(
IsValidUser
):
"""Allows access only to app user """
def
has_permission
(
self
,
request
,
view
):
return
super
(
IsAppUser
,
self
)
.
has_permission
(
request
,
view
)
\
and
request
.
user
.
is_app
class
IsSuperUser
(
IsValidUser
):
"""Allows access only to superuser"""
def
has_permission
(
self
,
request
,
view
):
return
super
(
IsSuperUser
,
self
)
.
has_permission
(
request
,
view
)
\
and
request
.
user
.
is_superuser
class
IsSuperUserOrAppUser
(
IsValidUser
):
"""Allows access between superuser and app user"""
def
has_permission
(
self
,
request
,
view
):
return
super
(
IsSuperUserOrAppUser
,
self
)
.
has_permission
(
request
,
view
)
\
and
(
request
.
user
.
is_superuser
or
request
.
user
.
is_app
)
class
IsSuperUserOrAppUserOrUserReadonly
(
IsSuperUserOrAppUser
):
def
has_permission
(
self
,
request
,
view
):
if
IsValidUser
.
has_permission
(
self
,
request
,
view
)
\
and
request
.
method
in
permissions
.
SAFE_METHODS
:
return
True
else
:
return
IsSuperUserOrAppUser
.
has_permission
(
self
,
request
,
view
)
class
IsCurrentUserOrReadOnly
(
permissions
.
BasePermission
):
def
has_object_permission
(
self
,
request
,
view
,
obj
):
if
request
.
method
in
permissions
.
SAFE_METHODS
:
return
True
return
obj
==
request
.
user