From 4b23630bb2bb89c5fd4e5067e5d13f0a85c5ffe2 Mon Sep 17 00:00:00 2001
From: Timmy
Date: Tue, 9 Apr 2024 11:54:21 +0800
Subject: [PATCH] feat: system manager add manger action permission (#2604)

---
 saas/backend/account/views.py | 2 +-
 saas/backend/apps/approval/views.py | 6 +++++-
 saas/backend/apps/role/constants.py | 2 ++
 saas/backend/apps/role/views/permission_audit.py | 12 +++++++++++-
 4 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/saas/backend/account/views.py b/saas/backend/account/views.py
index bd82a668f..977274b32 100644
--- a/saas/backend/account/views.py
+++ b/saas/backend/account/views.py
@@ -41,7 +41,7 @@ def retrieve(self, request, *args, **kwargs):
 {
 "timestamp": timestamp,
 "username": user.username,
- "role": {"type": role.type, "id": role.id, "name": role.name},
+ "role": {"type": role.type, "id": role.id, "name": role.name, "code": role.code},
 "timezone": user.get_property("time_zone"),
 "name": u.display_name if u else "",
 }
diff --git a/saas/backend/apps/approval/views.py b/saas/backend/apps/approval/views.py
index a3c35b874..fc6e30690 100644
--- a/saas/backend/apps/approval/views.py
+++ b/saas/backend/apps/approval/views.py
@@ -26,7 +26,7 @@
 from backend.common.error_codes import error_codes
 from backend.common.serializers import SystemQuerySLZ
 from backend.service.action import ActionService
-from backend.service.constants import PermissionCodeEnum
+from backend.service.constants import PermissionCodeEnum, RoleType
 
 from .audit import (
 ActionSensitivityLevelAuditProvider,
@@ -253,6 +253,10 @@ def create(self, request, *args, **kwargs):
 system_id = actions[0]["system_id"]
 action_ids = [a["id"] for a in actions]
 
+ # 校验系统管理员权限
+ if request.role.type == RoleType.SYSTEM_MANAGER.value and request.role.code != system_id:
+ raise error_codes.FORBIDDEN
+
 self.biz.batch_create_or_update_action_sensitivity_level(
 system_id, action_ids, sensitivity_level, request.user.username
 )
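Review bot: The comment `# 校验系统管理员权限` above the new guard in create() says only that a check happens, not what it enforces or why roles other than SYSTEM_MANAGER fall through; `# A system manager (role.code is its system id) may only edit actions of its own system; other role types are not restricted here` would tell the next reader the actual rule. The guard itself is sufficient for the write that follows, since `batch_create_or_update_action_sensitivity_level` only receives the `system_id` taken from `actions[0]`; the `system_id` fields of the remaining entries are never compared with it, so a mixed-system payload is silently attributed to the first entry's system — pre-existing, but worth a serializer-level check if action ids are not unique across systems (not visible here). That `role.code` holds the managed system's id is inferred from the account view hunk, not shown in this one. The body of create() starts before this hunk.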
diff --git a/saas/backend/apps/role/constants.py b/saas/backend/apps/role/constants.py
index cc8e263cb..65d91bc90 100644
--- a/saas/backend/apps/role/constants.py
+++ b/saas/backend/apps/role/constants.py
@@ -35,6 +37,8 @@
 PermissionCodeEnum.MANAGE_COMMON_ACTION.value,
 PermissionCodeEnum.MANAGE_SYSTEM_MANAGER_MEMBER.value,
 PermissionCodeEnum.MANAGE_ROLE_GROUP_MEMBER.value,
+ PermissionCodeEnum.VIEW_AUTHORIZED_SUBJECTS.value,
+ PermissionCodeEnum.MANAGE_SENSITIVITY_LEVEL.value,
 ],
 RoleType.GRADE_MANAGER.value: [
 PermissionCodeEnum.MANAGE_GROUP.value,
diff --git a/saas/backend/apps/role/views/permission_audit.py b/saas/backend/apps/role/views/permission_audit.py
index 92e7e455c..3cfddca8b 100644
--- a/saas/backend/apps/role/views/permission_audit.py
+++ b/saas/backend/apps/role/views/permission_audit.py
@@ -16,7 +16,8 @@
 from backend.account.permissions import RolePermission
 from backend.apps.role.serializers import AuthorizedSubjectsSLZ, QueryAuthorizedSubjectsSLZ
 from backend.biz.permission_audit import QueryAuthorizedSubjects
-from backend.service.constants import PermissionCodeEnum
+from backend.common import error_codes
+from backend.service.constants import PermissionCodeEnum, RoleType
 from backend.util.time import format_localtime
 
 
@@ -38,6 +39,11 @@ def post(self, request, *args, **kwargs):
 serializer = QueryAuthorizedSubjectsSLZ(data=request.data)
 serializer.is_valid(raise_exception=True)
 data = serializer.validated_data
+
+ # 校验系统管理员权限
+ if request.role.type == RoleType.SYSTEM_MANAGER.value and request.role.code != data["system_id"]:
+ raise error_codes.FORBIDDEN
+
 subjects = QueryAuthorizedSubjects(data).query_by_permission_type()
 return Response(subjects)
 
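Review bot: The two codes added to the SYSTEM_MANAGER list are granted to every system manager regardless of which system it administers; the per-system restriction is enforced only by the `request.role.code != system_id` checks this patch adds to individual views, not by the permission code itself. A one-line comment on these entries would keep a future endpoint author from assuming the code alone is sufficient: `# scoped per system in the views: a system manager may only target the system matching role.code`. The enclosing mapping starts before this hunk.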
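Review bot: The new import `from backend.common import error_codes` differs from the approval view in this same patch, which uses `from backend.common.error_codes import error_codes`; if `backend.common.error_codes` is a module and the `error_codes` object lives inside it (which the approval import suggests), then `error_codes.FORBIDDEN` in post() and export() resolves against the module and raises AttributeError — a 500 instead of the intended 403 — unless `backend.common` re-exports the object. Please align it to `from backend.common.error_codes import error_codes`, or confirm the re-export exists.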
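Review bot: The guard added to post() is repeated verbatim in export() below and in the approval view, so the rule "a system manager may only act on the system matching role.code" now lives in three places and a fourth endpoint can easily omit it. A small helper (next to these views, or in backend.account.permissions where RolePermission already lives) keeps the rule in one place and gives its explanation a home; the rewritten lines are below. Roles other than SYSTEM_MANAGER pass through unchanged, which looks intended but deserves a sentence in the docstring; that `role.code` is the managed system's id is inferred from the account view hunk. post() starts before this hunk, and export()'s hunk is cut off at the end of this chunk.
```python
def check_system_manager_scope(role, system_id: str) -> None:
    """Reject a system manager acting on a system other than its own.

    Only RoleType.SYSTEM_MANAGER is restricted (role.code must equal the
    target system id); every other role type passes through untouched.
    """
    if role.type == RoleType.SYSTEM_MANAGER.value and role.code != system_id:
        raise error_codes.FORBIDDEN


# … unchanged: view class, decorators, serializer validation …
        check_system_manager_scope(request.role, data["system_id"])
```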
@@ -52,6 +58,10 @@ def export(self, request, *args, **kwargs):
 serializer.is_valid(raise_exception=True)
 data = serializer.validated_data
 
+ # 校验系统管理员权限
+ if request.role.type == RoleType.SYSTEM_MANAGER.value and request.role.code != data["system_id"]:
+ raise error_codes.FORBIDDEN
+
 exported_file_name = f'{data["system_id"]}_{format_localtime()}'
 response = QueryAuthorizedSubjects(data).export(exported_file_name)