Skip to content

Commit

Permalink
Fixes
Browse files Browse the repository at this point in the history 
- Race condition in admin_user
- More restrictive permission check in AccountView
  • Loading branch information
@taoky
taoky committed Oct 15, 2023
1 parent dd2caa3 commit 50ca579
Show file tree
Hide file tree
Showing 2 changed files with 23 additions and 25 deletions.
27 changes: 13 additions & 14 deletions frontend/templates/admin_user.html
View file
Original file line number Diff line number Diff line change
Expand Up @@ -23,15 +23,15 @@ <h2 v-else>正在创建</h2>
<div class="form-row">
<a :href="`/admin/auth/user/${opened.pk}/change`">跳转到 Django 用户模型页面(配置权限)……</a>
</div>
<div class="form-row" v-if="account_pks.length > 0">
<a :href="`/admin/frontend/account/${account}/change`" v-for="account in account_pks">跳转到 Account 模型页面(查看登录方式信息)……</a>
<div class="form-row" v-if="account_pks[opened.pk]">
<a :href="`/admin/frontend/account/${account}/change`" v-for="account in account_pks[opened.pk]">跳转到 Account 模型页面(查看登录方式信息)……</a>
</div>
<div class="form-row" v-if="account_pks.length > 0">
<a @click.prevent="get_accountlog" href="#">显示 AccountLog 记录</a>
<ul v-if="accountlog && accountlog.length > 0">
<li v-for="log in accountlog">{{ log.content_type }}: {{ log.contents }}</li>
<div class="form-row" v-if="account_pks[opened.pk] && account_pks[opened.pk].length > 0">
<a @click.prevent="get_accountlog" href="#">获取 AccountLog 记录</a>
<ul v-if="accountlog[opened.pk] && accountlog[opened.pk].length > 0">
<li v-for="log in accountlog[opened.pk]">{{ log.content_type }}: {{ log.contents }}</li>
</ul>
<p v-else-if="accountlog">(无结果)</p>
<p v-else-if="accountlog[opened.pk]">(无结果)</p>
</div>
<div class="form-row">
<label for="form-name">姓名:</label>
Expand Down Expand Up @@ -176,8 +176,8 @@ <h2 v-else>正在创建</h2>
filters: {
group: null,
},
account_pks: [],
accountlog: undefined,
account_pks: {},
accountlog: {},
},
created() {
this.refresh();
Expand All @@ -204,11 +204,9 @@ <h2 v-else>正在创建</h2>
},
open(obj) {
this.opened = {...obj};
this.account_pks = [];
this.accountlog = undefined;
axios.post('/account/', {method: 'account_pk', user: obj.pk})
.then(({data: {value}}) => {
this.account_pks = value;
this.$set(this.account_pks, obj.pk, value)
})
.catch(({response: {data: {error}}}) => {
alert(error && error.message);
Expand All @@ -229,9 +227,10 @@ <h2 v-else>正在创建</h2>
});
},
get_accountlog() {
axios.post('/account/', {method: 'accountlog', user: this.opened.pk})
const pk = this.opened.pk;
axios.post('/account/', {method: 'accountlog', user: pk})
.then(({data: {value}}) => {
this.accountlog = value;
this.$set(this.accountlog, pk, value);
})
.catch(({response: {data: {error}}}) => {
alert(error && error.message);
Expand Down
21 changes: 10 additions & 11 deletions frontend/views.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -272,21 +272,20 @@ def post(self, request):
body = json.loads(request.body)
method = body['method']
user_pk = body['user']
# Check permission
try:
context = Context.from_request(request)
target_user = User.get(context, user_pk)
User.test_permission(context, 'user.full', 'user.view', f'user.view_{target_user.group}')
except PermissionRequired as e:
j = e.json
j['message'] = '您目前没有权限查看此项'
return JsonResponse({'error': j}, status=400)

accounts = Account.objects.filter(user__pk=user_pk)
if method == "account_pk":
return JsonResponse({'value': [i.pk for i in accounts]})
elif method == "accountlog":
# Check permission
try:
context = Context.from_request(request)
if request.user.pk is None:
raise PermissionRequired()
target_user = User.get(context, user_pk)
User.test_permission(context, 'user.full', 'user.view', f'user.view_{target_user.group}')
except PermissionRequired as e:
j = e.json
j['message'] = '您目前没有权限查看此项'
return JsonResponse({'error': j}, status=400)
logs = list(AccountLog.objects.filter(account__in=accounts).values('content_type', 'contents'))
return JsonResponse({'value': logs})

Expand Down

0 comments on commit 50ca579

Please sign in to comment.