From 50ca579396a19e6184cb1c6eb7f2685159b800d7 Mon Sep 17 00:00:00 2001
From: taoky
Date: Sun, 15 Oct 2023 15:03:42 +0800
Subject: [PATCH] Fixes - Race condition in admin_user - More restrictive permission check in AccountView
---
 frontend/templates/admin_user.html | 27 +++++++++++++--------------
 frontend/views.py | 21 ++++++++++-----------
 2 files changed, 23 insertions(+), 25 deletions(-)

diff --git a/frontend/templates/admin_user.html b/frontend/templates/admin_user.html
index bf49b6a..d77bf7a 100644
--- a/frontend/templates/admin_user.html
+++ b/frontend/templates/admin_user.html
@@ -23,15 +23,15 @@

正在创建

跳转到 Django 用户模型页面(配置权限)……
-
- 跳转到 Account 模型页面(查看登录方式信息)…… + -
- 显示 AccountLog 记录 -
    -
  • {{ log.content_type }}: {{ log.contents }}
  • +
    + 获取 AccountLog 记录 +
      +
    • {{ log.content_type }}: {{ log.contents }}
    -

    (无结果)

    +

    (无结果)

    @@ -176,8 +176,8 @@

    正在创建

 filters: {
 group: null,
 },
- account_pks: [],
- accountlog: undefined,
+ account_pks: {},
+ accountlog: {},
 },
 created() {
 this.refresh();
@@ -204,11 +204,9 @@

    正在创建

 },
 open(obj) {
 this.opened = {...obj};
- this.account_pks = [];
- this.accountlog = undefined;
 axios.post('/account/', {method: 'account_pk', user: obj.pk})
 .then(({data: {value}}) => {
- this.account_pks = value;
+ this.$set(this.account_pks, obj.pk, value)
 })
 .catch(({response: {data: {error}}}) => {
 alert(error && error.message);
@@ -229,9 +227,10 @@
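Review bot: `open(obj)` no longer resets the per-user state, so if the template now reads `account_pks[opened.pk]` (presumably, given the keyed `$set`), re-opening a user shows whatever that entry held from the previous visit until the new response arrives, and when the request fails only the alert fires and the stale list stays on screen; if that is not intended, drop the entry before the request with `this.$delete(this.account_pks, obj.pk);` (the same applies to `accountlog` in the `get_accountlog` hunk). Keying the callback by `obj.pk` does fix the overwrite race the commit describes, but neither map is ever pruned, so entries accumulate for every user opened during the page's lifetime. Style: `this.$set(this.account_pks, obj.pk, value)` lacks the trailing semicolon the surrounding statements use.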

    正在创建

 });
 },
 get_accountlog() {
- axios.post('/account/', {method: 'accountlog', user: this.opened.pk})
+ const pk = this.opened.pk;
+ axios.post('/account/', {method: 'accountlog', user: pk})
 .then(({data: {value}}) => {
- this.accountlog = value;
+ this.$set(this.accountlog, pk, value);
 })
 .catch(({response: {data: {error}}}) => {
 alert(error && error.message);
diff --git a/frontend/views.py b/frontend/views.py
index f3d1412..197387b 100644
--- a/frontend/views.py
+++ b/frontend/views.py
@@ -272,21 +272,20 @@ def post(self, request):
         body = json.loads(request.body)
         method = body['method']
         user_pk = body['user']
 
+        # Check permission
+        try:
+            context = Context.from_request(request)
+            target_user = User.get(context, user_pk)
+            User.test_permission(context, 'user.full', 'user.view', f'user.view_{target_user.group}')
+        except PermissionRequired as e:
+            j = e.json
+            j['message'] = '您目前没有权限查看此项'
+            return JsonResponse({'error': j}, status=400)
+
         accounts = Account.objects.filter(user__pk=user_pk)
         if method == "account_pk":
             return JsonResponse({'value': [i.pk for i in accounts]})
         elif method == "accountlog":
-            # Check permission
-            try:
-                context = Context.from_request(request)
-                if request.user.pk is None:
-                    raise PermissionRequired()
-                target_user = User.get(context, user_pk)
-                User.test_permission(context, 'user.full', 'user.view', f'user.view_{target_user.group}')
-            except PermissionRequired as e:
-                j = e.json
-                j['message'] = '您目前没有权限查看此项'
-                return JsonResponse({'error': j}, status=400)
             logs = list(AccountLog.objects.filter(account__in=accounts).values('content_type', 'contents'))
             return JsonResponse({'value': logs})
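Review bot: The explicit anonymous-user guard is dropped from the relocated check, so whether an unauthenticated request is rejected now rests entirely on `Context.from_request` / `User.test_permission`, which are not visible here; unless that is guaranteed, keep `if request.user.pk is None: raise PermissionRequired()` as the first statement inside the new `try`. `User.get(context, user_pk)` also runs before `test_permission`, so a nonexistent pk presumably fails differently from an existing one (an unhandled exception instead of the 400 permission response), which lets a caller lacking `user.view` tell valid user pks apart; catching that lookup failure and returning the same `{'error': ...}` body would close the gap. A denied authorization is answered with `status=400`; 403 is the conventional code and lets the frontend distinguish it from a malformed body. `post` may continue past the end of the hunk, so how an unknown `method` is handled is not visible here.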