fix: A user with a custom regular user role grants a folder to another user, including all sub-resources, but the sub-resources are not successfully authorized after the grant.

This commit is contained in:
zhangzhanwei 2025-12-30 15:53:58 +08:00 committed by zhanweizhang7
parent 83524c053c
commit 018f4763ea
2 changed files with 27 additions and 4 deletions


@ -25,6 +25,20 @@ from tools.serializers.tool_folder import ToolFolderTreeSerializer
from users.serializers.user import is_workspace_manage
def has_exact_permission_by_role(user_id: str, workspace_id: str, permission_id: str):
workspace_user_role_mapping_model = DatabaseModelManage.get_model("workspace_user_role_mapping")
role_permission_mapping_model = DatabaseModelManage.get_model("role_permission_mapping_model")
is_x_pack_ee = workspace_user_role_mapping_model is not None and role_permission_mapping_model is not None
if is_x_pack_ee:
return QuerySet(workspace_user_role_mapping_model).select_related('role', 'user').filter(
Q(role__rolepermission__permission_id=permission_id) | Q(role__internal=True),
workspace_id=workspace_id,
user_id=user_id,
role__type=RoleConstants.USER.value.__str__(),
).exists()
return False
def get_source_type(source):
if source == Group.TOOL.name:
return Tool
@ -338,7 +352,7 @@ class FolderTreeSerializer(serializers.Serializer):
if name is not None:
base_q &= Q(name__contains=name)
if not workspace_manage:
having_read_permission_by_role = self._having_read_permission_by_role(user_id, workspace_id, source)
having_read_permission_by_role = has_exact_permission_by_role(user_id, workspace_id, f"{source}_FOLDER:READ")
permission_condition = ['VIEW']
if having_read_permission_by_role:
permission_condition = ['VIEW', 'ROLE']
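Review bot: `has_exact_permission_by_role` (first hunk) has no docstring, and its contract is not obvious from its name: it also answers True for any role flagged `internal=True` regardless of `permission_id`, and it returns False outright when either EE model is not registered. Suggested docstring: `"""Return True if *user_id* holds a USER-type role in *workspace_id* that carries *permission_id* (e.g. ``f"{source}_FOLDER:READ"``) or is marked internal; False when the EE role models are not registered."""`. A why-comment on the `Q(role__internal=True)` branch would help as well, since from the hunk alone it is not clear that internal roles are meant to bypass the per-permission check, and that branch decides whether `ROLE` is added to `permission_condition` in the second hunk. As a style point, `RoleConstants.USER.value.__str__()` reads more naturally as `str(RoleConstants.USER.value)`. The FolderTreeSerializer method in the second hunk starts and ends outside it.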


@ -446,7 +446,7 @@ class ResourceUserPermissionSerializer(serializers.Serializer):
))
return resource_user_permission_page_list
def get_has_manage_permission_resource_under_folders(self, current_user_id, folder_ids):
def get_has_manage_permission_resource_under_folders(self, current_user_id, folder_ids, has_role_exact_permission:bool):
workspace_id = self.data.get("workspace_id")
auth_target_type = self.data.get("auth_target_type")
@ -459,12 +459,16 @@ class ResourceUserPermissionSerializer(serializers.Serializer):
id_str=Cast('id', TextField())
).values_list("id_str", flat=True)
else:
permission_list = ['MANAGE']
if has_role_exact_permission:
permission_list = ['MANAGE','ROLE']
current_user_managed_resources_ids = QuerySet(WorkspaceUserResourcePermission).filter(
workspace_id=workspace_id, user_id=current_user_id, auth_target_type=auth_target_type,
target__in=QuerySet(resource_model).filter(workspace_id=workspace_id, folder__in=folder_ids).annotate(
id_str=Cast('id', TextField())
).values_list("id_str", flat=True),
permission_list__contains=['MANAGE']).values_list('target', flat=True)
permission_list__overlap= permission_list).values_list('target', flat=True)
return current_user_managed_resources_ids
@ -485,8 +489,13 @@ class ResourceUserPermissionSerializer(serializers.Serializer):
# 删除已存在的对应的用户在该资源下的权限
if include_children:
from folders.serializers.folder import has_exact_permission_by_role
permission_id = f"{auth_target_type}:READ+AUTH"
has_user_role_exact_permission = has_exact_permission_by_role(current_user_id,workspace_id,permission_id)
managed_resource_ids = list(
self.get_has_manage_permission_resource_under_folders(current_user_id, folder_ids)) + folder_ids
self.get_has_manage_permission_resource_under_folders(current_user_id, folder_ids,has_user_role_exact_permission)) + folder_ids
else:
managed_resource_ids = [target]
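Review bot: `get_has_manage_permission_resource_under_folders` (first hunk) now takes a required positional `has_role_exact_permission`, so any caller other than the one updated in the third hunk would fail with a TypeError; a default, `has_role_exact_permission: bool = False`, keeps the old call shape and the old `MANAGE`-only behaviour. With the flag set, `permission_list__overlap=permission_list` in the second hunk treats a resource as manageable when its row carries only `ROLE`, which is wider than the previous `__contains=['MANAGE']`; that appears to rely on the workspace-level `f"{auth_target_type}:READ+AUTH"` role check in the third hunk being the only way a `ROLE` marker confers manage rights, which is not visible here and is worth a comment on the `permission_list = ['MANAGE', 'ROLE']` line. The in-function `from folders.serializers.folder import has_exact_permission_by_role` looks like a circular-import workaround and deserves a one-line comment saying so. The enclosing methods start and end outside these hunks.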