diff --git a/apps/folders/serializers/folder.py b/apps/folders/serializers/folder.py
index 3b8f66591..fdfef4368 100644
--- a/apps/folders/serializers/folder.py
+++ b/apps/folders/serializers/folder.py
@@ -25,6 +25,20 @@ from tools.serializers.tool_folder import ToolFolderTreeSerializer
 from users.serializers.user import is_workspace_manage
+def has_exact_permission_by_role(user_id: str, workspace_id: str, permission_id: str):
+ workspace_user_role_mapping_model = DatabaseModelManage.get_model("workspace_user_role_mapping")
+ role_permission_mapping_model = DatabaseModelManage.get_model("role_permission_mapping_model")
+ is_x_pack_ee = workspace_user_role_mapping_model is not None and role_permission_mapping_model is not None
+ if is_x_pack_ee:
+ return QuerySet(workspace_user_role_mapping_model).select_related('role', 'user').filter(
+ Q(role__rolepermission__permission_id=permission_id) | Q(role__internal=True),
+ workspace_id=workspace_id,
+ user_id=user_id,
+ role__type=RoleConstants.USER.value.__str__(),
+ ).exists()
+
+ return False
+
 def get_source_type(source):
 if source == Group.TOOL.name:
 return Tool
@@ -338,7 +352,7 @@ class FolderTreeSerializer(serializers.Serializer):
 if name is not None:
 base_q &= Q(name__contains=name)
 if not workspace_manage:
- having_read_permission_by_role = self._having_read_permission_by_role(user_id, workspace_id, source)
+ having_read_permission_by_role = has_exact_permission_by_role(user_id, workspace_id, f"{source}_FOLDER:READ")
 permission_condition = ['VIEW']
 if having_read_permission_by_role:
 permission_condition = ['VIEW', 'ROLE']
diff --git a/apps/system_manage/serializers/user_resource_permission.py b/apps/system_manage/serializers/user_resource_permission.py
index 093f75457..282988a48 100644
--- a/apps/system_manage/serializers/user_resource_permission.py
+++ b/apps/system_manage/serializers/user_resource_permission.py
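Review bot: The two registry keys in `has_exact_permission_by_role` are named inconsistently — `"workspace_user_role_mapping"` carries no suffix while the second lookup uses `"role_permission_mapping_model"` — and if that second key does not match what `DatabaseModelManage` registers, `is_x_pack_ee` is always False and every role-based grant silently fails closed; please confirm the key against the registry. The function also has no docstring, and the `Q(role__internal=True)` alternative means a USER-type role marked internal satisfies the check regardless of `permission_id`, which a caller cannot tell from the name; I would add `-> bool` and a docstring such as `"""Return True if the user holds a USER-type role in this workspace that either carries permission_id or is marked internal (internal roles bypass the permission lookup); False when the role tables are not installed."""`. Minor: `RoleConstants.USER.value.__str__()` reads better as `str(RoleConstants.USER.value)`.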
@@ -446,7 +446,7 @@ class ResourceUserPermissionSerializer(serializers.Serializer):
 ))
 return resource_user_permission_page_list
- def get_has_manage_permission_resource_under_folders(self, current_user_id, folder_ids):
+ def get_has_manage_permission_resource_under_folders(self, current_user_id, folder_ids, has_role_exact_permission:bool):
 workspace_id = self.data.get("workspace_id")
 auth_target_type = self.data.get("auth_target_type")
@@ -459,12 +459,16 @@ class ResourceUserPermissionSerializer(serializers.Serializer):
 id_str=Cast('id', TextField())
 ).values_list("id_str", flat=True)
 else:
+ permission_list = ['MANAGE']
+ if has_role_exact_permission:
+ permission_list = ['MANAGE','ROLE']
+
 current_user_managed_resources_ids = QuerySet(WorkspaceUserResourcePermission).filter(
 workspace_id=workspace_id,
 user_id=current_user_id,
 auth_target_type=auth_target_type,
 target__in=QuerySet(resource_model).filter(workspace_id=workspace_id, folder__in=folder_ids).annotate(
 id_str=Cast('id', TextField())
 ).values_list("id_str", flat=True),
- permission_list__contains=['MANAGE']).values_list('target', flat=True)
+ permission_list__overlap= permission_list).values_list('target', flat=True)
 return current_user_managed_resources_ids
@@ -485,8 +489,13 @@ class ResourceUserPermissionSerializer(serializers.Serializer):
 # 删除已存在的对应的用户在该资源下的权限
 if include_children:
+ from folders.serializers.folder import has_exact_permission_by_role
+
+ permission_id = f"{auth_target_type}:READ+AUTH"
+ has_user_role_exact_permission = has_exact_permission_by_role(current_user_id,workspace_id,permission_id)
+
 managed_resource_ids = list(
- self.get_has_manage_permission_resource_under_folders(current_user_id, folder_ids)) + folder_ids
+ self.get_has_manage_permission_resource_under_folders(current_user_id, folder_ids,has_user_role_exact_permission)) + folder_ids
 else:
 managed_resource_ids = [target]
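Review bot: The new `has_role_exact_permission:bool` parameter of `get_has_manage_permission_resource_under_folders` is a required positional argument, so any caller not updated in this diff (only the include_children call site is) will now raise TypeError. Making it keyword-only with a fail-closed default keeps existing callers working and keeps the narrower `['MANAGE']` behaviour for them: `def get_has_manage_permission_resource_under_folders(self, current_user_id, folder_ids, *, has_role_exact_permission: bool = False):`. That also fixes the PEP 8 spacing after the colon. The method body continues past the end of the hunk.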
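Review bot: Switching from `permission_list__contains=['MANAGE']` to `permission_list__overlap=permission_list` changes the lookup from "holds every listed entry" to "shares any entry"; for `['MANAGE']` alone the two are equivalent, but with `['MANAGE','ROLE']` a resource whose permission_list holds only `'ROLE'` is now treated as managed by the user, and nothing in the code says why. A one-line comment above `permission_list = ['MANAGE']` would make the intent auditable: `# 'ROLE' entries delegate access to the user's role; count them as manage only when the role itself holds the exact permission (has_role_exact_permission)`. The three-line branch can also collapse to `permission_list = ['MANAGE', 'ROLE'] if has_role_exact_permission else ['MANAGE']`, and the keyword argument should read `permission_list__overlap=permission_list` without the stray space. The enclosing method starts before this hunk.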
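Review bot: The function-scope `from folders.serializers.folder import has_exact_permission_by_role` has no comment explaining why it is not at module top; presumably it sidesteps a circular import between the folders and system_manage apps, and if so that should be stated (`# local import: folders.serializers.folder imports from this app (circular import)`), otherwise the import belongs at the top of the file with the others. Note also that the role check here is for `f"{auth_target_type}:READ+AUTH"` while what it unlocks is MANAGE over child resources marked `'ROLE'`; if READ+AUTH on the type is meant to imply manage over role-delegated children, a short comment at `permission_id = ...` saying so would stop a later reader from tightening or loosening it by accident. Minor: `has_exact_permission_by_role(current_user_id, workspace_id, permission_id)` and the call on the next added line want spaces after the commas. The enclosing method starts before this hunk and likely continues after it.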