From 4205dc902fba41f94f5b64b330c7c1ba5ccdd218 Mon Sep 17 00:00:00 2001 From: shaohuzhang1 <80892890+shaohuzhang1@users.noreply.github.com> Date: Wed, 18 Jun 2025 13:33:49 +0800 Subject: [PATCH] fix: permission (#3292) --- apps/common/auth/handle/impl/user_token.py | 27 +++++++++++++--------- apps/users/views/user.py | 4 ++-- ui/src/router/modules/system.ts | 2 +- 3 files changed, 19 insertions(+), 14 deletions(-) diff --git a/apps/common/auth/handle/impl/user_token.py b/apps/common/auth/handle/impl/user_token.py index 42821ed04..1da6ef2c9 100644 --- a/apps/common/auth/handle/impl/user_token.py +++ b/apps/common/auth/handle/impl/user_token.py @@ -151,13 +151,13 @@ def get_permission_list(user, workspace_user_role_mapping_list = QuerySet(workspace_user_role_mapping_model).filter(user_id=user_id) workspace_user_role_mapping_dict = group_by(workspace_user_role_mapping_list, lambda item: item.workspace_id) + role_id_list = list(set([workspace_user_role_mapping.role_id for workspace_user_role_mapping in + workspace_user_role_mapping_list])) # 获取角色权限映射数据 role_permission_mapping_list = QuerySet(role_permission_mapping_model).filter( - role_id__in=[workspace_user_role_mapping.role_id for workspace_user_role_mapping in - workspace_user_role_mapping_list]) - system_role_permission_mapping_list = get_default_role_permission_mapping_list() + role_id__in=role_id_list) role_permission_mapping_dict = group_by( - [*role_permission_mapping_list, *system_role_permission_mapping_list], lambda item: item.role_id) + role_permission_mapping_list, lambda item: item.role_id) workspace_user_permission_list = QuerySet(WorkspaceUserResourcePermission).filter( workspace_id__in=[workspace_user_role.workspace_id for workspace_user_role in 
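Review bot: The built-in role mappings from `get_default_role_permission_mapping_list()` no longer enter `role_permission_mapping_dict` in this hunk, so `get_workspace_permission_list` stops seeing them, and the next hunk (`@@ -170`) re-adds them only as bare `permission_id` values. That drops the link between a default-role permission and the workspace in which the role is held; whether a bare id then counts as a grant in every workspace depends on the permission checker, which is not visible here. I would confirm this against the checker and add a test with a user who holds a built-in role in one workspace and no role in another. A comment beside `role_id_list`, such as `# role ids the user holds in any workspace; used to filter built-in role permissions`, would record the intent. `get_permission_list` starts and ends outside this hunk.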
@@ -170,11 +170,15 @@ def get_permission_list(user, workspace_permission_list = get_workspace_permission_list(role_permission_mapping_dict, workspace_user_role_mapping_list) + system_role_permission_mapping_list = list(set([role_permission.permission_id for role_permission in + get_default_role_permission_mapping_list() if + role_id_list.__contains__(role_permission.role_id)])) # 系统权限 system_permission_list = [role_permission_mapping.permission_id for role_permission_mapping in role_permission_mapping_list] # 合并权限 - permission_list = system_permission_list + workspace_permission_list + workspace_resource_permission_list + permission_list = system_permission_list + workspace_permission_list + workspace_resource_permission_list + system_role_permission_mapping_list + permission_list = list(set(permission_list)) cache.set(key, permission_list, version=version) else: workspace_id_list = ['default'] @@ -199,6 +203,7 @@ def get_permission_list(user, [user.role].__contains__(role_permission_mapping.role_id)] # 合并权限 permission_list = system_permission_list + workspace_permission_list + workspace_resource_permission_list + permission_list = list(set(permission_list)) cache.set(key, permission_list, version=version) return permission_list 
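Review bot: `system_role_permission_mapping_list` now holds permission ids rather than mapping objects, and its filter spells membership as `role_id_list.__contains__(role_permission.role_id)` against a list. I would rename it (for example `default_role_permission_id_list`) and write the condition as `role_permission.role_id in role_id_set` with `role_id_set = set(role_id_list)`, which reads as ordinary Python and avoids a linear scan per mapping. `list(set(permission_list))`, here and in the `@@ -199` hunk, also makes the order of the cached list arbitrary; `list(dict.fromkeys(permission_list))` de-duplicates while keeping order, in case anything downstream compares or logs the list. The enclosing branch of `get_permission_list` starts outside the hunk.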
@@ -220,13 +225,13 @@ def get_role_list(user, if is_query_model: # 获取工作空间 用户 角色映射数据 workspace_user_role_mapping_list = QuerySet(workspace_user_role_mapping_model).filter(user_id=user.id) - workspace_list = [ - f"{workspace_user_role_mapping.role_id}:/WORKSPACE/{workspace_user_role_mapping.workspace_id}" - for - workspace_user_role_mapping in - workspace_user_role_mapping_list] + [user.role] + role_list = [ + f"{workspace_user_role_mapping.role_id}:/WORKSPACE/{workspace_user_role_mapping.workspace_id}" + for + workspace_user_role_mapping in + workspace_user_role_mapping_list] + [user.role] cache.set(key, workspace_list, version=version) - return workspace_list + return role_list else: role_list = [user.role] if user.role == RoleConstants.ADMIN.value.__str__(): diff --git a/apps/users/views/user.py b/apps/users/views/user.py index f753ddfeb..f99e8be44 100644 --- a/apps/users/views/user.py +++ b/apps/users/views/user.py @@ -16,7 +16,7 @@ from rest_framework.views import APIView from common.auth.authenticate import TokenAuth from common.auth.authentication import has_permissions from common.constants.cache_version import Cache_Version -from common.constants.permission_constants import PermissionConstants, Permission, Group, Operate +from common.constants.permission_constants import PermissionConstants, Permission, Group, Operate, RoleConstants from common.log.log import log from common.result import result from maxkb.const import CONFIG @@ -164,7 +164,7 @@ class UserManage(APIView): tags=[_("User Management")], # type: ignore request=UserProfileAPI.get_request(), responses=UserProfileAPI.get_response()) - @has_permissions(PermissionConstants.USER_CREATE) + @has_permissions(PermissionConstants.USER_CREATE, RoleConstants.ADMIN) @log(menu='User management', operate='Add user', get_operation_object=lambda r, k: {'name': r.data.get('username', None)}) def post(self, request: Request): 
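Review bot: `cache.set(key, workspace_list, version=version)` is left unchanged while the list it refers to is renamed to `role_list`, so unless `workspace_list` is bound earlier in `get_role_list` (outside this hunk) the `is_query_model` branch raises `NameError` on every cache miss. Since this file is the token-auth handler, role resolution would presumably fail for any request not served from cache instead of returning a role list. The line should read `cache.set(key, role_list, version=version)`, and a test that calls `get_role_list` with an empty cache would catch the regression.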
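Review bot: `@has_permissions(PermissionConstants.USER_CREATE, RoleConstants.ADMIN)` on `UserManage.post` changes who may create users, but how `has_permissions` combines its arguments is not visible in this diff. If the arguments are alternatives, any holder of the ADMIN role can now create accounts without `USER_CREATE`; if all are required, existing `USER_CREATE` holders without ADMIN lose access. I would add a comment above the decorator stating the intended rule, e.g. `# allowed for USER_CREATE holders or the ADMIN role`, and a view test for a caller with neither, expecting a denial. The other handlers of `UserManage` are outside the hunk, so whether they need the same change cannot be judged here.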
diff --git a/ui/src/router/modules/system.ts b/ui/src/router/modules/system.ts index 4c4786793..26cc54798 100644 --- a/ui/src/router/modules/system.ts +++ b/ui/src/router/modules/system.ts @@ -2,7 +2,7 @@ import { PermissionConst, EditionConst, RoleConst } from '@/utils/permission/dat const systemRouter = { path: '/system', name: 'system', - meta: { title: 'views.system.title', permission: 'USER_MANAGEMENT:READ' }, + meta: { title: 'views.system.title' }, hidden: true, component: () => import('@/layout/layout-template/SystemMainLayout.vue'), children: [
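Review bot: Dropping `permission: 'USER_MANAGEMENT:READ'` from the `/system` route's `meta` leaves the parent route without a guard, so access to the system section now rests on each child route's own `meta.permission`; the `children` array is outside this hunk. I would check that every child declares one, and add a comment such as `// no parent permission: each child route declares its own` so the omission reads as deliberate. Route meta only controls what the UI shows in any case; the endpoints behind these views need the matching `has_permissions` check on the server.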