feat: grademanager user can switch to subsetmanger (#2086)
zhu327 authored Jul 13, 2023
1 parent 8435ad4 commit b7014af
Showing 6 changed files with 23 additions and 7 deletions.
5 changes: 3 additions & 2 deletions saas/backend/account/role_auth.py
Expand Up @@ -9,7 +9,8 @@
specific language governing permissions and limitations under the License.
"""

from backend.apps.role.models import AnonymousRole, Role, RoleUser
from backend.apps.role.models import AnonymousRole, Role
from backend.biz.role import can_user_manage_role

ROLE_SESSION_KEY = "_auth_role_id"

Expand All @@ -24,7 +25,7 @@ def authenticate(request=None, role_id=0):
return AnonymousRole()

# 2. 用户的角色不存在, 返回staff
if role_id == 0 or not RoleUser.objects.user_role_exists(request.user.username, role_id):
if role_id == 0 or not can_user_manage_role(request.user.username, role_id):
return AnonymousRole()

# 3. 对于用户与角色关系认证通过的,返回对应的分级管理员(超级管理员和系统管理员是两类特殊的分级管理员)
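Review bot: The comment above the new check still says the user's role "does not exist" (用户的角色不存在), but the predicate is now can_user_manage_role, which also accepts a user who is only a member of the role's parent, so the comment no longer describes the branch; I would change it to `# 2. 用户不能管理该角色(既非直接成员, 也非其上级角色成员), 返回staff`. The comment above the matching check in saas/backend/account/views.py (create, "如果不存在对应的关系, 越权") is stale in the same way and should be updated together. Because authenticate is what binds the role to the session, this line is now the single authorization predicate for assuming a role, so the comment should state explicitly that indirect membership via the parent role is accepted on purpose. authenticate starts and ends outside the hunk.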
1 change: 1 addition & 0 deletions saas/backend/account/urls.py
Expand Up @@ -14,5 +14,6 @@

urlpatterns = [
path("user/", views.UserViewSet.as_view({"get": "retrieve"}), name="account.retrieve_user"),
# TODO 等前端替换为我的管理空间相关接口后, 这个list接口下掉
path("user/roles/", views.RoleViewSet.as_view({"get": "list", "post": "create"}), name="account.user_role"),
]
5 changes: 2 additions & 3 deletions saas/backend/account/views.py
Expand Up @@ -17,8 +17,7 @@
from rest_framework.viewsets import GenericViewSet

from backend.apps.organization.models import User
from backend.apps.role.models import RoleUser
from backend.biz.role import RoleBiz
from backend.biz.role import RoleBiz, can_user_manage_role
from backend.common.error_codes import error_codes

from .role_auth import ROLE_SESSION_KEY
Expand Down Expand Up @@ -76,7 +75,7 @@ def create(self, request, *args, **kwargs):
role_id = serializer.validated_data["id"]

# 切换为管理员时, 如果不存在对应的关系, 越权
if role_id != 0 and not RoleUser.objects.user_role_exists(request.user.username, role_id):
if role_id != 0 and not can_user_manage_role(request.user.username, role_id):
raise error_codes.FORBIDDEN.format(_("您没有该角色权限,无法切换到该角色"), True)

# 修改session
3 changes: 1 addition & 2 deletions saas/backend/apps/role/serializers.py
Expand Up @@ -266,8 +266,7 @@ def get_has_subset_manager(self, obj):
if not subset_manager_ids:
return False

# 查询子集管理员中是否有当前用户
return bool(set(subset_manager_ids) & set(self.user_role_ids))
return self.get_is_member(obj) # 如果是成员, 可以看到所有二级管理员


class GradeMangerDetailSLZ(BaseGradeMangerSLZ):
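Review bot: get_has_subset_manager now returns only `self.get_is_member(obj)` and drops the removed test of whether the user belongs to one of the subset managers (`set(subset_manager_ids) & set(self.user_role_ids)`), so, if I read the removed line correctly, a user who is a member of a subset manager but not of the grade manager is now reported as having no subset managers, while get_queryset in saas/backend/apps/role/views/role.py still lists the subset managers such a user has joined. If that asymmetry is unintended, keep the old path as a fallback: `return self.get_is_member(obj) or bool(set(subset_manager_ids) & set(self.user_role_ids))`. If it is intended, the trailing comment should say that non-member subset-manager users deliberately get False here, not only that members see everything. The method starts outside the hunk.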
4 changes: 4 additions & 0 deletions saas/backend/apps/role/views/role.py
Expand Up @@ -924,6 +924,10 @@ def get_queryset(self):
if not subset_manager_ids:
return Role.objects.none()

# 如果用户是分级管理员成员返回所有的二级管理员
if RoleUser.objects.user_role_exists(self.request.user.username, grade_manager_id):
return self.queryset.filter(id__in=subset_manager_ids)

# 筛选出用户加入的子集管理员id
role_ids = list(
RoleUser.objects.filter(role_id__in=subset_manager_ids, username=self.request.user.username).values_list(
12 changes: 12 additions & 0 deletions saas/backend/biz/role.py
Expand Up @@ -1227,3 +1227,15 @@ def _diff_conditions(
return False # 循环正常结束, tc不满足sc中的任意一条

return True


def can_user_manage_role(username: str, role_id: int) -> bool:
"""是否用户能管理角色"""
if RoleUser.objects.user_role_exists(username, role_id):
return True

relation = RoleRelation.objects.filter(role_id=role_id).first()
if not relation:
return False

return RoleUser.objects.user_role_exists(username, relation.parent_id)
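Review bot: can_user_manage_role consults a single level of RoleRelation and picks an arbitrary row via `.filter(role_id=role_id).first()` on an unordered queryset, so if a role can have more than one relation row the parent that is checked is not deterministic, and a deeper hierarchy would not be honoured; I cannot tell from the hunk whether either case exists, but since this function now gates both session authentication (role_auth.authenticate) and role switching (account.views.create), that assumption should be explicit. If role_id is unique in RoleRelation, `parent_id = RoleRelation.objects.filter(role_id=role_id).values_list("parent_id", flat=True).first()` followed by `return parent_id is not None and RoleUser.objects.user_role_exists(username, parent_id)` avoids loading the whole row and documents the one-row expectation. The one-line docstring should also spell out the contract: True when the user is a direct member of the role, or a member of the role's parent when a RoleRelation exists for it, plus a note that this is the authorization predicate used when a user assumes a role.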
