feat: system manager add manger action permission (TencentBlueKing#2604)

Canway-shiisa · Apr 9, 2024 · 4b23630 · 4b23630
1 parent 6344356
commit 4b23630
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 3 deletions.
diff --git a/saas/backend/account/views.py b/saas/backend/account/views.py
@@ -41,7 +41,7 @@ def retrieve(self, request, *args, **kwargs):
             {
                 "timestamp": timestamp,
                 "username": user.username,
-                "role": {"type": role.type, "id": role.id, "name": role.name},
+                "role": {"type": role.type, "id": role.id, "name": role.name, "code": role.code},
                 "timezone": user.get_property("time_zone"),
                 "name": u.display_name if u else "",
             }

diff --git a/saas/backend/apps/approval/views.py b/saas/backend/apps/approval/views.py
@@ -26,7 +26,7 @@
 from backend.common.error_codes import error_codes
 from backend.common.serializers import SystemQuerySLZ
 from backend.service.action import ActionService
-from backend.service.constants import PermissionCodeEnum
+from backend.service.constants import PermissionCodeEnum, RoleType
 
 from .audit import (
     ActionSensitivityLevelAuditProvider,
@@ -253,6 +253,10 @@ def create(self, request, *args, **kwargs):
         system_id = actions[0]["system_id"]
         action_ids = [a["id"] for a in actions]
 
+        # 校验系统管理员权限
+        if request.role.type == RoleType.SYSTEM_MANAGER.value and request.role.code != system_id:
+            raise error_codes.FORBIDDEN
+
         self.biz.batch_create_or_update_action_sensitivity_level(
             system_id, action_ids, sensitivity_level, request.user.username
         )

diff --git a/saas/backend/apps/role/constants.py b/saas/backend/apps/role/constants.py
@@ -35,6 +35,8 @@
         PermissionCodeEnum.MANAGE_COMMON_ACTION.value,
         PermissionCodeEnum.MANAGE_SYSTEM_MANAGER_MEMBER.value,
         PermissionCodeEnum.MANAGE_ROLE_GROUP_MEMBER.value,
+        PermissionCodeEnum.VIEW_AUTHORIZED_SUBJECTS.value,
+        PermissionCodeEnum.MANAGE_SENSITIVITY_LEVEL.value,
     ],
     RoleType.GRADE_MANAGER.value: [
         PermissionCodeEnum.MANAGE_GROUP.value,

diff --git a/saas/backend/apps/role/views/permission_audit.py b/saas/backend/apps/role/views/permission_audit.py
@@ -16,7 +16,8 @@
 from backend.account.permissions import RolePermission
 from backend.apps.role.serializers import AuthorizedSubjectsSLZ, QueryAuthorizedSubjectsSLZ
 from backend.biz.permission_audit import QueryAuthorizedSubjects
-from backend.service.constants import PermissionCodeEnum
+from backend.common import error_codes
+from backend.service.constants import PermissionCodeEnum, RoleType
 from backend.util.time import format_localtime
 
 
@@ -38,6 +39,11 @@ def post(self, request, *args, **kwargs):
         serializer = QueryAuthorizedSubjectsSLZ(data=request.data)
         serializer.is_valid(raise_exception=True)
         data = serializer.validated_data
+
+        # 校验系统管理员权限
+        if request.role.type == RoleType.SYSTEM_MANAGER.value and request.role.code != data["system_id"]:
+            raise error_codes.FORBIDDEN
+
         subjects = QueryAuthorizedSubjects(data).query_by_permission_type()
         return Response(subjects)
 
@@ -52,6 +58,10 @@ def export(self, request, *args, **kwargs):
         serializer.is_valid(raise_exception=True)
         data = serializer.validated_data
 
+        # 校验系统管理员权限
+        if request.role.type == RoleType.SYSTEM_MANAGER.value and request.role.code != data["system_id"]:
+            raise error_codes.FORBIDDEN
+
         exported_file_name = f'{data["system_id"]}_{format_localtime()}'
         response = QueryAuthorizedSubjects(data).export(exported_file_name)