fix: 移除TICKET_ENABLED配置;系统设置API限制权限

wangtianguoa · Mar 11, 2022 · 8e2471c · 8e2471c
1 parent 224a9fb
commit 8e2471c
Show file tree

Hide file tree

Showing 5 changed files with 32 additions and 4 deletions.
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
@@ -390,7 +390,6 @@ class Config(dict):
         'HELP_DOCUMENT_URL': 'http://docs.jumpserver.org',
         'HELP_SUPPORT_URL': 'http://www.jumpserver.org/support/',
 
-        'TICKETS_ENABLED': True,
         'FORGOT_PASSWORD_URL': '',
         'HEALTH_CHECK_TOKEN': '',
     }

diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
@@ -119,7 +119,6 @@
 
 DATETIME_DISPLAY_FORMAT = '%Y-%m-%d %H:%M:%S'
 
-TICKETS_ENABLED = CONFIG.TICKETS_ENABLED
 REFERER_CHECK_ENABLED = CONFIG.REFERER_CHECK_ENABLED
 
 CONNECTION_TOKEN_ENABLED = CONFIG.CONNECTION_TOKEN_ENABLED

diff --git a/apps/settings/api/public.py b/apps/settings/api/public.py
@@ -43,7 +43,6 @@ def get_object(self):
                 "XPACK_LICENSE_INFO": get_xpack_license_info(),
                 "LOGIN_TITLE": self.get_login_title(),
                 "LOGO_URLS": self.get_logo_urls(),
-                "TICKETS_ENABLED": settings.TICKETS_ENABLED,
                 "PASSWORD_RULE": {
                     'SECURITY_PASSWORD_MIN_LENGTH': settings.SECURITY_PASSWORD_MIN_LENGTH,
                     'SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH': settings.SECURITY_ADMIN_USER_PASSWORD_MIN_LENGTH,

diff --git a/apps/settings/api/settings.py b/apps/settings/api/settings.py
@@ -41,9 +41,41 @@ class SettingsApi(generics.RetrieveUpdateAPIView):
         'tencent': serializers.TencentSMSSettingSerializer,
     }
 
+    rbac_category_permissions = {
+        # 'all': 'change_setting',
+        'basic': 'change_basic',
+        'terminal': 'change_terminal',
+        'security': 'change_security',
+        'ldap': 'change_auth',
+        'email': 'change_email',
+        'email_content': 'change_email',
+        'wecom': 'change_auth',
+        'dingtalk': 'change_auth',
+        'feishu': 'change_auth',
+        'auth': 'change_auth',
+        'oidc': 'change_auth',
+        'keycloak': 'change_auth',
+        'radius': 'change_auth',
+        'cas': 'change_auth',
+        'sso': 'change_auth',
+        'saml2': 'change_auth',
+        'clean': 'change_clean',
+        'other': 'change_other',
+        'sms': 'change_sms',
+        'alibaba': 'change_sms',
+        'tencent': 'change_sms',
+    }
+
     def get_queryset(self):
         return Setting.objects.all()
 
+    def check_permissions(self, request):
+        category = request.query_params.get('category', 'basic')
+        require_perm = self.rbac_category_permissions.get(category)
+        if not request.user.has_perm(require_perm):
+            self.permission_denied(request)
+        return super().check_permissions(request)
+
     def get_serializer_class(self):
         category = self.request.query_params.get('category', 'basic')
         default = serializers.BasicSettingSerializer

diff --git a/apps/settings/serializers/basic.py b/apps/settings/serializers/basic.py
@@ -41,7 +41,6 @@ class BasicSettingSerializer(serializers.Serializer):
         required=False, max_length=1024, allow_blank=True, allow_null=True, label=_("Global organization name"),
         help_text=_('The name of global organization to display')
     )
-    TICKETS_ENABLED = serializers.BooleanField(required=False, default=True, label=_("Enable tickets"))
     ANNOUNCEMENT_ENABLED = serializers.BooleanField(label=_('Enable announcement'), default=True)
     ANNOUNCEMENT = AnnouncementSerializer(label=_("Announcement"))