From 2cce2d5cf28520efbe5030ae0674852145121d82 Mon Sep 17 00:00:00 2001 From: pycook Date: Fri, 13 Mar 2020 10:30:21 +0800 Subject: [PATCH] Fix: permission management --- README.md | 10 +++++++++- cmdb-api/api/lib/perm/acl/resource.py | 3 +++ cmdb-api/api/lib/perm/acl/role.py | 9 ++++++--- cmdb-api/api/lib/perm/acl/user.py | 3 +++ 4 files changed, 21 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 62cabd2..3b7aadf 100644 --- a/README.md +++ b/README.md @@ -55,7 +55,7 @@ There are various ways of installing CMDB. - cache: redis - python: python2.7, >=python3.6 -### install +### Install - Start mysql, redis - Create mysql database: cmdb - Pull code @@ -101,6 +101,14 @@ There are various ways of installing CMDB. - start API: ```make api``` - start UI: ```make ui``` - start worker: ```make worker``` + +## Contributing + +1. Fork it +1. Create your feature branch (`git checkout -b my-feature`) +1. Commit your changes (`git commit -am 'Add some feature'`) +1. Push to the branch (`git push origin my-feature`) +1. Create new Pull Request ## DEMO diff --git a/cmdb-api/api/lib/perm/acl/resource.py b/cmdb-api/api/lib/perm/acl/resource.py index 977824b..4484f04 100644 --- a/cmdb-api/api/lib/perm/acl/resource.py +++ b/cmdb-api/api/lib/perm/acl/resource.py @@ -68,6 +68,9 @@ class ResourceTypeCRUD(object): def delete(cls, rt_id): rt = ResourceType.get_by_id(rt_id) or abort(404, "ResourceType <{0}> is not found".format(rt_id)) + if Resource.get_by(resource_type_id=rt_id): + return abort(400, "At least one instance of this type exists and cannot be deleted") + cls.update_perms(rt_id, [], rt.app_id) rt.soft_delete() diff --git a/cmdb-api/api/lib/perm/acl/role.py b/cmdb-api/api/lib/perm/acl/role.py index 08f58da..f19257c 100644 --- a/cmdb-api/api/lib/perm/acl/role.py +++ b/cmdb-api/api/lib/perm/acl/role.py 
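Review bot: The new guard in `ResourceTypeCRUD.delete` is a check-then-act sequence: `Resource.get_by(resource_type_id=rt_id)` runs before `cls.update_perms(rt_id, [], rt.app_id)` and `rt.soft_delete()` with no lock or transaction visible in the hunk. A resource created between the check and the soft delete would be left pointing at a deleted type whose permissions have already been cleared. The call also fetches every matching row only to test for emptiness; if `Resource.get_by` accepts the keywords that `User.get_by` is called with in user.py, `if Resource.get_by(resource_type_id=rt_id, to_dict=False, first=True):` would stop at the first hit. Whether `get_by` skips soft-deleted resources is not visible here and decides whether a type can be removed once its instances are soft-deleted, so a comment stating that would help. The method's decorator and the end of its body lie outside the hunk.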
@@ -47,7 +47,7 @@ class RoleRelationCRUD(object): def get_child_ids(rid): res = RoleRelation.get_by(parent_id=rid, to_dict=False) - return [i.parent_id for i in res] + return [i.child_id for i in res] @classmethod def recursive_parent_ids(cls, rid): @@ -77,10 +77,13 @@ class RoleRelationCRUD(object): return all_child_ids - @staticmethod - def add(parent_id, child_id): + @classmethod + def add(cls, parent_id, child_id): RoleRelation.get_by(parent_id=parent_id, child_id=child_id) and abort(400, "It's already existed") + if parent_id in cls.recursive_child_ids(child_id): + return abort(400, "Circulation inheritance!!!") + RoleRelationCache.clean(parent_id) RoleRelationCache.clean(child_id) diff --git a/cmdb-api/api/lib/perm/acl/user.py b/cmdb-api/api/lib/perm/acl/user.py index 7549236..778a852 100644 --- a/cmdb-api/api/lib/perm/acl/user.py +++ b/cmdb-api/api/lib/perm/acl/user.py @@ -75,6 +75,9 @@ class UserCRUD(object): @classmethod def delete(cls, uid): + if uid == g.user.uid: + return abort(400, "You cannot delete yourself") + user = User.get_by(uid=uid, to_dict=False, first=True) or abort(404, "User <{0}> does not exist".format(uid)) UserCache.clean(user)
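Review bot: `get_child_ids` has no docstring, and the bug fixed here (returning `i.parent_id` from rows already filtered by `parent_id=rid`) is the kind a one-line contract makes obvious; I would add `"""Return the child_id of every RoleRelation row whose parent_id is rid."""`. The cycle check added to `add` in the next hunk depends on `recursive_child_ids`, which presumably builds on this method, so a small regression test over a two-level chain would pin the direction. If RoleRelationCache holds lists derived from the old return value (its contents are not visible here), those entries need to be cleared when this ships.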
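Review bot: The cycle check in `add` does not cover `parent_id == child_id`. `cls.recursive_child_ids(child_id)` is only shown returning `all_child_ids`, and unless that list includes the starting id, a role can still be made its own parent. I would write the guard as `if parent_id == child_id or parent_id in cls.recursive_child_ids(child_id):`. The check and the insert are also not atomic, so two concurrent requests adding A→B and B→A can both pass, and a stale RoleRelationCache entry would widen that window if `recursive_child_ids` reads through the cache (not visible here); the code that walks the inheritance graph should therefore tolerate a loop rather than rely on this check alone. The rest of `add` continues past the hunk.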
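Review bot: The self-delete guard in `UserCRUD.delete` compares `uid` with `g.user.uid` before anything normalises `uid`. If the caller passes the route value as a string while `g.user.uid` is an integer (neither type is visible in the hunk), the comparison is always false and the guard is silently skipped. Comparing after the lookup avoids that: move the check below `user = User.get_by(uid=uid, to_dict=False, first=True)` and test `if user.uid == g.user.uid:`. The hunk shows no check that the caller may delete other accounts, which presumably lives in the view layer; a docstring on `delete` naming that expectation would help. The body of `delete` continues outside the hunk.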