diff --git a/api/lib/cmdb/ci_type.py b/api/lib/cmdb/ci_type.py index 6f858af..3af4ebf 100644 --- a/api/lib/cmdb/ci_type.py +++ b/api/lib/cmdb/ci_type.py @@ -112,7 +112,7 @@ class CITypeManager(object): def delete(cls, type_id): ci_type = cls.check_is_existed(type_id) - if CI.get_by(type_id=type_id, first=True, to_dict=False): + if CI.get_by(type_id=type_id, first=True, to_dict=False) is not None: return abort(400, "cannot delete, because CI instance exists") for item in CITypeRelation.get_by(parent_id=type_id, to_dict=False): diff --git a/api/lib/perm/acl/acl.py b/api/lib/perm/acl/acl.py index 7bc183e..e40a9bd 100644 --- a/api/lib/perm/acl/acl.py +++ b/api/lib/perm/acl/acl.py @@ -120,12 +120,15 @@ def has_perm(resources, resource_type, perm): return decorator_has_perm -def is_app_admin(): +def is_app_admin(app=None): if RoleEnum.CONFIG in session.get("acl", {}).get("parentRoles", []): return True + app = app or 'cmdb' + app_id = AppCache.get(app).id + for role in session.get("acl", {}).get("parentRoles", []): - if RoleCache.get(role).is_app_admin: + if RoleCache.get_by_name(app_id, role).is_app_admin: return True return False @@ -162,7 +165,7 @@ def role_required(role_name): return if current_app.config.get("USE_ACL"): - if role_name not in session.get("acl", {}).get("parentRoles", []): + if role_name not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin(): return abort(403, "Role {0} is required".format(role_name)) return func(*args, **kwargs) diff --git a/api/tasks/cmdb.py b/api/tasks/cmdb.py index 357ddc0..36853eb 100644 --- a/api/tasks/cmdb.py +++ b/api/tasks/cmdb.py @@ -46,6 +46,8 @@ def ci_delete(ci_id): @celery.task(name="cmdb.ci_relation_cache", queue=CMDB_QUEUE) def ci_relation_cache(parent_id, child_id): + db.session.close() + children = rd.get([parent_id], REDIS_PREFIX_CI_RELATION)[0] children = json.loads(children) if children is not None else {}