fix(api): topology view read permission

2024-05-29 11:34:02 +08:00 · 2024-05-29 11:34:02 +08:00 · 49bc5d94a9
parent 39354e1293
commit 49bc5d94a9
2 changed files with 8 additions and 4 deletions
--- a/cmdb-api/api/views/cmdb/topology.py
+++ b/cmdb-api/api/views/cmdb/topology.py
@ -127,10 +127,14 @@ class TopologyOrderView(APIView):
 class TopologyViewPreview(APIView):
    url_prefix = ('/topology_views/preview', '/topology_views/<int:_id>/view')

-    @perms_role_required(app_cli.app_name, app_cli.resource_type_name, app_cli.op.TopologyView,
-                         app_cli.op.read, app_cli.admin_name)
    def get(self, _id=None):
        if _id is not None:
+            acl = ACLManager('cmdb')
+            resource_name = TopologyViewManager.get_name_by_id(_id)
+            if (not acl.has_permission(resource_name, ResourceTypeEnum.TOPOLOGY_VIEW, PermEnum.READ) and
+                    not is_app_admin('cmdb')):
+                return abort(403, ErrFormat.no_permission.format(resource_name, PermEnum.READ))
+
            return self.jsonify(TopologyViewManager().topology_view(view_id=_id))
        else:
            return self.jsonify(TopologyViewManager().topology_view(preview=request.values))
--- a/cmdb-api/requirements.txt
+++ b/cmdb-api/requirements.txt
@ -1,7 +1,7 @@
 -i https://mirrors.aliyun.com/pypi/simple
 alembic==1.7.7
 bs4==0.0.1
-celery>=5.3.1
+celery==5.3.1
 celery-once==3.0.1
 click==8.1.3
 elasticsearch==7.17.9
@ -53,4 +53,4 @@ shamir~=17.12.0
 pycryptodomex>=3.19.0
 colorama>=0.4.6
 lz4>=4.3.2
-python-magic==0.4.27
+python-magic==0.4.27