Merge pull request #529 from veops/fix_decorator_perms_role_required

fix: decorator_perms_role_required
2024-06-04 19:23:58 +08:00 · 2024-06-04 19:23:58 +08:00 · 5358fb41b2
parent df3dc7cb1b b7a6484579
commit 5358fb41b2
1 changed files with 3 additions and 2 deletions
--- a/cmdb-api/api/lib/common_setting/decorator.py
+++ b/cmdb-api/api/lib/common_setting/decorator.py
@ -3,6 +3,7 @@ import functools
 from flask import abort, session
 from api.lib.common_setting.acl import ACLManager
 from api.lib.common_setting.resp_format import ErrFormat
+from api.lib.perm.acl.acl import is_app_admin


 def perms_role_required(app_name, resource_type_name, resource_name, perm, role_name=None):
@ -16,7 +17,7 @@ def perms_role_required(app_name, resource_type_name, resource_name, perm, role_
            except Exception as e:
                # resource_type not exist, continue check role
                if role_name:
-                    if role_name not in session.get("acl", {}).get("parentRoles", []):
+                    if role_name not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin(app_name):
                        abort(403, ErrFormat.role_required.format(role_name))

                    return func(*args, **kwargs)
@ -25,7 +26,7 @@ def perms_role_required(app_name, resource_type_name, resource_name, perm, role_

            if not has_perms:
                if role_name:
-                    if role_name not in session.get("acl", {}).get("parentRoles", []):
+                    if role_name not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin(app_name):
                        abort(403, ErrFormat.role_required.format(role_name))
                else:
                    abort(403, ErrFormat.resource_no_permission.format(resource_name, perm))