From b7a648457994554c49d7aeade268347a5680c29b Mon Sep 17 00:00:00 2001
From: simontigers <47096077+simontigers@users.noreply.github.com>
Date: Tue, 4 Jun 2024 19:23:22 +0800
Subject: [PATCH] fix: decorator_perms_role_required

---
 cmdb-api/api/lib/common_setting/decorator.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cmdb-api/api/lib/common_setting/decorator.py b/cmdb-api/api/lib/common_setting/decorator.py
index 6ff3d5f..30106e1 100644
--- a/cmdb-api/api/lib/common_setting/decorator.py
+++ b/cmdb-api/api/lib/common_setting/decorator.py
@@ -3,6 +3,7 @@ import functools
 from flask import abort, session
 from api.lib.common_setting.acl import ACLManager
 from api.lib.common_setting.resp_format import ErrFormat
+from api.lib.perm.acl.acl import is_app_admin
 
 
 def perms_role_required(app_name, resource_type_name, resource_name, perm, role_name=None):
@@ -16,7 +17,7 @@ def perms_role_required(app_name, resource_type_name, resource_name, perm, role_
             except Exception as e:
                 # resource_type not exist, continue check role
                 if role_name:
-                    if role_name not in session.get("acl", {}).get("parentRoles", []):
+                    if role_name not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin(app_name):
                         abort(403, ErrFormat.role_required.format(role_name))
 
                     return func(*args, **kwargs)
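Review bot: The added `is_app_admin(app_name)` bypass sits inside `except Exception as e:`, so it is reached after any failure of the permission lookup, not only the "resource_type not exist" case the comment names, and `e` is never logged. With this change an app admin is passed through to `func` whenever that lookup raises, whatever the cause, which makes the fallback hard to audit. I would catch only the exception the lookup raises for a missing resource type (its name is not visible here, since the `try` body is outside the hunk). I would also log the fallback before the role check, e.g. `current_app.logger.warning("perm lookup failed for %s, falling back to role check: %s", resource_name, e)`, with `current_app` added to the flask import.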
@@ -25,7 +26,7 @@ def perms_role_required(app_name, resource_type_name, resource_name, perm, role_
 
             if not has_perms:
                 if role_name:
-                    if role_name not in session.get("acl", {}).get("parentRoles", []):
+                    if role_name not in session.get("acl", {}).get("parentRoles", []) and not is_app_admin(app_name):
                         abort(403, ErrFormat.role_required.format(role_name))
                 else:
                     abort(403, ErrFormat.resource_no_permission.format(resource_name, perm))
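Review bot: On the `not has_perms` path the app-admin bypass applies only when the decorator was given a `role_name`; with `role_name=None` the `else` branch still aborts with `resource_no_permission`, app admin or not. Whether `has_perms` already accounts for app admins is not visible here, so if this asymmetry is intended it deserves a line in the decorator's docstring (the start of `perms_role_required` is outside the hunk), for example `App admins of app_name satisfy the role_name fallback; without role_name only the resource permission decides.` The same compound condition is also repeated verbatim in the hunk above, so a small helper would keep the two sites in step: `def _role_or_admin(app_name, role_name): return role_name in session.get("acl", {}).get("parentRoles", []) or is_app_admin(app_name)`, called as `if not _role_or_admin(app_name, role_name):`.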