[update] delete roles, users, attributes

cmdb-api/api/lib/cmdb/attribute.py

@@ -8,6 +8,7 @@ from flask_login import current_user
 
 from api.extensions import db
 from api.lib.cmdb.cache import AttributeCache
+from api.lib.cmdb.cache import CITypeCache
 from api.lib.cmdb.const import CITypeOperateType
 from api.lib.cmdb.const import PermEnum, ResourceTypeEnum, RoleEnum
 from api.lib.cmdb.const import ValueTypeEnum
@@ -319,7 +320,12 @@ class AttributeManager(object):
         if CIType.get_by(unique_id=attr.id, first=True, to_dict=False) is not None:
             return abort(400, ErrFormat.attribute_is_unique_id)
 
-        if attr.uid and attr.uid != current_user.uid:
+        ref = CITypeAttribute.get_by(attr_id=_id, to_dict=False, first=True)
+        if ref is not None:
+            ci_type = CITypeCache.get(ref.type_id)
+            return abort(400, ErrFormat.attribute_is_ref_by_type.format(ci_type.alias))
+
+        if attr.uid != current_user.uid and not is_app_admin('cmdb'):
             return abort(403, ErrFormat.cannot_delete_attribute)
 
         if attr.is_choice:
@@ -331,9 +337,6 @@ class AttributeManager(object):
 
         attr.soft_delete()
 
-        for i in CITypeAttribute.get_by(attr_id=_id, to_dict=False):
-            i.soft_delete()
-
         for i in PreferenceShowAttributes.get_by(attr_id=_id, to_dict=False):
             i.soft_delete()
 

cmdb-api/api/lib/cmdb/ci.py

@@ -38,8 +38,8 @@ from api.lib.decorator import kwargs_required
 from api.lib.perm.acl.acl import ACLManager
 from api.lib.perm.acl.acl import is_app_admin
 from api.lib.perm.acl.acl import validate_permission
-from api.lib.utils import handle_arg_list
 from api.lib.utils import Lock
+from api.lib.utils import handle_arg_list
 from api.models.cmdb import CI
 from api.models.cmdb import CIRelation
 from api.models.cmdb import CITypeAttribute
@@ -49,6 +49,8 @@ from api.tasks.cmdb import ci_delete
 from api.tasks.cmdb import ci_relation_cache
 from api.tasks.cmdb import ci_relation_delete
 
+PRIVILEGED_USERS = {"worker", "cmdb_agent", "agent"}
+
 
 class CIManager(object):
     """ manage CI interface
@@ -316,7 +318,7 @@ class CIManager(object):
         ci_attr2type_attr = {type_attr.attr_id: type_attr for type_attr, _ in attrs}
 
         ci = None
-        need_lock = current_user.username not in ("worker", "cmdb_agent", "agent")
+        need_lock = current_user.username not in current_app.config.get('PRIVILEGED_USERS', PRIVILEGED_USERS)
         with Lock(ci_type_name, need_lock=need_lock):
             existed = cls.ci_is_exist(unique_key, unique_value, ci_type.id)
             if existed is not None:
@@ -411,7 +413,7 @@ class CIManager(object):
 
         limit_attrs = self._valid_ci_for_no_read(ci) if not _is_admin else {}
 
-        need_lock = current_user.username not in ("worker", "cmdb_agent", "agent")
+        need_lock = current_user.username not in current_app.config.get('PRIVILEGED_USERS', PRIVILEGED_USERS)
         with Lock(ci.ci_type.name, need_lock=need_lock):
             self._valid_unique_constraint(ci.type_id, ci_dict, ci_id)
 

cmdb-api/api/lib/cmdb/resp_format.py

@@ -11,6 +11,7 @@ class ErrFormat(CommonErrFormat):
 
     attribute_not_found = "属性 {} 不存在!"
     attribute_is_unique_id = "该属性是模型的唯一标识，不能被删除!"
+    attribute_is_ref_by_type = "该属性被模型 {} 引用, 不能删除!"
     attribute_value_type_cannot_change = "属性的值类型不允许修改!"
     attribute_list_value_cannot_change = "多值不被允许修改!"
     attribute_index_cannot_change = "修改索引 非管理员不被允许!"
@@ -20,7 +21,7 @@ class ErrFormat(CommonErrFormat):
     add_attribute_failed = "创建属性 {} 失败!"
     update_attribute_failed = "修改属性 {} 失败!"
     cannot_edit_attribute = "您没有权限修改该属性!"
-    cannot_delete_attribute = "您没有权限删除该属性!"
+    cannot_delete_attribute = "目前只允许 属性创建人、管理员 删除属性!"
     attribute_name_cannot_be_builtin = "属性字段名不能是内置字段: id, _id, ci_id, type, _type, ci_type"
 
     ci_not_found = "CI {} 不存在"