fix(acl): add relation

cmdb-api/api/lib/perm/acl/cache.py

@@ -3,9 +3,9 @@
 
 import msgpack
 import redis_lock
-from flask import current_app
 
 from api.extensions import cache
+from api.extensions import db
 from api.extensions import rd
 from api.lib.decorator import flush_db
 from api.models.acl import App
@@ -161,6 +161,7 @@ class RoleRelationCache(object):
     def get_parent_ids(cls, rid, app_id, force=False):
         parent_ids = cache.get(cls.PREFIX_PARENT.format(rid, app_id))
         if not parent_ids or force:
+            db.session.commit()
             from api.lib.perm.acl.role import RoleRelationCRUD
             parent_ids = RoleRelationCRUD.get_parent_ids(rid, app_id)
             cache.set(cls.PREFIX_PARENT.format(rid, app_id), parent_ids, timeout=0)
@@ -171,6 +172,7 @@ class RoleRelationCache(object):
     def get_child_ids(cls, rid, app_id, force=False):
         child_ids = cache.get(cls.PREFIX_CHILDREN.format(rid, app_id))
         if not child_ids or force:
+            db.session.commit()
             from api.lib.perm.acl.role import RoleRelationCRUD
             child_ids = RoleRelationCRUD.get_child_ids(rid, app_id)
             cache.set(cls.PREFIX_CHILDREN.format(rid, app_id), child_ids, timeout=0)
@@ -187,6 +189,7 @@ class RoleRelationCache(object):
         """
         resources = cache.get(cls.PREFIX_RESOURCES.format(rid, app_id))
         if not resources or force:
+            db.session.commit()
             from api.lib.perm.acl.role import RoleCRUD
             resources = RoleCRUD.get_resources(rid, app_id)
             if resources['id2perms'] or resources['group2perms']:
@@ -198,6 +201,7 @@ class RoleRelationCache(object):
     def get_resources2(cls, rid, app_id, force=False):
         r_g = cache.get(cls.PREFIX_RESOURCES2.format(rid, app_id))
         if not r_g or force:
+            db.session.commit()
             res = cls.get_resources(rid, app_id)
             id2perms = res['id2perms']
             group2perms = res['group2perms']

cmdb-api/api/lib/perm/acl/resource.py

@@ -315,9 +315,12 @@ class ResourceCRUD(object):
         return resource
 
     @staticmethod
-    def delete(_id, rebuild=True):
+    def delete(_id, rebuild=True, app_id=None):
         resource = Resource.get_by_id(_id) or abort(404, ErrFormat.resource_not_found.format("id={}".format(_id)))
 
+        if app_id is not None and resource.app_id != app_id:
+            return abort(404, ErrFormat.resource_not_found.format("id={}".format(_id)))
+
         origin = resource.to_dict()
         resource.soft_delete()
 

cmdb-api/api/lib/perm/acl/role.py

@@ -154,19 +154,19 @@ class RoleRelationCRUD(object):
                 if existed:
                     continue
 
-                RoleRelationCache.clean(parent_id, app_id)
-                RoleRelationCache.clean(child_id, app_id)
-
                 if parent_id in cls.recursive_child_ids(child_id, app_id):
                     return abort(400, ErrFormat.inheritance_dead_loop)
 
+                result.append(RoleRelation.create(parent_id=parent_id, child_id=child_id, app_id=app_id).to_dict())
+
+                RoleRelationCache.clean(parent_id, app_id)
+                RoleRelationCache.clean(child_id, app_id)
+
                 if app_id is None:
                     for app in AppCRUD.get_all():
                         if app.name != "acl":
                             RoleRelationCache.clean(child_id, app.id)
 
-                result.append(RoleRelation.create(parent_id=parent_id, child_id=child_id, app_id=app_id).to_dict())
-
         AuditCRUD.add_role_log(app_id, AuditOperateType.role_relation_add,
                                AuditScope.role_relation, role.id, {}, {},
                                {'child_ids': list(child_ids), 'parent_ids': [parent_id], }