Fix: permission management

cmdb-api/api/lib/perm/acl/resource.py

@@ -68,6 +68,9 @@ class ResourceTypeCRUD(object):
     def delete(cls, rt_id):
         rt = ResourceType.get_by_id(rt_id) or abort(404, "ResourceType <{0}> is not found".format(rt_id))
 
+        if Resource.get_by(resource_type_id=rt_id):
+            return abort(400, "At least one instance of this type exists and cannot be deleted")
+
         cls.update_perms(rt_id, [], rt.app_id)
 
         rt.soft_delete()

cmdb-api/api/lib/perm/acl/role.py

@@ -47,7 +47,7 @@ class RoleRelationCRUD(object):
     def get_child_ids(rid):
         res = RoleRelation.get_by(parent_id=rid, to_dict=False)
 
-        return [i.parent_id for i in res]
+        return [i.child_id for i in res]
 
     @classmethod
     def recursive_parent_ids(cls, rid):
@@ -77,10 +77,13 @@ class RoleRelationCRUD(object):
 
         return all_child_ids
 
-    @staticmethod
-    def add(parent_id, child_id):
+    @classmethod
+    def add(cls, parent_id, child_id):
         RoleRelation.get_by(parent_id=parent_id, child_id=child_id) and abort(400, "It's already existed")
 
+        if parent_id in cls.recursive_child_ids(child_id):
+            return abort(400, "Circulation inheritance!!!")
+
         RoleRelationCache.clean(parent_id)
         RoleRelationCache.clean(child_id)
 

cmdb-api/api/lib/perm/acl/user.py

@@ -75,6 +75,9 @@ class UserCRUD(object):
 
     @classmethod
     def delete(cls, uid):
+        if uid == g.user.uid:
+            return abort(400, "You cannot delete yourself")
+
         user = User.get_by(uid=uid, to_dict=False, first=True) or abort(404, "User <{0}> does not exist".format(uid))
 
         UserCache.clean(user)