diff --git a/itsm/component/drf/permissions.py b/itsm/component/drf/permissions.py
index 8b109a42..98dd8ff1 100644
--- a/itsm/component/drf/permissions.py
+++ b/itsm/component/drf/permissions.py
@@ -297,11 +297,15 @@ def has_object_permission(self, request, view, obj):
 class IamAuthProjectViewPermit(IamAuthPermit):
 def has_object_permission(self, request, view, obj):
+ apply_actions = self.get_view_iam_actions(view)
+
 if hasattr(obj, "project_key"):
 project_key = obj.project_key
- apply_actions = ["project_view"]
- if view.action in ["create", "update", "destroy"]:
+ if not apply_actions and view.action in ["create", "update", "destroy"]:
 apply_actions = ["system_settings_manage"]
+
+ # 项目管理必须有查看权限
+ apply_actions.append("project_view")
 return self.has_project_view_permission(request, project_key, apply_actions)
 return True
diff --git a/itsm/project/models/project.py b/itsm/project/models/project.py
index 28a3927f..98465f73 100644
--- a/itsm/project/models/project.py
+++ b/itsm/project/models/project.py
@@ -64,11 +64,10 @@ class Project(Model):
 "field_create",
 "user_group_create",
 "triggers_create",
- "settings_view",
- "settings_manage",
 "catalog_create",
 "catalog_edit",
 "catalog_delete",
+ "system_settings_manage"
 ]
 auth_resource = {"resource_type": "project", "resource_type_name": "项目"}
diff --git a/itsm/service/models.py b/itsm/service/models.py
index 15bf0c5c..fafe3e3f 100644
--- a/itsm/service/models.py
+++ b/itsm/service/models.py
@@ -524,7 +524,7 @@ class ServiceCatalog(BaseMpttModel):
 objects = managers.ServiceCatalogManager()
 auth_resource = {"resource_type": "project", "resource_name": _("项目")}
- resource_operations = ["system_settings_manage"]
+ resource_operations = ["catalog_create", "catalog_edit", "catalog_delete"]
 class Meta:
 app_label = "service"
diff --git a/itsm/service/views.py b/itsm/service/views.py
index 0f8e695d..526c7917 100644
--- a/itsm/service/views.py
+++ b/itsm/service/views.py
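Review bot: `apply_actions.append("project_view")` in `IamAuthProjectViewPermit.has_object_permission` mutates whatever object `get_view_iam_actions(view)` returned. That helper is not shown in this hunk, so if it hands back a shared or cached list, `project_view` accumulates in it across requests, and a `None` or tuple return would raise instead of producing a clean permission decision. Copying first avoids both: `apply_actions = list(self.get_view_iam_actions(view) or [])`. A one-line docstring stating that the required set is the mapped action(s) plus `project_view` would also make the intended policy explicit for reviewers.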
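Review bot: The added `"system_settings_manage"` entry is the only one in this list without a trailing comma, so an entry appended below it later would be silently joined to it by Python's implicit string concatenation and yield a bogus action name; write it as `"system_settings_manage",`. Because `settings_view` and `settings_manage` are dropped from the list here, it is worth confirming that no permission check or IAM registration elsewhere still refers to them, which this diff does not show. The list starts above the hunk, so its name and other entries are not visible.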
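Review bot: The three catalog action names are written as string literals in `ServiceCatalog.resource_operations` here and again in `permission_action_mapping` in itsm/service/views.py, alongside the copy already in the list in itsm/project/models/project.py. A typo or rename in one place would leave the model and the view checking different actions. Defining them once, e.g. `CATALOG_ACTIONS = ("catalog_create", "catalog_edit", "catalog_delete")`, and referencing that constant from the model and the view keeps them aligned. The `ServiceCatalog` class body extends beyond the hunk.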
@@ -150,7 +150,11 @@ class ServiceCatalogViewSet(component_viewsets.ModelViewSet):
 "-create_at", "level"
 )
 permission_classes = (perm.IamAuthProjectViewPermit,)
- permission_action_default = "system_settings_manage"
+ permission_action_mapping = {
+ "create": "catalog_create",
+ "update": "catalog_edit",
+ "destroy": "catalog_delete",
+ }
 filter_fields = {
 "id": ["exact", "in"],
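Review bot: `permission_action_mapping` has no entry for `partial_update`, and this hunk removes `permission_action_default`, so nothing on the view names an IAM action for requests outside the three mapped ones. How `get_view_iam_actions` resolves such requests is not shown, but if the base `ModelViewSet` routes PATCH and the helper returns an empty list, `IamAuthProjectViewPermit` as changed in this commit skips its `create`/`update`/`destroy` fallback and checks `project_view` only. A catalog edit via PATCH would then need nothing more than view permission. Adding `"partial_update": "catalog_edit",` closes that gap, and any custom write actions on this viewset deserve the same check. The viewset class starts and ends outside the hunk.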