权限控制bug

2021-05-13 09:25:33 +08:00 · 2021-05-13 09:25:33 +08:00 · a360299bc2
parent 627d506712
commit a360299bc2
3 changed files with 14 additions and 4 deletions
--- a/client_mp/pages/inspectrecord/recorddetail.vue
+++ b/client_mp/pages/inspectrecord/recorddetail.vue
@ -68,7 +68,6 @@
 				this.$u.api.getInspectRecord(id).then(res => {
 					this.form = res.data
 					let fileList = []
-					console.log(this.vuex_token)
 					for (var i = 0; i < res.data.imgs_.length; i++) {
 						fileList.push(res.data.imgs_[i].file + '?token='+ this.vuex_token)
 					}
--- a/server/apps/quality/permission.py
+++ b/server/apps/quality/permission.py
@ -3,13 +3,16 @@ from .models import *

 class IsSubInspectTaskLeader(RbacPermission):
    def has_object_permission(self, request, view, obj):
+        print(obj, request.user.name)
        if InspectTeam.objects.filter(subtask=obj.subtask, type='组长').first().member == request.user:
            # 如果是组长
            return True
        return False

 class IsInspectRecordChecker(RbacPermission):
+    
    def has_object_permission(self, request, view, obj):
+        print(2, obj, request.user.name)
        if obj.checker == request.user or obj.checker == None:
            return True
        return False
--- a/server/apps/quality/views.py
+++ b/server/apps/quality/views.py
@ -7,6 +7,7 @@ from django.shortcuts import render
 from django.utils import timezone
 from rest_framework import status
 from rest_framework.decorators import action, permission_classes
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.mixins import CreateModelMixin, DestroyModelMixin, ListModelMixin, RetrieveModelMixin
 from rest_framework.permissions import IsAdminUser
 from rest_framework.response import Response
@ -275,8 +276,7 @@ class InspectRecordViewSet(OptimizationMixin, PageOrNot, ModelViewSet):
            return InspectRecordDetailSerializer
        return InspectRecordListSerializer

-    @action(methods=['post'], detail=False, perms_map = {'post':'inspectrecord_update'},
-            permission_classes=[IsAdminUser|IsSubInspectTaskLeader])
+    @action(methods=['post'], detail=False, perms_map = {'post':'inspectrecord_update'})
    def appoint(self, request, *args, **kwargs):
        """
        检查项目指派
@ -284,10 +284,15 @@ class InspectRecordViewSet(OptimizationMixin, PageOrNot, ModelViewSet):
        """
        data = request.data
        records = InspectRecord.objects.filter(id__in=data['records'])
+        subtask = records.first().subtask
+        if request.user == InspectTeam.objects.get(subtask=subtask, type='组长').member:
+            pass
+        else:
+            raise PermissionDenied
        checker = User.objects.get(pk=data['checker'])
        records.filter(checked=False).update(checker=checker)
        # 子任务下未分配检查项目按该逻辑分配
-        subtask = records.first().subtask
+        
        items = records.values_list('item', flat=True)
        InspectRecord.objects.filter(item__in=items, subtask=subtask, checker__isnull=True, checked= False).update(checker=checker)
        return Response(status=status.HTTP_200_OK)
@ -299,6 +304,9 @@ class InspectRecordViewSet(OptimizationMixin, PageOrNot, ModelViewSet):
        提交单条记录检查结果
        """
        instance = self.get_object()
+        leader = InspectTeam.objects.get(subtask=instance.subtask, type='组长').member
+        if request.user == instance.checker or request.user == None or request.user == leader:
+            raise PermissionDenied
        if instance.subtask.state == '执行中':
            serializer = InspectRecordCheckSerializer(instance, data=request.data)
            serializer.is_valid(raise_exception=True)