权限控制bug

client_mp/pages/inspectrecord/recorddetail.vue

@@ -68,7 +68,6 @@
 				this.$u.api.getInspectRecord(id).then(res => {
 					this.form = res.data
 					let fileList = []
-					console.log(this.vuex_token)
 					for (var i = 0; i < res.data.imgs_.length; i++) {
 						fileList.push(res.data.imgs_[i].file + '?token='+ this.vuex_token)
 					}

server/apps/quality/permission.py

@@ -3,13 +3,16 @@ from .models import *
 
 class IsSubInspectTaskLeader(RbacPermission):
     def has_object_permission(self, request, view, obj):
+        print(obj, request.user.name)
         if InspectTeam.objects.filter(subtask=obj.subtask, type='组长').first().member == request.user:
             # 如果是组长
             return True
         return False
 
 class IsInspectRecordChecker(RbacPermission):
+    
     def has_object_permission(self, request, view, obj):
+        print(2, obj, request.user.name)
         if obj.checker == request.user or obj.checker == None:
             return True
         return False

server/apps/quality/views.py

@@ -7,6 +7,7 @@ from django.shortcuts import render
 from django.utils import timezone
 from rest_framework import status
 from rest_framework.decorators import action, permission_classes
+from rest_framework.exceptions import PermissionDenied
 from rest_framework.mixins import CreateModelMixin, DestroyModelMixin, ListModelMixin, RetrieveModelMixin
 from rest_framework.permissions import IsAdminUser
 from rest_framework.response import Response
@@ -275,8 +276,7 @@ class InspectRecordViewSet(OptimizationMixin, PageOrNot, ModelViewSet):
             return InspectRecordDetailSerializer
         return InspectRecordListSerializer
 
-    @action(methods=['post'], detail=False, perms_map = {'post':'inspectrecord_update'},
+    @action(methods=['post'], detail=False, perms_map = {'post':'inspectrecord_update'})
-            permission_classes=[IsAdminUser|IsSubInspectTaskLeader])
     def appoint(self, request, *args, **kwargs):
         """
         检查项目指派
@@ -284,10 +284,15 @@ class InspectRecordViewSet(OptimizationMixin, PageOrNot, ModelViewSet):
         """
         data = request.data
         records = InspectRecord.objects.filter(id__in=data['records'])
+        subtask = records.first().subtask
+        if request.user == InspectTeam.objects.get(subtask=subtask, type='组长').member:
+            pass
+        else:
+            raise PermissionDenied
         checker = User.objects.get(pk=data['checker'])
         records.filter(checked=False).update(checker=checker)
         # 子任务下未分配检查项目按该逻辑分配
-        subtask = records.first().subtask
+        
         items = records.values_list('item', flat=True)
         InspectRecord.objects.filter(item__in=items, subtask=subtask, checker__isnull=True, checked= False).update(checker=checker)
         return Response(status=status.HTTP_200_OK)
@@ -299,6 +304,9 @@ class InspectRecordViewSet(OptimizationMixin, PageOrNot, ModelViewSet):
         提交单条记录检查结果
         """
         instance = self.get_object()
+        leader = InspectTeam.objects.get(subtask=instance.subtask, type='组长').member
+        if request.user == instance.checker or request.user == None or request.user == leader:
+            raise PermissionDenied
         if instance.subtask.state == '执行中':
             serializer = InspectRecordCheckSerializer(instance, data=request.data)
             serializer.is_valid(raise_exception=True)