diff --git a/apps/rpm/views.py b/apps/rpm/views.py
index ae9111b9..77f8b8d2 100644
--- a/apps/rpm/views.py
+++ b/apps/rpm/views.py
@@ -32,8 +32,9 @@ class RpartyViewSet(CustomModelViewSet):
 def get_queryset(self):
 queryset = super().get_queryset()
 # 防止越权,加入的逻辑,可以通过岗位控权实现
- if self.request.user.type == 'remployee':
- queryset = queryset.filter(dept=self.request.user.belong_dept)
+ user = self.request.user
+ if user.is_authenticated and user.type == 'remployee':
+ queryset = queryset.filter(dept=user.belong_dept)
 return queryset
 @action(methods=['post'], detail=True, perms_map={'post': 'rparty:assgin'}, serializer_class=RpartyAssignSerializer)
@@ -88,8 +89,9 @@ class RfileViewSet(ListModelMixin, CustomGenericViewSet):
 def get_queryset(self):
 queryset = super().get_queryset()
 # 防止越权,加入的逻辑,可以通过岗位控权实现
- if self.request.user.type == 'remployee':
- queryset = queryset.filter(rparty__dept=self.request.user.belong_dept)
+ user = self.request.user
+ if user.is_authenticated and user.type == 'remployee':
+ queryset = queryset.filter(rparty__dept=user.belong_dept)
 return queryset
@@ -107,8 +109,9 @@ class RemployeeViewSet(CustomModelViewSet):
 def get_queryset(self):
 queryset = super().get_queryset()
- if self.request.user.type == 'remployee':
- queryset = queryset.filter(rparty__dept=self.request.user.belong_dept)
+ user = self.request.user
+ if user.is_authenticated and user.type == 'remployee':
+ queryset = queryset.filter(rparty__dept=user.belong_dept)
 return queryset
 @transaction.atomic
@@ -147,8 +150,9 @@ class RcertificateViewSet(CustomModelViewSet):
 def get_queryset(self):
 queryset = super().get_queryset()
- if self.request.user.type == 'remployee':
- queryset = queryset.filter(remployee__rparty__dept=self.request.user.belong_dept)
+ user = self.request.user
+ if user.is_authenticated and user.type == 'remployee':
+ queryset = queryset.filter(remployee__rparty__dept=user.belong_dept)
 return queryset
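Review bot: The new `user.is_authenticated and user.type == 'remployee'` guard in `RpartyViewSet.get_queryset` fails open: a request without an authenticated user skips the department filter and receives the unscoped queryset, where the old code presumably failed on the missing `type` attribute. The same shape is repeated in the `get_queryset` hunks for `RfileViewSet`, `RemployeeViewSet`, `RcertificateViewSet` and `RpjViewSet`. Whether anonymous requests can reach these views depends on permission classes that are not visible in the hunks, so the row-level scoping should not lean on them. Put `if not user.is_authenticated: return queryset.none()` ahead of the type check in each method, so that the absence of an identity yields no rows rather than all rows.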
@@ -166,8 +170,9 @@ class RpjViewSet(CustomModelViewSet):
 def get_queryset(self):
 queryset = super().get_queryset()
- if self.request.user.type == 'remployee':
- queryset = queryset.filter(rparty__dept=self.request.user.belong_dept)
+ user = self.request.user
+ if user.is_authenticated and user.type == 'remployee':
+ queryset = queryset.filter(rparty__dept=user.belong_dept)
 return queryset
 @transaction.atomic
diff --git a/apps/utils/permission.py b/apps/utils/permission.py
index 5e885284..df1efb50 100755
--- a/apps/utils/permission.py
+++ b/apps/utils/permission.py
@@ -33,7 +33,7 @@ def get_user_perms_map(user):
 user_perms_map[code][dept_id] = data_range
 else:
 user_perms_map[code] = {dept_id: pr.data_range}
- cache.set('perms_' + user.id, user_perms_map, timeout=None)
+ cache.set('perms_' + str(user.id), user_perms_map, timeout=None)
 return user_perms_map
diff --git a/apps/utils/viewsets.py b/apps/utils/viewsets.py
index 0b8ca375..5161aece 100755
--- a/apps/utils/viewsets.py
+++ b/apps/utils/viewsets.py
@@ -59,11 +59,10 @@ class CustomGenericViewSet(MyLoggingMixin, GenericViewSet):
 if self.prefetch_related_fields:
 queryset = queryset.prefetch_related(*self.prefetch_related_fields)
 if self.data_filter:
- if self.request.user.is_superuser:
- return queryset
- # if hasattr(queryset.model, 'belong_dept'):
 user = self.request.user
- user_perms_map = cache.get('perms_' + user.id, None)
+ if user.is_superuser:
+ return queryset
+ user_perms_map = cache.get('perms_' + str(user.id), None)
 if user_perms_map is None:
 user_perms_map = get_user_perms_map(self.request.user)
 if isinstance(user_perms_map, dict):
diff --git a/apps/vm/views.py b/apps/vm/views.py
index 25f295d2..b6dd082e 100644
--- a/apps/vm/views.py
+++ b/apps/vm/views.py
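Review bot: The changed `cache.set(..., timeout=None)` line stores the permission map with no expiry, so a revoked role or narrowed data range keeps being served from `perms_<id>` until something deletes the key, and no invalidation is visible in this hunk. If none exists elsewhere, give the entry a finite timeout or delete the key wherever a user's roles or posts are modified. The key is also assembled by hand here and again in `apps/utils/viewsets.py`, which is why the `str()` fix had to be made twice; a single helper such as `perms_cache_key(user)` would keep the two sites in step. `get_user_perms_map` begins above the hunk, so how the map is built is not shown.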
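Review bot: On the `cache.get` line, `str(user.id)` turns an unauthenticated user's `None` id into the shared key `perms_None` instead of failing, so with `data_filter` set such a request now falls through to `get_user_perms_map`. What that function returns for an anonymous user is outside the hunk, but with the `timeout=None` write in `apps/utils/permission.py` the result would stay cached under that shared key. Add `if not user.is_authenticated: return queryset.none()` before the `is_superuser` check so the data filter never runs without an identity. The following call can then pass `user` instead of re-reading `self.request.user`. The method starts and ends outside the hunk.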
@@ -35,7 +35,7 @@ class VisitViewSet(CustomModelViewSet):
 def get_queryset(self):
 user = self.request.user
 queryset = super().get_queryset()
- if user.is_authenticated and user.type != 'employee':
+ if user.type != 'employee':
 queryset = queryset.filter(create_by=user)
 return queryset
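Review bot: With `user.is_authenticated and user.type != 'employee'`, an unauthenticated request in `VisitViewSet.get_queryset` now takes the same path as an employee and gets the full queryset, because the `create_by=user` restriction is applied only when the whole condition is true. The unrestricted branch should be the one that needs a positive match: add `if not user.is_authenticated: return queryset.none()` after `queryset = super().get_queryset()` and keep the original `if user.type != 'employee':` below it. Permission classes may already reject anonymous requests, but they are not visible here and the row filter should hold without them.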