fix: permission (#3292)

apps/common/auth/handle/impl/user_token.py

@@ -151,13 +151,13 @@ def get_permission_list(user,
             workspace_user_role_mapping_list = QuerySet(workspace_user_role_mapping_model).filter(user_id=user_id)
             workspace_user_role_mapping_dict = group_by(workspace_user_role_mapping_list,
                                                         lambda item: item.workspace_id)
+            role_id_list = list(set([workspace_user_role_mapping.role_id for workspace_user_role_mapping in
+                                     workspace_user_role_mapping_list]))
             # 获取角色权限映射数据
             role_permission_mapping_list = QuerySet(role_permission_mapping_model).filter(
-                role_id__in=[workspace_user_role_mapping.role_id for workspace_user_role_mapping in
+                role_id__in=role_id_list)
-                             workspace_user_role_mapping_list])
-            system_role_permission_mapping_list = get_default_role_permission_mapping_list()
             role_permission_mapping_dict = group_by(
-                [*role_permission_mapping_list, *system_role_permission_mapping_list], lambda item: item.role_id)
+                role_permission_mapping_list, lambda item: item.role_id)
 
             workspace_user_permission_list = QuerySet(WorkspaceUserResourcePermission).filter(
                 workspace_id__in=[workspace_user_role.workspace_id for workspace_user_role in
@@ -170,11 +170,15 @@ def get_permission_list(user,
 
             workspace_permission_list = get_workspace_permission_list(role_permission_mapping_dict,
                                                                       workspace_user_role_mapping_list)
+            system_role_permission_mapping_list = list(set([role_permission.permission_id for role_permission in
+                                                            get_default_role_permission_mapping_list() if
+                                                            role_id_list.__contains__(role_permission.role_id)]))
             # 系统权限
             system_permission_list = [role_permission_mapping.permission_id for role_permission_mapping in
                                       role_permission_mapping_list]
             # 合并权限
-            permission_list = system_permission_list + workspace_permission_list + workspace_resource_permission_list
+            permission_list = system_permission_list + workspace_permission_list + workspace_resource_permission_list + system_role_permission_mapping_list
+            permission_list = list(set(permission_list))
             cache.set(key, permission_list, version=version)
         else:
             workspace_id_list = ['default']
@@ -199,6 +203,7 @@ def get_permission_list(user,
                                       [user.role].__contains__(role_permission_mapping.role_id)]
             # 合并权限
             permission_list = system_permission_list + workspace_permission_list + workspace_resource_permission_list
+            permission_list = list(set(permission_list))
             cache.set(key, permission_list, version=version)
     return permission_list
 
@@ -220,13 +225,13 @@ def get_role_list(user,
         if is_query_model:
             # 获取工作空间 用户 角色映射数据
             workspace_user_role_mapping_list = QuerySet(workspace_user_role_mapping_model).filter(user_id=user.id)
-            workspace_list = [
+            role_list = [
                             f"{workspace_user_role_mapping.role_id}:/WORKSPACE/{workspace_user_role_mapping.workspace_id}"
                             for
                             workspace_user_role_mapping in
                             workspace_user_role_mapping_list] + [user.role]
             cache.set(key, workspace_list, version=version)
-            return workspace_list
+            return role_list
         else:
             role_list = [user.role]
             if user.role == RoleConstants.ADMIN.value.__str__():

apps/users/views/user.py

@@ -16,7 +16,7 @@ from rest_framework.views import APIView
 from common.auth.authenticate import TokenAuth
 from common.auth.authentication import has_permissions
 from common.constants.cache_version import Cache_Version
-from common.constants.permission_constants import PermissionConstants, Permission, Group, Operate
+from common.constants.permission_constants import PermissionConstants, Permission, Group, Operate, RoleConstants
 from common.log.log import log
 from common.result import result
 from maxkb.const import CONFIG
@@ -164,7 +164,7 @@ class UserManage(APIView):
                    tags=[_("User Management")],  # type: ignore
                    request=UserProfileAPI.get_request(),
                    responses=UserProfileAPI.get_response())
-    @has_permissions(PermissionConstants.USER_CREATE)
+    @has_permissions(PermissionConstants.USER_CREATE, RoleConstants.ADMIN)
     @log(menu='User management', operate='Add user',
          get_operation_object=lambda r, k: {'name': r.data.get('username', None)})
     def post(self, request: Request):

ui/src/router/modules/system.ts

@@ -2,7 +2,7 @@ import { PermissionConst, EditionConst, RoleConst } from '@/utils/permission/dat
 const systemRouter = {
   path: '/system',
   name: 'system',
-  meta: { title: 'views.system.title', permission: 'USER_MANAGEMENT:READ' },
+  meta: { title: 'views.system.title' },
   hidden: true,
   component: () => import('@/layout/layout-template/SystemMainLayout.vue'),
   children: [