Ejemplo n.º 1
    def update_project(self, request, project_id):
        """Update a project after an edit-permission check on the caller.

        The result of ``can_edit`` is not inspected here, so the method relies
        on the check raising when permission is denied.
        NOTE(review): confirm ``self.iam_perm.can_edit`` raises by default.

        Args:
            request: incoming request; supplies the username, the access token
                and the update payload.
            project_id: ID of the project to update.

        Returns:
            A ``Response`` wrapping whatever ``Project.update_project`` returns.
        """
        user = request.user
        # Authorization runs first, before the payload is copied or validated.
        self.iam_perm.can_edit(ProjectPermCtx(username=user.username, project_id=project_id))

        # "updator" is set from the authenticated user and overwrites any value
        # the client supplied in the payload.
        payload = request.data.copy()
        payload["updator"] = user.username
        slz = serializers.UpdateNavProjectSLZ(data=payload)
        slz.is_valid(raise_exception=True)

        updated = Project.update_project(user.token.access_token, project_id, slz.validated_data)
        return Response(updated)
Ejemplo n.º 2
    def _can_update_bound_biz(self, request, project_id):
        """Decide whether the project may be modified.

        - If the project already has clusters, its bound business must not be changed.
        - Without administrator permission, the project must not be modified.

        Returns:
            True only when the project has no cluster and the caller passes the
            project edit-permission check; False otherwise.
        """
        token = request.user.token.access_token
        if self._has_cluster(token, project_id):
            return False

        # raise_exception=False: the outcome is consumed as a truth value here
        # instead of relying on an exception to signal denial.
        edit_ctx = ProjectPermCtx(username=request.user.username, project_id=project_id)
        return bool(ProjectPermission().can_edit(edit_ctx, raise_exception=False))
Ejemplo n.º 3
    def has_permission(self, request, view):
        """Allow superusers; otherwise require view permission on the project.

        The project reference comes from the ``project_id`` URL kwarg, falling
        back to ``project_id_or_code``, and is resolved through
        ``self._get_project_id``. If no project ID can be resolved, access is
        denied.

        Returns:
            True for superusers, False when the project cannot be resolved,
            otherwise the result of the project view-permission check.
        """
        user = request.user
        if user.is_superuser:
            return True

        token = user.token.access_token

        url_kwargs = view.kwargs
        project_ref = url_kwargs.get('project_id') or url_kwargs.get('project_id_or_code')
        resolved_id = self._get_project_id(token, project_ref)
        if not resolved_id:
            # Fail closed: never build a permission context without a project.
            return False

        view_ctx = ProjectPermCtx(username=user.username, project_id=resolved_id)
        return ProjectPermission().can_view(view_ctx, raise_exception=False)
Ejemplo n.º 4
 def test_can_edit_not_view(self, project_permission_obj, project_id):
     """Scenario: the user has project edit permission but no project view permission."""
     user = roles.PROJECT_NO_VIEW_USER
     ctx = ProjectPermCtx(username=user, project_id=project_id)
     with pytest.raises(PermissionDeniedError) as exc_info:
         project_permission_obj.can_edit(ctx)

     # The edit check is denied, and the apply URL it carries must request the
     # VIEW action on this project.
     view_request = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert exc_info.value.data['perms']['apply_url'] == generate_apply_url(user, [view_request])
Ejemplo n.º 5
    def create_project(self, request):
        """Create a project for the caller and grant creator actions on it.

        The result of ``can_create`` is not inspected here, so the method relies
        on the check raising when permission is denied.
        NOTE(review): confirm ``self.iam_perm.can_create`` raises by default.

        Args:
            request: incoming request; supplies the username, the access token
                and the creation payload.

        Returns:
            A ``Response`` wrapping whatever ``Project.create_project`` returns.
        """
        user = request.user
        creator = user.username

        # Authorization runs first, before the payload is copied or validated.
        self.iam_perm.can_create(ProjectPermCtx(username=creator))

        # "creator" is set from the authenticated user and overwrites any value
        # the client supplied in the payload.
        payload = request.data.copy()
        payload["creator"] = creator
        slz = serializers.CreateNavProjectSLZ(data=payload)
        slz.is_valid(raise_exception=True)

        created = Project.create_project(user.token.access_token, slz.validated_data)

        # NOTE(review): the project already exists at this point; if the grant
        # below fails, the creator may be left without permissions on it.
        # Confirm how that partial state is handled.
        creator_action = ProjectCreatorAction(
            name=created["project_name"], project_id=created["project_id"], creator=creator
        )
        self.iam_perm.grant_resource_creator_actions(creator_action)

        return Response(created)
Ejemplo n.º 6
    def test_can_not_create(self, project_permission_obj):
        """Scenario: the user has no project create permission."""
        user = roles.NO_PROJECT_USER
        ctx = ProjectPermCtx(username=user)

        # No permission, non-raising mode: the check must report a falsy result.
        allowed = project_permission_obj.can_create(ctx, raise_exception=False)
        assert not allowed

        # No permission, default mode: the check must raise.
        with pytest.raises(PermissionDeniedError) as exc_info:
            project_permission_obj.can_create(ctx)

        denied = exc_info.value
        assert denied.code == PermissionDeniedError.code
        # The error must carry an apply URL for the CREATE action.
        expected_url = generate_apply_url(
            user,
            action_request_list=[
                ActionResourcesRequest(ProjectAction.CREATE, resource_type=ResourceType.Project)
            ],
        )
        assert denied.data['perms']['apply_url'] == expected_url
Ejemplo n.º 7
    def test_can_not_view(self, project_permission_obj, project_id):
        """Scenario: the user has no project view permission."""
        user = roles.NO_PROJECT_USER
        ctx = ProjectPermCtx(username=user, project_id=project_id)

        # No permission, non-raising mode: the check must report a falsy result.
        allowed = project_permission_obj.can_view(ctx, raise_exception=False)
        assert not allowed

        # No permission, default mode: the check must raise.
        with pytest.raises(PermissionDeniedError) as exc_info:
            project_permission_obj.can_view(ctx)

        denied = exc_info.value
        assert denied.code == PermissionDeniedError.code
        # The error must carry an apply URL for the VIEW action on this project.
        view_request = ActionResourcesRequest(
            ProjectAction.VIEW,
            resource_type=ResourceType.Project,
            resources=[project_id],
        )
        assert denied.data['perms']['apply_url'] == generate_apply_url(user, [view_request])
Ejemplo n.º 8
 def test_can_view(self, project_permission_obj, project_id):
     """Scenario: the user has project view permission."""
     admin_ctx = ProjectPermCtx(username=roles.ADMIN_USER, project_id=project_id)
     granted = project_permission_obj.can_view(admin_ctx)
     assert granted
Ejemplo n.º 9
 def test_can_create(self, project_permission_obj):
     """Scenario: the user has project create permission."""
     admin_ctx = ProjectPermCtx(username=roles.ADMIN_USER)
     granted = project_permission_obj.can_create(admin_ctx)
     assert granted