二次開發Jumpserver,增加權限申請模塊實現用戶組歸屬,服務器及組授權,系統用戶授權申請處理


這是jumpserver二次開發系列第三篇,主要實現用戶權限的自主申請、審批和授權功能。有兩種方式申請權限:

1、加入用戶組,擁有與該用戶組相同的權限;

2、按資產、資產組及系統用戶申請相應權限。

一、數據庫模型設計

其中用戶、用戶組、資產、資產組及系統用戶為原來各模塊已設計的表

 

二、model代碼

權限申請表與用戶、用戶組、資產、資產組及系統用戶之間使用 ManyToManyField 定義關係

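class Checker(models.Model):
    """Approver record used by the permission-request workflow.

    ``CheckOrder.checker`` points at this model; the reverse accessor on a
    ``Checker`` instance is ``check_order``.
    """
    # Unique identifier of the approver.
    # NOTE(review): "um" is presumably the approver's login/account id -- confirm
    # against the views that populate it.
    checker_um = models.CharField(max_length=50, unique=True)
    # Display name; nullable, so it can be missing.
    checker_name = models.CharField(max_length=50, null=True)
    # Free-text role label; nullable.
    checker_role = models.CharField(max_length=100, null=True)

    def __unicode__(self):
        """Return a display label for the approver.

        ``checker_name`` is nullable, and returning None from ``__unicode__``
        raises TypeError wherever the object is rendered, so fall back to the
        non-null ``checker_um``.
        """
        return self.checker_name or self.checker_um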


class CheckOrder(models.Model):
    """Bind a unique order number to a ``Checker``.

    NOTE(review): this looks like one step of an approval sequence, with
    ``check_order`` giving the position -- confirm against the views.
    """
    # Unique integer for this entry.
    check_order = models.IntegerField(unique=True)
    # Approver attached to this entry; reverse accessor on Checker is ``check_order``.
    checker = models.ForeignKey(Checker, related_name='check_order')
    # Optional free-text description.
    check_desc = models.CharField(max_length=100, null=True)
   


class RightApply(models.Model):
    """A permission request: which assets, asset groups, users, user groups
    and system-user roles are being asked for, and at which ``CheckOrder`` it sits.
    """
    # Unique name of the request (also used as its display label).
    app_name = models.CharField(max_length=100, unique=True)
    # Optional free-text description.
    app_desc = models.CharField(max_length=100, null=True)
    # NOTE(review): TimeField keeps only the time of day (no date), and
    # auto_now rewrites the value on every save(), so this is not a stable
    # creation timestamp. For an audit trail of access requests a
    # DateTimeField with auto_now_add would be needed (schema change).
    insert_time = models.TimeField(auto_now=True)
    # Completion time; also time-of-day only, nullable until set.
    finish_time = models.TimeField(null=True)
    # CheckOrder entry this request is associated with.
    # NOTE(review): presumably the current/first approval step -- confirm.
    checkorder = models.ForeignKey(CheckOrder, related_name='right_app')
    # Requested targets and subjects. All use related_name='right_app' on
    # their respective models.
    asset = models.ManyToManyField(Asset, related_name='right_app')
    asset_group = models.ManyToManyField(AssetGroup, related_name='right_app')
    # NOTE(review): no separate applicant field is visible here; whether
    # ``user`` holds the applicant, the beneficiaries, or both should be
    # confirmed, since approvals need a recorded requester.
    user = models.ManyToManyField(User, related_name='right_app')
    user_group = models.ManyToManyField(UserGroup, related_name='right_app')
    role = models.ManyToManyField(PermRole, related_name='right_app')
    # Request kinds: 'ZCQX' is labelled as an asset permission request,
    # 'GPQX' as a user-group permission request.
    APP_TYPE_CHOICES = (
        ('ZCQX', u'資產權限申請'),
        ('GPQX', u'用戶組權限申請')
    )
    app_type = models.CharField(max_length=8, choices=APP_TYPE_CHOICES, default='ZCQX')

    def __unicode__(self):
        """Return the request name as the display label."""
        return self.app_name


class CheckList(models.Model):
    """Review record tying one ``RightApply`` to one ``CheckOrder`` entry.

    NOTE(review): the record has no field for the account that actually made
    the decision; the approver is only implied through
    ``checkorder.checker``. Confirm the views log the acting user elsewhere.
    """
    # Request under review; reverse accessor on RightApply is ``check_list``.
    rightapply = models.ForeignKey(RightApply, related_name='check_list')
    # CheckOrder entry this review belongs to.
    checkorder = models.ForeignKey(CheckOrder, related_name='check_list')
    # NOTE(review): TimeField stores time of day only and auto_now overwrites
    # it on every save(), so the date and the original creation time of a
    # review are not retained.
    insert_time = models.TimeField(auto_now=True)
    # Completion time (time of day only); nullable until set.
    finish_time = models.TimeField(null=True)
    # Tri-state flag.
    # NOTE(review): presumably None = undecided, True/False = approved/rejected -- confirm.
    check_status = models.NullBooleanField(null=True)
    # Defaults to False.
    # NOTE(review): meaning is not visible in this listing (possibly
    # "already reviewed") -- confirm against the views.
    check_if = models.NullBooleanField(default=False)
    # Optional free-text comment for this review.
    check_desc = models.TextField(null=True)

三、URLS

# (regex, view name in rightapply.views, URL name) for every endpoint of the
# permission-request module.
#
# NOTE(review): none of these patterns captures an id, so the views must read
# the target request from request parameters. The state-changing endpoints
# (check_app, apply_del, apply_add, add_by_gpqx) therefore need their own
# checks that the caller is the applicant or the assigned checker of that
# object -- the views are not shown here, confirm they do this.
_RIGHTAPPLY_ROUTES = (
    (r'^apply/list/$', 'apply_list', 'app_list'),
    (r'^apply/add/$', 'apply_add', 'app_add'),
    (r'^apply/add_by_gpqx/$', 'add_by_gpqx', 'add_by_gpqx'),
    (r'^apply/check_list/$', 'check_list', 'check_list'),
    (r'^apply/check_app/$', 'check_app', 'check_app'),
    (r'^apply/follow/$', 'follow_app', 'follow_app'),
    (r'^apply/app_detail/$', 'app_detail', 'app_detail'),
    (r'^apply/del/$', 'apply_del', 'app_del'),
    (r'^apply/rule_list/$', 'app_rule_list', 'app_rule_list'),
    (r'^apply/rule_detail/$', 'app_rule_detail', 'app_rule_detail'),
)

urlpatterns = patterns(
    'rightapply.views',
    *(url(regex, view_name, name=url_name)
      for regex, view_name, url_name in _RIGHTAPPLY_ROUTES)
)

四、授權添加接口及郵件發送功能

 

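def perm_rule_add(assets_obj, asset_groups_obj, users_obj,
                  user_groups_obj, roles_obj, rule_name, rule_comment):
    """Create a ``PermRule`` authorization rule and attach its relations.

    The ``*_obj`` arguments are collections of model instances, e.g.
    ``users_obj = [User.objects.get(id=user_id) for user_id in users_select]``.

    Returns a JSON string ``{"result": <bool>, "Msg": <text>}``. Only
    ``ServerError`` is converted into a failure result; any other exception
    propagates to the caller.

    NOTE(review): this function grants access and performs no authorization
    check of its own; callers must only reach it after the request has been
    approved by the assigned checker.
    """
    try:
        rule = PermRule(name=rule_name, comment=rule_comment)
        # The row has to exist before the many-to-many relations are assigned.
        rule.save()
        rule.user = users_obj
        rule.user_group = user_groups_obj
        rule.asset = assets_obj
        rule.asset_group = asset_groups_obj
        rule.role = roles_obj
        rule.save()

        msg = u"添加授權規則:%s" % rule.name
        res = {'result': True, 'Msg': msg}
        return json.dumps(res)
    except ServerError as e:
        # NOTE(review): a failure after the first save() leaves a rule row
        # with only part of its relations attached; consider running the
        # whole block in one database transaction.
        # A failed grant is logged at error level so it is not filtered out.
        logger.error(e)
        # The exception object itself is not JSON serializable; json.dumps
        # would raise TypeError here, so send its text instead.
        res = {'result': False, 'Msg': u"%s" % e}
        return json.dumps(res)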


def app_send_mail(user, app, check_res, mail_type, host_url):
    """Send a permission-request notification mail to ``user``.

    ``mail_type == "user"`` sends the applicant the review result
    (``check_res``) with a link to the follow-up page; any other value sends
    the approver a review prompt with a link to the approval page.
    Sending uses ``fail_silently=False``, so delivery errors are raised to
    the caller.

    NOTE(review): ``host_url`` is caller-supplied and becomes the base of the
    link in the mail. If callers derive it from the request's Host header,
    make sure ALLOWED_HOSTS is enforced or use a configured base URL, so the
    link cannot be pointed at another site.
    """
    notify_applicant = mail_type == "user"
    link = host_url + reverse('follow_app' if notify_applicant else 'check_app')

    if not notify_applicant:
        # Prompt for the approver.
        mail_title = u'堡壘機權限申請審批'
        mail_msg = u"""
        Hi, %s
            堡壘機權限申請: %s,
            請您登錄系統審批:
            %s
        """ % (user.name, app.app_name, link)
    else:
        # Result notice for the applicant.
        mail_title = u'堡壘機權限申請審批結果'
        mail_msg = u"""
        Hi, %s
            您的堡壘機權限申請: %s,
            %s,
            請登錄系統查看:
            %s
        """ % (user.name, app.app_name, check_res, link)

    recipients = [user.email]
    send_mail(mail_title, mail_msg, MAIL_FROM, recipients, fail_silently=False)

 

五、主要功能部分代碼

