feat: grademanager user can switch to subsetmanger

saas/backend/account/role_auth.py

@@ -9,7 +9,8 @@
 specific language governing permissions and limitations under the License.
 """
 
-from backend.apps.role.models import AnonymousRole, Role, RoleUser
+from backend.apps.role.models import AnonymousRole, Role
+from backend.biz.role import can_user_manage_role
 
 ROLE_SESSION_KEY = "_auth_role_id"
 
@@ -24,7 +25,7 @@ def authenticate(request=None, role_id=0):
         return AnonymousRole()
 
     # 2. 用户的角色不存在, 返回staff
-    if role_id == 0 or not RoleUser.objects.user_role_exists(request.user.username, role_id):
+    if role_id == 0 or not can_user_manage_role(request.user.username, role_id):
         return AnonymousRole()
 
     # 3. 对于用户与角色关系认证通过的，返回对应的分级管理员(超级管理员和系统管理员是两类特殊的分级管理员)

saas/backend/account/urls.py

@@ -14,5 +14,6 @@
 
 urlpatterns = [
     path("user/", views.UserViewSet.as_view({"get": "retrieve"}), name="account.retrieve_user"),
+    # TODO 等前端替换为我的管理空间相关接口后, 这个list接口下掉
     path("user/roles/", views.RoleViewSet.as_view({"get": "list", "post": "create"}), name="account.user_role"),
 ]

saas/backend/account/views.py

@@ -17,8 +17,7 @@
 from rest_framework.viewsets import GenericViewSet
 
 from backend.apps.organization.models import User
-from backend.apps.role.models import RoleUser
-from backend.biz.role import RoleBiz
+from backend.biz.role import RoleBiz, can_user_manage_role
 from backend.common.error_codes import error_codes
 
 from .role_auth import ROLE_SESSION_KEY
@@ -76,7 +75,7 @@ def create(self, request, *args, **kwargs):
         role_id = serializer.validated_data["id"]
 
         # 切换为管理员时, 如果不存在对应的关系, 越权
-        if role_id != 0 and not RoleUser.objects.user_role_exists(request.user.username, role_id):
+        if role_id != 0 and not can_user_manage_role(request.user.username, role_id):
             raise error_codes.FORBIDDEN.format(_("您没有该角色权限，无法切换到该角色"), True)
 
         # 修改session

saas/backend/apps/role/serializers.py

@@ -266,8 +266,7 @@ def get_has_subset_manager(self, obj):
         if not subset_manager_ids:
             return False
 
-        # 查询子集管理员中是否有当前用户
-        return bool(set(subset_manager_ids) & set(self.user_role_ids))
+        return self.get_is_member(obj)  # 如果是成员, 可以看到所有二级管理员
 
 
 class GradeMangerDetailSLZ(BaseGradeMangerSLZ):

saas/backend/apps/role/views/role.py

@@ -924,6 +924,10 @@ def get_queryset(self):
         if not subset_manager_ids:
             return Role.objects.none()
 
+        # 如果用户是分级管理员成员返回所有的二级管理员
+        if RoleUser.objects.user_role_exists(self.request.user.username, grade_manager_id):
+            return self.queryset.filter(id__in=subset_manager_ids)
+
         # 筛选出用户加入的子集管理员id
         role_ids = list(
             RoleUser.objects.filter(role_id__in=subset_manager_ids, username=self.request.user.username).values_list(

saas/backend/biz/role.py

@@ -1227,3 +1227,15 @@ def _diff_conditions(
                 return False  # 循环正常结束, tc不满足sc中的任意一条
 
         return True
+
+
+def can_user_manage_role(username: str, role_id: int) -> bool:
+    """是否用户能管理角色"""
+    if RoleUser.objects.user_role_exists(username, role_id):
+        return True
+
+    relation = RoleRelation.objects.filter(role_id=role_id).first()
+    if not relation:
+        return False
+
+    return RoleUser.objects.user_role_exists(username, relation.parent_id)