From cef6e681feb6cc84b6f268073bf26d921b8082fc Mon Sep 17 00:00:00 2001
From: delphid <31184311+delphid@users.noreply.github.com>
Date: Tue, 31 Jan 2023 14:51:48 +0800
Subject: [PATCH] add config for ban_self_audit (#2040)
---
 common/templates/config.html | 15 +++++++++
 .../test_instance_test_archery.html | 18 ++++++++++
 sql/utils/tests.py | 33 +++++++++++++++++++
 sql/utils/workflow_audit.py | 21 ++++++++++++
 4 files changed, 87 insertions(+)
 create mode 100644 downloads/dictionary/test_instance_test_archery.html
diff --git a/common/templates/config.html b/common/templates/config.html
index 6050dc7561..f6bb4f0f40 100755
--- a/common/templates/config.html
+++ b/common/templates/config.html
@@ -264,6 +264,21 @@
生成时间:2023-01-31 14:41:33
+ + +
diff --git a/sql/utils/tests.py b/sql/utils/tests.py
index 404fb4c356..95167ef33e 100644
--- a/sql/utils/tests.py
+++ b/sql/utils/tests.py
@@ -862,6 +862,19 @@ def setUp(self):
 db_name="some_db",
 syntax_type=1,
 )
+ self.own_wf = SqlWorkflow.objects.create(
+ workflow_name="some_name",
+ group_id=1,
+ group_name="g1",
+ engineer=self.user.username,
+ audit_auth_groups="some_audit_group",
+ create_time=datetime.datetime.now(),
+ status="workflow_timingtask",
+ is_backup=True,
+ instance=self.ins,
+ db_name="some_db",
+ syntax_type=1,
+ )
 SqlWorkflowContent.objects.create(
 workflow=self.wf, sql_content="some_sql", execute_result=""
 )
@@ -1234,6 +1247,26 @@ def test_can_review_sql_review(self, _detail_by_workflow_id, _auth_group_users):
 )
 self.assertEqual(r, True)
 
+ @patch("sql.utils.workflow_audit.auth_group_users")
+ @patch("sql.utils.workflow_audit.Audit.detail_by_workflow_id")
+ def test_cannot_review_self_sql_review(
+ self, _detail_by_workflow_id, _auth_group_users
+ ):
+ """测试确认用户不能审核自己提交的上线工单,非管理员拥有权限"""
+ self.sys_config.set("ban_self_audit", "true")
+ sql_review = Permission.objects.get(codename="sql_review")
+ self.user.user_permissions.add(sql_review)
+ aug = Group.objects.create(name="auth_group")
+ _detail_by_workflow_id.return_value.current_audit = aug.id
+ _auth_group_users.return_value.filter.exists = True
+ self.audit.workflow_type = WorkflowDict.workflow_type["sqlreview"]
+ self.audit.workflow_id = self.own_wf.id
+ self.audit.save()
+ r = Audit.can_review(
+ self.user, self.audit.workflow_id, self.audit.workflow_type
+ )
+ self.assertEqual(r, False)
+
 @patch("sql.utils.workflow_audit.auth_group_users")
 @patch("sql.utils.workflow_audit.Audit.detail_by_workflow_id")
 def test_can_review_query_review(self, _detail_by_workflow_id, _auth_group_users):
diff --git a/sql/utils/workflow_audit.py b/sql/utils/workflow_audit.py
index b684328218..c79efc401e 100644
--- a/sql/utils/workflow_audit.py
+++ b/sql/utils/workflow_audit.py
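Review bot: `test_cannot_review_self_sql_review` asserts only that `Audit.can_review` returns `False`, which is also the value `can_review` starts from, so the test can pass for reasons unrelated to `ban_self_audit`; whether it does depends on the `setUp` fixture, most of which lies outside these hunks. A paired assertion on the same `own_wf` fixture with the option off, `self.sys_config.set("ban_self_audit", "false")` followed by `self.assertEqual(r, True)`, would show that the ban is what blocks the review and would also pin how `SysConfig().get` interprets the stored string. The superuser exemption and the other two workflow types have no test. The option is left at `"true"` with no visible reset, so it is worth confirming that later tests do not inherit it.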
@@ -384,6 +384,27 @@ def can_review(user, workflow_id, workflow_type):
 )
 group_id = audit_info.group_id
 result = False
+
+ def get_workflow_applicant(workflow_id, workflow_type):
+ user = ""
+ if workflow_type == 1:
+ workflow = QueryPrivilegesApply.objects.get(apply_id=workflow_id)
+ user = workflow.user_name
+ elif workflow_type == 2:
+ workflow = SqlWorkflow.objects.get(id=workflow_id)
+ user = workflow.engineer
+ elif workflow_type == 3:
+ workflow = ArchiveConfig.objects.get(id=workflow_id)
+ user = workflow.user_name
+ return user
+
+ applicant = get_workflow_applicant(workflow_id, workflow_type)
+ if (
+ user.username == applicant
+ and not user.is_superuser
+ and SysConfig().get("ban_self_audit")
+ ):
+ return result
 # 只有待审核状态数据才可以审核
 if audit_info.current_status == WorkflowDict.workflow_status["audit_wait"]:
 try:
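Review bot: The new self-audit check fails open: in `get_workflow_applicant` any `workflow_type` other than 1, 2 or 3 leaves the applicant as `""`, so `user.username == applicant` is false and the ban is skipped without any signal. For a separation-of-duties control it is safer to treat an undetermined applicant as not reviewable while `ban_self_audit` is on, and to compare against the `WorkflowDict.workflow_type[...]` values (the tests already use `WorkflowDict.workflow_type["sqlreview"]`) rather than the bare literals. The applicant lookup also runs a query on every call, including when the option is off or the user is a superuser; testing `SysConfig().get("ban_self_audit") and not user.is_superuser` first and resolving the applicant only then avoids that, and keeps a missing row from raising in `.objects.get()` on installations that never enabled the option. The superuser exemption deserves a comment such as `# superusers are deliberately exempt from ban_self_audit`, since it leaves the most privileged accounts able to approve their own requests. `can_review` continues outside the hunk, so whether the approve action itself is gated by this function cannot be confirmed from here.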