fix: 修复AuthSelectModelAdmin权限校验逻辑

amisadmin · amisadmin · commit c361789c1736 · 2023-08-24T16:55:04.000+08:00
diff --git a/fastapi_user_auth/mixins/admin.py b/fastapi_user_auth/mixins/admin.py
@@ -271,10 +271,15 @@ async def has_select_permission(self, request: Request, name: str) -> bool:
 
     async def get_select(self, request: Request) -> Select:
         sel = await super().get_select(request)
+        subject = await self.site.auth.get_current_user_identity(request)
+        if subject == SystemUserEnum.ROOT:
+            return sel
         for permission in self.select_permissions:
+            if not isinstance(permission, SelectPerm):
+                continue
             effect = await self.has_select_permission(request, permission.name)
             # 如果权限为反向权限,则判断用户是否没有权限
-            if effect or (permission.reverse and not effect):
+            if permission.reverse ^ effect:
                 sel = permission.call(self, request, sel)
                 if asyncio.iscoroutine(sel):
                     sel = await sel
diff --git a/fastapi_user_auth/mixins/schemas.py b/fastapi_user_auth/mixins/schemas.py
@@ -28,6 +28,8 @@ class SelectPerm:
     call: SelectPermCallable = None
 
     def __post_init__(self):
+        if self.call is None and hasattr(self, "_call"):
+            self.call = self._call
         assert self.call is not None, "call must be set"
 
 
@@ -42,7 +44,7 @@ def __post_init__(self):
         # 如果td为int,则表示秒数
         self.td = timedelta(seconds=self.td) if isinstance(self.td, int) else self.td
 
-    async def call(self, admin: ModelAdmin, request: Request, sel: Select) -> Select:
+    async def _call(self, admin: ModelAdmin, request: Request, sel: Select) -> Select:
         column = getattr(admin.model, self.time_column)
         return sel.where(column > datetime.now() - self.td)
 
@@ -53,7 +55,7 @@ class UserSelectPerm(SelectPerm):
 
     user_column: str = "user_id"
 
-    async def call(self, admin: ModelAdmin, request: Request, sel: Select) -> Select:
+    async def _call(self, admin: ModelAdmin, request: Request, sel: Select) -> Select:
         user_id = await admin.site.auth.get_current_user_identity(request, name="id")
         if not user_id:  # 未登录
             return sel.where(False)
@@ -68,7 +70,7 @@ class SimpleSelectPerm(SelectPerm):
     values: Union[List[str], List[int]] = None
     column: str = "status"
 
-    async def call(self, admin: ModelAdmin, request: Request, sel: Select) -> Select:
+    async def _call(self, admin: ModelAdmin, request: Request, sel: Select) -> Select:
         if not self.values:
             return sel
         column = getattr(admin.model, self.column)
@@ -83,7 +85,7 @@ class FilterSelectPerm(SelectPerm):
 
     filters: list = None
 
-    async def call(self, admin: ModelAdmin, request: Request, sel: Select) -> Select:
+    async def _call(self, admin: ModelAdmin, request: Request, sel: Select) -> Select:
         if not self.filters:
             return sel
         return sel.filter(*self.filters)
