TencentBlueKing · benero · Oct 10, 2024 · Oct 10, 2024
diff --git a/itsm/role/serializers.py b/itsm/role/serializers.py
@@ -87,8 +87,9 @@ class UserRoleSerializer(DynamicFieldsModelSerializer):
     class Meta:
         model = UserRole
         fields = (
-        "id", "role_type", "name", "members", "project_key", "owners", "access", "desc", "role_key",
-        "creator", "is_builtin")
+            "id", "role_type", "name", "members", "project_key", "owners", "access", 
+            "desc", "role_key", "creator", "is_builtin")
+        create_only_fields = ("project_key", "is_builtin", "creator")
 
     def __init__(self, *args, **kwargs):
         super(UserRoleSerializer, self).__init__(*args, **kwargs)

diff --git a/itsm/ticket/models/ticket.py b/itsm/ticket/models/ticket.py
@@ -2179,10 +2179,6 @@ def can_supervise(self, username):
         )
 
     def iam_ticket_manage_auth(self, username):
-        # 本地开发环境，不校验单据管理权限
-        if settings.ENVIRONMENT == "dev":
-            return True
-
         iam_client = IamRequest(username=username)
         resource_info = {
             "resource_id": str(self.service_id),

diff --git a/itsm/ticket/permissions.py b/itsm/ticket/permissions.py
@@ -90,7 +90,6 @@ def has_object_permission(self, request, view, obj):
             "send_sms",
             "send_email",
             "master_or_slave",
-            "add_follower",
             "can_exception_distribute",
             "get_ticket_output",
             "get_step_process_info",
@@ -155,10 +154,6 @@ def has_object_permission(self, request, view, obj):
         return any([obj.can_operate(username)])
 
     def iam_ticket_manage_auth(self, request, obj):
-        # 本地开发环境，不校验单据管理权限
-        if settings.ENVIRONMENT == "dev":
-            return True
-
         iam_client = IamRequest(request)
         resource_info = {
             "resource_id": str(obj.service_id),

diff --git a/itsm/ticket_status/permissions.py b/itsm/ticket_status/permissions.py
@@ -59,7 +59,11 @@ def has_object_permission(self, request, view, obj):
 
 class TicketStatusPermit(IamAuthPermit):
     def has_permission(self, request, view):
-        if view.action == "get_configs":
+        # 关联实例的请求，需要针对对象进行鉴权
+        if view.action in getattr(view, "permission_free_actions", []):
+            return True
+
+        if view.action in ["get_configs"]:
             apply_actions = ["ticket_state_view", "platform_manage_access"]
         elif view.action in ["overall_ticket_statuses", "list", "next_over_status"]:
             return True

diff --git a/itsm/ticket_status/views.py b/itsm/ticket_status/views.py
@@ -201,6 +201,8 @@ def overall_ticket_statuses(self, request, *args, **kwargs):
 class StatusTransitViewSet(ModelViewSet):
     serializer_class = StatusTransitSerializer
     queryset = StatusTransit.objects.all()
+    permission_classes = (TicketStatusPermit,)
+    permission_free_actions = ["is_auto", "get_auto_detail"]
     pagination_class = None
 
     filter_fields = {

diff --git a/itsm/workflow/serializers/field.py b/itsm/workflow/serializers/field.py
@@ -173,7 +173,7 @@ class Meta:
             "project_key",
         ) + model.FIELDS
         read_only_fields = ("is_builtin", "key") + model.FIELDS
-        create_only_fields = ("is_builtin", "key", )
+        create_only_fields = ("is_builtin", "key", "project_key", )
 
     def __init__(self, *args, **kwargs):
         validator_class = kwargs.pop("validator_class", TemplateFieldValidator)