TencentBlueKing · piglei · Jul 22, 2024 · Jul 19, 2024
diff --git a/apiserver/paasng/paasng/infras/accounts/permissions/application.py b/apiserver/paasng/paasng/infras/accounts/permissions/application.py
@@ -17,7 +17,7 @@
 
 import logging
 import time
-from typing import Type, Union
+from typing import Dict, Optional, Type, Union
 
 from django.conf import settings
 from iam.exceptions import AuthAPIError
@@ -75,6 +75,38 @@ def has_object_permission(self, request, view, obj: Union[Application, Module]):
     return AppModulePermission
 
 
+def app_view_actions_perm(
+    view_action_map: Dict[str, AppAction], default_action: Optional[AppAction] = None
+) -> Type[BasePermission]:
+    """Create a permission class for application view, it allows using different
+    application action for different view actions.
+
+    :param view_action_map: A map from view action to application action.
+    :param default_action: Optional, the default application action if the view action
+        is not found.
+    :return: Application permission class.
+    """
+
+    class AppViewActionsPermission(BaseAppPermission):
+        """The permission class for application and module."""
+
+        def has_object_permission(self, request, view, obj: Union[Application, Module]):
+            # Get the action from the view action map, if not found, use the default action.
+            action = view_action_map.get(view.action, default_action)
+            if not action:
+                raise ValueError('No app action found for view action "%s".' % view.action)
+
+            if isinstance(obj, Application):
+                return user_has_app_action_perm(request.user, obj, action)
+            elif isinstance(obj, Module):
+                return user_has_app_action_perm(request.user, obj.application, action)
+            else:
+                logger.error("Application permission checked on incorrect object, type: %s", type(obj))
+                return False
+
+    return AppViewActionsPermission
+
+
 def check_application_perm(user, application: Application, action: AppAction):
     """检查指定用户是否对应用的某个操作具有权限。"""
     if not user_has_app_action_perm(user, application, action):

diff --git a/apiserver/paasng/paasng/platform/environments/views.py b/apiserver/paasng/paasng/platform/environments/views.py
@@ -15,12 +15,13 @@
 # We undertake not to change the open source license (MIT license) applicable
 # to the current version of the project delivered to anyone in the future.
 
+
 from drf_yasg.utils import swagger_auto_schema
 from rest_framework import viewsets
 from rest_framework.permissions import IsAuthenticated
 from rest_framework.response import Response
 
-from paasng.infras.accounts.permissions.application import application_perm_class
+from paasng.infras.accounts.permissions.application import app_view_actions_perm
 from paasng.infras.iam.permissions.resources.application import AppAction
 from paasng.platform.applications.mixins import ApplicationCodeInPathMixin
 from paasng.platform.environments.utils import batch_save_protections
@@ -33,13 +34,15 @@
 class ModuleEnvRoleProtectionViewSet(ApplicationCodeInPathMixin, viewsets.GenericViewSet):
     queryset = EnvRoleProtection.objects.all()
     serializer_class = serializers.EnvRoleProtectionSLZ
-    permission_classes = [IsAuthenticated, application_perm_class(AppAction.MANAGE_ENV_PROTECTION)]
-
-    def get_permissions(self):
-        if self.action in ["list"]:
-            return [IsAuthenticated()]
-        else:
-            return [permission() for permission in self.permission_classes]
+    permission_classes = [
+        IsAuthenticated,
+        app_view_actions_perm(
+            {
+                "list": AppAction.VIEW_BASIC_INFO,
+            },
+            default_action=AppAction.MANAGE_ENV_PROTECTION,
+        ),
+    ]
 
     def get_envs(self, module_name, env):
         application = self.get_application()