feat: Backend permissions for resource authorization

2025-12-26 01:33:05 +00:00 · 2025-08-18 16:34:36 +08:00 · 2025-08-18 16:34:36 +08:00 · 795db14c75
parent ed424428ac
commit 795db14c75
4 changed files with 41 additions and 13 deletions
--- a/apps/locales/en_US/LC_MESSAGES/django.po
+++ b/apps/locales/en_US/LC_MESSAGES/django.po
@ -8659,5 +8659,5 @@ msgstr ""
 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
 msgstr ""

-msgid "Resource authorization"
+msgid "resource authorization"
 msgstr ""
--- a/apps/locales/zh_CN/LC_MESSAGES/django.po
+++ b/apps/locales/zh_CN/LC_MESSAGES/django.po
@ -8785,5 +8785,5 @@ msgstr "如果未传递，默认值为 这段音频在说什么，只回答音
 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
 msgstr "Qwen-Omni 系列模型支持输入多种模态的数据，包括视频、音频、图片、文本，并输出音频与文本"

-msgid "Resource authorization"
+msgid "resource authorization"
 msgstr "资源授权"
--- a/apps/locales/zh_Hant/LC_MESSAGES/django.po
+++ b/apps/locales/zh_Hant/LC_MESSAGES/django.po
@ -8785,5 +8785,5 @@ msgstr "如果未傳遞，預設值為這段音訊在說什麼，只回答音訊
 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
 msgstr "Qwen-Omni系列模型支持輸入多種模態的數據，包括視頻、音訊、圖片、文字，並輸出音訊與文字"

-msgid "Resource authorization"
+msgid "resource authorization"
 msgstr "資源授權"
--- a/apps/system_manage/views/user_resource_permission.py
+++ b/apps/system_manage/views/user_resource_permission.py
@ -15,7 +15,8 @@ from rest_framework.views import APIView
 from common import result
 from common.auth import TokenAuth
 from common.auth.authentication import has_permissions
-from common.constants.permission_constants import PermissionConstants, RoleConstants, Permission, Group, Operate
+from common.constants.permission_constants import RoleConstants, Permission, Group, Operate, ViewPermission, \
+    CompareConstants
 from common.log.log import log
 from system_manage.api.user_resource_permission import UserResourcePermissionAPI, EditUserResourcePermissionAPI, \
    ResourceUserPermissionAPI, ResourceUserPermissionPageAPI, ResourceUserPermissionEditAPI, \
@ -114,9 +115,18 @@ class WorkspaceResourceUserPermissionView(APIView):
        tags=[_('Resources authorization')]  # type: ignore
    )
    @has_permissions(
-        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
-                                     operate=Operate.AUTH),
-        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"),
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}"),
+        ViewPermission([RoleConstants.USER.get_workspace_role()],
+                       [lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                                     operate=Operate.SELF,
+                                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}")],
+                       CompareConstants.AND),
+        RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
    def get(self, request: Request, workspace_id: str, target: str, resource: str):
        return result.success(ResourceUserPermissionSerializer(
            data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource,
@ -139,9 +149,18 @@ class WorkspaceResourceUserPermissionView(APIView):
         get_operation_object=lambda r, k: get_user_operation_object(k.get('user_id'))
         )
    @has_permissions(
-        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
-                                     operate=Operate.AUTH),
-        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"),
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}"),
+        ViewPermission([RoleConstants.USER.get_workspace_role()],
+                       [lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                                     operate=Operate.SELF,
+                                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}")],
+                       CompareConstants.AND),
+        RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
    def put(self, request: Request, workspace_id: str, target: str, resource: str):
        return result.success(ResourceUserPermissionSerializer(
            data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource, })
@ -160,9 +179,18 @@ class WorkspaceResourceUserPermissionView(APIView):
            tags=[_('Resources authorization')]  # type: ignore
        )
        @has_permissions(
-            lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
-                                         operate=Operate.AUTH),
-            RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+            lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                         operate=Operate.AUTH,
+                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"),
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}"),
+             ViewPermission([RoleConstants.USER.get_workspace_role()],
+                           [lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.SELF,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}")],
+                           CompareConstants.AND),
+            RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
        def get(self, request: Request, workspace_id: str, target: str, resource: str, current_page: int,
                page_size: int):
            return result.success(ResourceUserPermissionSerializer(