From 795db14c7504f1b065f61772b8850c7290aafa13 Mon Sep 17 00:00:00 2001 From: zhangzhanwei Date: Mon, 18 Aug 2025 16:34:36 +0800 Subject: [PATCH] feat: Backend permissions for resource authorization --- apps/locales/en_US/LC_MESSAGES/django.po | 2 +- apps/locales/zh_CN/LC_MESSAGES/django.po | 2 +- apps/locales/zh_Hant/LC_MESSAGES/django.po | 2 +- .../views/user_resource_permission.py | 48 +++++++++++++++---- 4 files changed, 41 insertions(+), 13 deletions(-) diff --git a/apps/locales/en_US/LC_MESSAGES/django.po b/apps/locales/en_US/LC_MESSAGES/django.po index dfb96ee2e..63134d6df 100644 --- a/apps/locales/en_US/LC_MESSAGES/django.po +++ b/apps/locales/en_US/LC_MESSAGES/django.po @@ -8659,5 +8659,5 @@ msgstr "" msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text." msgstr "" -msgid "Resource authorization" +msgid "resource authorization" msgstr "" \ No newline at end of file diff --git a/apps/locales/zh_CN/LC_MESSAGES/django.po b/apps/locales/zh_CN/LC_MESSAGES/django.po index 7a8503c54..8abdf653b 100644 --- a/apps/locales/zh_CN/LC_MESSAGES/django.po +++ b/apps/locales/zh_CN/LC_MESSAGES/django.po @@ -8785,5 +8785,5 @@ msgstr "如果未传递,默认值为 这段音频在说什么,只回答音 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text." msgstr "Qwen-Omni 系列模型支持输入多种模态的数据,包括视频、音频、图片、文本,并输出音频与文本" -msgid "Resource authorization" +msgid "resource authorization" msgstr "资源授权" \ No newline at end of file diff --git a/apps/locales/zh_Hant/LC_MESSAGES/django.po b/apps/locales/zh_Hant/LC_MESSAGES/django.po index 380d9a290..06ec56659 100644 --- a/apps/locales/zh_Hant/LC_MESSAGES/django.po +++ b/apps/locales/zh_Hant/LC_MESSAGES/django.po 
@@ -8785,5 +8785,5 @@ msgstr "如果未傳遞,預設值為這段音訊在說什麼,只回答音訊 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text." msgstr "Qwen-Omni系列模型支持輸入多種模態的數據,包括視頻、音訊、圖片、文字,並輸出音訊與文字" -msgid "Resource authorization" +msgid "resource authorization" msgstr "資源授權" \ No newline at end of file diff --git a/apps/system_manage/views/user_resource_permission.py b/apps/system_manage/views/user_resource_permission.py index adb518cf9..2109f1dbb 100644 --- a/apps/system_manage/views/user_resource_permission.py +++ b/apps/system_manage/views/user_resource_permission.py @@ -15,7 +15,8 @@ from rest_framework.views import APIView from common import result from common.auth import TokenAuth from common.auth.authentication import has_permissions -from common.constants.permission_constants import PermissionConstants, RoleConstants, Permission, Group, Operate +from common.constants.permission_constants import RoleConstants, Permission, Group, Operate, ViewPermission, \ + CompareConstants from common.log.log import log from system_manage.api.user_resource_permission import UserResourcePermissionAPI, EditUserResourcePermissionAPI, \ ResourceUserPermissionAPI, ResourceUserPermissionPageAPI, ResourceUserPermissionEditAPI, \ 
@@ -114,9 +115,18 @@ class WorkspaceResourceUserPermissionView(APIView):
 tags=[_('Resources authorization')] # type: ignore
 )
 @has_permissions(
- lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
- operate=Operate.AUTH),
- RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+ lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+ operate=Operate.AUTH,
+ resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"),
+ lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+ operate=Operate.AUTH,
+ resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}"),
+ ViewPermission([RoleConstants.USER.get_workspace_role()],
+ [lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+ operate=Operate.SELF,
+ resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}")],
+ CompareConstants.AND),
+ RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
 def get(self, request: Request, workspace_id: str, target: str, resource: str):
 return result.success(ResourceUserPermissionSerializer(
 data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource,
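Review bot: The twelve added decorator arguments are the entire access rule for this endpoint and are repeated verbatim in the hunks at -139 (`put`) and -160 (paged `get`), so a later fix applied to one copy can silently leave the other two weaker; building the entries once in a module-level helper and applying it as `@has_permissions(*resource_auth_permissions())` would keep the three views in step. Each lambda also passes the `resource`, `workspace_id` and `target` URL kwargs straight into `Group(...)` and the `resource_path` f-string, so a missing or unexpected `resource` would presumably raise inside the permission check rather than produce a denial; `Group` and `has_permissions` are defined outside this diff, so that needs confirming against them. The role list no longer contains `RoleConstants.ADMIN`, and if that is deliberate a short comment above the decorator saying so (for example `# ADMIN role alone no longer grants access here`) would save the next reader from guessing. The decorated `get` body continues past the end of the hunk.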
@@ -139,9 +149,18 @@ class WorkspaceResourceUserPermissionView(APIView):
 get_operation_object=lambda r, k: get_user_operation_object(k.get('user_id'))
 )
 @has_permissions(
- lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
- operate=Operate.AUTH),
- RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+ lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+ operate=Operate.AUTH,
+ resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"),
+ lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+ operate=Operate.AUTH,
+ resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}"),
+ ViewPermission([RoleConstants.USER.get_workspace_role()],
+ [lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+ operate=Operate.SELF,
+ resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}")],
+ CompareConstants.AND),
+ RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
 def put(self, request: Request, workspace_id: str, target: str, resource: str):
 return result.success(ResourceUserPermissionSerializer(
 data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource, })
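Review bot: `put` is guarded by exactly the same entries as the two read endpoints, including the `ViewPermission` that admits `RoleConstants.USER` holding `Operate.SELF` on the target, so anyone allowed to view a resource's user permissions is also allowed to rewrite them. If `Operate.SELF` is meant as ownership this may be intended, but the write path is normally the stricter one, so it is worth confirming and recording above the decorator with a comment such as `# owners (Operate.SELF) may edit who can access their own resource`. The unchanged log hook just above reads `k.get('user_id')`, which is not among this view's `workspace_id`/`target`/`resource` parameters, so the audit record for a permission change may carry no operation object; logging `target` and `resource` there would make these edits traceable. The `put` body continues past the end of the hunk.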
@@ -160,9 +179,18 @@ class WorkspaceResourceUserPermissionView(APIView): tags=[_('Resources authorization')] # type: ignore ) @has_permissions( - lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'), - operate=Operate.AUTH), - RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role()) + lambda r, kwargs: Permission(group=Group(kwargs.get('resource')), + operate=Operate.AUTH, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"), + lambda r, kwargs: Permission(group=Group(kwargs.get('resource')), + operate=Operate.AUTH, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}"), + ViewPermission([RoleConstants.USER.get_workspace_role()], + [lambda r, kwargs: Permission(group=Group(kwargs.get('resource')), + operate=Operate.SELF, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}")], + CompareConstants.AND), + RoleConstants.WORKSPACE_MANAGE.get_workspace_role()) def get(self, request: Request, workspace_id: str, target: str, resource: str, current_page: int, page_size: int): return result.success(ResourceUserPermissionSerializer(