diff --git a/apps/application/serializers/application.py b/apps/application/serializers/application.py index 85f646c83..a01a58200 100644 --- a/apps/application/serializers/application.py +++ b/apps/application/serializers/application.py @@ -347,14 +347,15 @@ class Query(serializers.Serializer): application_custom_sql_query_set = application_query_set application_query_set = application_query_set.order_by("-create_time") - return {'folder_query_set': folder_query_set, - 'application_query_set': application_query_set, - 'workspace_user_resource_permission_query_set': QuerySet(WorkspaceUserResourcePermission).filter( + resource_and_folder_query_set = QuerySet(WorkspaceUserResourcePermission).filter( auth_target_type="APPLICATION", workspace_id=workspace_id, - user_id=user_id)} if ( + user_id=user_id) + + return {'application_query_set': application_query_set, + 'workspace_user_resource_permission_query_set': resource_and_folder_query_set, + } if ( not workspace_manage) else { - 'folder_query_set': folder_query_set, 'application_query_set': application_query_set, 'application_custom_sql': application_custom_sql_query_set } diff --git a/apps/application/sql/list_application.sql b/apps/application/sql/list_application.sql index f57d2a655..3b6e863fd 100644 --- a/apps/application/sql/list_application.sql +++ b/apps/application/sql/list_application.sql 
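Review bot: `resource_and_folder_query_set` holds WorkspaceUserResourcePermission rows, not resources or folders, so the name misleads the next reader; something like `user_permission_query_set` describes what is filtered on `auth_target_type`, `workspace_id` and `user_id`. With the `'folder_query_set'` key removed from both branches of the conditional return, the `folder_query_set` computed earlier in this method (outside the hunk) appears to be dead and can presumably go, together with any import that only served it; confirm no remaining template still expands `${folder_query_set}` for applications. The enclosing method starts before the hunk.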
@@ -15,8 +15,5 @@ from (select application."id"::text, application."name", from application left join "user" on user_id = "user".id ${application_custom_sql} - UNION - select application_folder."id", application_folder."name", application_folder."desc", true as "is_publish", 'folder' as "type", 'folder' as "resource_type", application_folder."workspace_id", application_folder."parent_id" as "folder_id", application_folder."user_id", "user"."nick_name" as "nick_name", application_folder."create_time", application_folder."update_time", null as "publish_time", null as "icon" - from application_folder left join "user" - on user_id = "user".id ${folder_query_set}) temp + ) temp ${application_query_set} \ No newline at end of file diff --git a/apps/application/sql/list_application_user.sql b/apps/application/sql/list_application_user.sql index 54a901de7..c21c70675 100644 --- a/apps/application/sql/list_application_user.sql +++ b/apps/application/sql/list_application_user.sql @@ -16,21 +16,5 @@ from (select application."id"::text, application."name", left join "user" on user_id = "user".id where application."id" in (select target from workspace_user_resource_permission ${workspace_user_resource_permission_query_set} - and 'VIEW' = any (permission_list)) -UNION -select application_folder."id", - application_folder."name", - application_folder."desc", - true as "is_publish", - 'folder' as "type", - 'folder' as "resource_type", - application_folder."workspace_id", - application_folder."parent_id" as "folder_id", - application_folder."user_id", - "user"."nick_name" as "nick_name", - application_folder."create_time", - application_folder."update_time", - null as "publish_time", - null as "icon" -from application_folder - left join "user" on user_id = "user".id ${folder_query_set}) temp ${application_query_set} \ No newline at end of file + and 'VIEW' = any (permission_list))) temp +${application_query_set} \ No newline at end of file 
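Review bot: In list_application_user.sql the retained context line `where application."id" in (select target` compares a uuid column with `target`, which this same diff turns into a varchar column (see the migration and model hunks), and PostgreSQL has no implicit varchar-to-uuid cast, so the non-manager application listing will fail with an operator-does-not-exist error at runtime. The sibling templates (list_application_user_ee.sql, list_model_user.sql, list_model_user_ee.sql, list_knowledge_user_ee.sql, list_knowledge_application.sql) all received `"id"::text` in this diff; this one did not. Change the line to `where application."id"::text in (select target`. The same check is worth running on list_knowledge_user.sql, whose permission predicate lies outside its hunk here.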
diff --git a/apps/application/sql/list_application_user_ee.sql b/apps/application/sql/list_application_user_ee.sql index 3d98452ff..0fe61a140 100644 --- a/apps/application/sql/list_application_user_ee.sql +++ b/apps/application/sql/list_application_user_ee.sql @@ -14,7 +14,7 @@ from (select application."id"::text, application."name", application.icon from application left join "user" on user_id = "user".id - where "application".id in (select target + where "application".id::text in (select target from workspace_user_resource_permission ${workspace_user_resource_permission_query_set} and case when auth_type = 'ROLE' then @@ -33,22 +33,5 @@ from (select application."id"::text, application."name", else 'VIEW' = any (permission_list) - end) -UNION -select application_folder."id", - application_folder."name", - application_folder."desc", - true as "is_publish", - 'folder' as "type", - 'folder' as "resource_type", - application_folder."workspace_id", - application_folder."parent_id" as "folder_id", - application_folder."user_id", - "user"."nick_name" as "nick_name", - application_folder."create_time", - application_folder."update_time", - null as "publish_time", - null as "icon" - -from application_folder - left join "user" on user_id = "user".id ${folder_query_set}) temp ${application_query_set} \ No newline at end of file + end)) temp +${application_query_set} \ No newline at end of file diff --git a/apps/common/constants/permission_constants.py b/apps/common/constants/permission_constants.py index b1ce7bf57..d6c08bf6a 100644 --- a/apps/common/constants/permission_constants.py +++ b/apps/common/constants/permission_constants.py @@ -88,6 +88,10 @@ class Group(Enum): OVERVIEW = "OVERVIEW" OPERATION_LOG = "OPERATION_LOG" + APPLICATION_FOLDER = "APPLICATION_FOLDER" + KNOWLEDGE_FOLDER = "KNOWLEDGE_FOLDER" + TOOL_FOLDER = "TOOL_FOLDER" + class SystemGroup(Enum): """ 
@@ -203,8 +207,11 @@ class ResourcePermission(models.TextChoices): class Resource(models.TextChoices): KNOWLEDGE = Group.KNOWLEDGE.value + KNOWLEDGE_FOLDER = Group.KNOWLEDGE_FOLDER.value APPLICATION = Group.APPLICATION.value + APPLICATION_FOLDER = Group.APPLICATION_FOLDER.value TOOL = Group.TOOL.value + TOOL_FOLDER = Group.TOOL_FOLDER.value MODEL = Group.MODEL.value def __eq__(self, other): @@ -222,10 +229,16 @@ class ResourcePermissionGroup: class ResourcePermissionConst: KNOWLEDGE_MANGE = ResourcePermissionGroup(Resource.KNOWLEDGE, ResourcePermission.MANAGE) + KNOWLEDGE_FOLDER_MANGE = ResourcePermissionGroup(Resource.KNOWLEDGE_FOLDER, ResourcePermission.MANAGE) + KNOWLEDGE_FOLDER_VIEW = ResourcePermissionGroup(Resource.KNOWLEDGE_FOLDER, ResourcePermission.VIEW) KNOWLEDGE_VIEW = ResourcePermissionGroup(Resource.KNOWLEDGE, ResourcePermission.VIEW) APPLICATION_MANGE = ResourcePermissionGroup(Resource.APPLICATION, ResourcePermission.MANAGE) + APPLICATION_FOLDER_MANGE = ResourcePermissionGroup(Resource.APPLICATION_FOLDER, ResourcePermission.MANAGE) + APPLICATION_FOLDER_VIEW = ResourcePermissionGroup(Resource.APPLICATION_FOLDER, ResourcePermission.VIEW) APPLICATION_VIEW = ResourcePermissionGroup(Resource.APPLICATION, ResourcePermission.VIEW) TOOL_MANGE = ResourcePermissionGroup(Resource.TOOL, ResourcePermission.MANAGE) + TOOL_FOLDER_MANGE = ResourcePermissionGroup(Resource.TOOL_FOLDER, ResourcePermission.MANAGE) + TOOL_FOLDER_VIEW = ResourcePermissionGroup(Resource.TOOL_FOLDER, ResourcePermission.VIEW) TOOL_VIEW = ResourcePermissionGroup(Resource.TOOL, ResourcePermission.VIEW) MODEL_MANGE = ResourcePermissionGroup(Resource.MODEL, ResourcePermission.MANAGE) MODEL_VIEW = ResourcePermissionGroup(Resource.MODEL, ResourcePermission.VIEW) 
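Review bot: The six `*_FOLDER_MANGE` / `*_FOLDER_VIEW` groups added to ResourcePermissionConst are not referenced by the folder permissions introduced in the PermissionConstants hunk of this file, which bind `APPLICATION_FOLDER_READ`/`EDIT` and the KNOWLEDGE/TOOL equivalents to the plain `APPLICATION_VIEW`/`APPLICATION_MANGE` groups instead. That choice is consistent with check_member_permission_target_exists.sql, where folder grants are stored under the parent resource's `auth_target_type`, so the new constants (and the matching `Resource.*_FOLDER` members) look unused. Either drop them or add a comment next to them stating which code path is meant to use them, e.g. `# folder grants share the parent resource's auth_target_type; these groups are reserved for folder-scoped checks`.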
@@ -437,6 +450,30 @@ class PermissionConstants(Enum): TOOL = Permission( group=Group.TOOL, operate=Operate.SELF, role_list=[RoleConstants.ADMIN, RoleConstants.USER], ) + APPLICATION_FOLDER_READ = Permission( + group=Group.APPLICATION_FOLDER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_VIEW] + ) + APPLICATION_FOLDER_EDIT = Permission( + group=Group.APPLICATION_FOLDER, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE] + ) + KNOWLEDGE_FOLDER_READ = Permission( + group=Group.KNOWLEDGE_FOLDER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW] + ) + KNOWLEDGE_FOLDER_EDIT = Permission( + group=Group.KNOWLEDGE_FOLDER, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE] + ) + TOOL_FOLDER_READ = Permission( + group=Group.TOOL_FOLDER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], + resource_permission_group_list=[ResourcePermissionConst.TOOL_VIEW] + ) + TOOL_FOLDER_EDIT = Permission( + group=Group.TOOL_FOLDER, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], + resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE] + ) USER_READ = Permission( group=Group.USER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], diff --git a/apps/folders/serializers/folder.py b/apps/folders/serializers/folder.py index 18e3e3e77..3b8d288bc 100644 --- a/apps/folders/serializers/folder.py +++ b/apps/folders/serializers/folder.py 
@@ -2,7 +2,7 @@ import uuid_utils.compat as uuid from django.db import transaction -from django.db.models import QuerySet, Q +from django.db.models import QuerySet, Q, Func, F from django.utils.translation import gettext_lazy as _ from rest_framework import serializers @@ -269,7 +269,8 @@ class FolderTreeSerializer(serializers.Serializer): return True # 需要重建 return False - def get_folder_tree(self, name=None): + def get_folder_tree(self, + current_user, name=None): self.is_valid(raise_exception=True) Folder = get_folder_type(self.data.get('source')) # noqa @@ -280,15 +281,21 @@ class FolderTreeSerializer(serializers.Serializer): if self._check_tree_integrity(workspace_folders): Folder.objects.rebuild() + workspace_manage = is_workspace_manage(current_user.id, self.data.get('workspace_id')) + + base_q = Q(workspace_id=self.data.get('workspace_id')) + if name is not None: - nodes = Folder.objects.filter( - Q(workspace_id=self.data.get('workspace_id')) & - Q(name__contains=name) - ).get_cached_trees() - else: - nodes = Folder.objects.filter( - Q(workspace_id=self.data.get('workspace_id')) - ).get_cached_trees() + base_q &= Q(name__contains=name) + if not workspace_manage: + base_q &= Q(id__in=WorkspaceUserResourcePermission.objects.filter(user_id=current_user.id, + auth_target_type=self.data.get('source'), + workspace_id=self.data.get('workspace_id'), + permission_list__contains=['VIEW']) + .values_list( + 'target', flat=True)) + + nodes = Folder.objects.filter(base_q).get_cached_trees() TreeSerializer = get_folder_tree_serializer(self.data.get('source')) # noqa serializer = TreeSerializer(nodes, many=True) diff --git a/apps/folders/views/folder.py b/apps/folders/views/folder.py index a774a565a..d57d080ee 100644 --- a/apps/folders/views/folder.py +++ b/apps/folders/views/folder.py 
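Review bot: The import hunk adds `Func, F`, neither of which is used by the visible changes, while `is_workspace_manage` and `WorkspaceUserResourcePermission`, which `get_folder_tree` now does use, are not imported anywhere in this diff — presumably they are already in scope above the hunk, but verify rather than rely on it. `get_folder_tree(self, current_user, name=None)` inserts a required positional parameter in front of `name`, so any caller not updated in this diff that passes the name positionally now silently sends it as `current_user`; making `name` keyword-only (`def get_folder_tree(self, current_user, *, name=None)`) and calling `get_folder_tree(request.user, name=...)` in the view turns that into an immediate error. For non-managers the filter keeps only folders with an explicit `VIEW` grant, so a granted subfolder whose ancestors are not granted will presumably surface as a root in `get_cached_trees()`; if that is intended, a one-line comment on the `id__in` filter should say so. The enclosing method's tail is outside the hunk.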
@@ -6,7 +6,8 @@ from rest_framework.views import APIView from common.auth import TokenAuth from common.auth.authentication import has_permissions -from common.constants.permission_constants import Permission, Group, Operate, RoleConstants +from common.constants.permission_constants import Permission, Group, Operate, RoleConstants, ViewPermission, \ + PermissionConstants, CompareConstants from common.log.log import log from common.result import result from folders.api.folder import FolderCreateAPI, FolderEditAPI, FolderReadAPI, FolderTreeReadAPI, FolderDeleteAPI @@ -37,9 +38,17 @@ class FolderView(APIView): tags=[_('Folder')] # type: ignore ) @has_permissions( - lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.CREATE, - resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"), - RoleConstants.WORKSPACE_MANAGE.get_workspace_role(), RoleConstants.USER.get_workspace_role() + lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_FOLDER"), operate=Operate.EDIT, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{r.data.get('parent_id')}"), + lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.EDIT, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE" + ), + lambda r, kwargs: ViewPermission([RoleConstants.USER.get_workspace_role()], + [Permission(group=Group(f"{kwargs.get('source')}_FOLDER"), + operate=Operate.SELF, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{r.data.get('parent_id')}" + )], CompareConstants.AND), + RoleConstants.WORKSPACE_MANAGE.get_workspace_role() ) @log( menu='folder', operate='Create folder', 
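Review bot: The three-lambda permission stack added to the create endpoint is repeated almost verbatim in the edit and delete hunks of this file, differing only in `r.data.get('parent_id')` versus `kwargs.get('folder_id')`, and the folder `resource_path` is built twice inside each stack. A module-level factory that returns the three callables for a given id accessor, spread into `@has_permissions(*folder_permissions(...), RoleConstants.WORKSPACE_MANAGE.get_workspace_role())`, would keep the authorization rule in one reviewable place (if `has_permissions` accepts only per-item callables, the factory can return a tuple of them). For create, `r.data.get('parent_id')` is `None` for a root-level folder, so the path ends in `/None`; how the resource_path matcher treats that is not visible here — confirm it and either normalize to the root folder id or document it with `# root folders: parent_id is None, resource_path ends in /None`.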
@@ -63,7 +72,8 @@ class FolderView(APIView): tags=[_('Folder')] # type: ignore ) @has_permissions( - lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_WORKSPACE_USER_RESOURCE_PERMISSION"), operate= Operate.READ, + lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_WORKSPACE_USER_RESOURCE_PERMISSION"), + operate=Operate.READ, resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"), lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.READ, resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"), @@ -73,7 +83,7 @@ class FolderView(APIView): def get(self, request: Request, workspace_id: str, source: str): return result.success(FolderTreeSerializer( data={'workspace_id': workspace_id, 'source': source} - ).get_folder_tree(request.query_params.get('name'))) + ).get_folder_tree(request.user, request.query_params.get('name'))) class Operate(APIView): authentication_classes = [TokenAuth] @@ -90,8 +100,17 @@ class FolderView(APIView): ) @has_permissions( lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.EDIT, - resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"), - RoleConstants.WORKSPACE_MANAGE.get_workspace_role(), RoleConstants.USER.get_workspace_role() + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE" + ), + lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_FOLDER"), operate=Operate.EDIT, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{kwargs.get('folder_id')}" + ), + lambda r, kwargs: ViewPermission([RoleConstants.USER.get_workspace_role()], + [Permission(group=Group(f"{kwargs.get('source')}_FOLDER"), + operate=Operate.SELF, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{kwargs.get('folder_id')}" + )], CompareConstants.AND), + RoleConstants.WORKSPACE_MANAGE.get_workspace_role() ) @log( menu='folder', operate='Edit folder', 
@@ -132,9 +151,18 @@ class FolderView(APIView): tags=[_('Folder')] # type: ignore ) @has_permissions( - lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.DELETE, - resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}"), - RoleConstants.WORKSPACE_MANAGE.get_workspace_role(), RoleConstants.USER.get_workspace_role() + lambda r, kwargs: Permission(group=Group(kwargs.get('source')), operate=Operate.EDIT, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE" + ), + lambda r, kwargs: Permission(group=Group(f"{kwargs.get('source')}_FOLDER"), operate=Operate.EDIT, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{kwargs.get('folder_id')}" + ), + lambda r, kwargs: ViewPermission([RoleConstants.USER.get_workspace_role()], + [Permission(group=Group(f"{kwargs.get('source')}_FOLDER"), + operate=Operate.SELF, + resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('source')}/{kwargs.get('folder_id')}" + )], CompareConstants.AND), + RoleConstants.WORKSPACE_MANAGE.get_workspace_role() ) @log( menu='folder', operate='Delete folder', diff --git a/apps/knowledge/serializers/knowledge.py b/apps/knowledge/serializers/knowledge.py index 266b10f4a..417e9c0b1 100644 --- a/apps/knowledge/serializers/knowledge.py +++ b/apps/knowledge/serializers/knowledge.py @@ -161,7 +161,7 @@ class KnowledgeSerializer(serializers.Serializer): query_set_dict['knowledge_custom_sql'] = QuerySet(model=get_dynamics_model({ 'knowledge.workspace_id': models.CharField(), })).filter(**{'knowledge.workspace_id': workspace_id}) - query_set_dict['folder_query_set'] = folder_query_set + # query_set_dict['folder_query_set'] = folder_query_set if not workspace_manage: query_set_dict['workspace_user_resource_permission_query_set'] = QuerySet( WorkspaceUserResourcePermission).filter( 
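Review bot: Folder deletion is now authorized with `Operate.EDIT` on `Group(source)` instead of the previous `Operate.DELETE`, so any principal holding edit rights on the resource group can delete folders. If DELETE is deliberately folded into EDIT for folders — this diff adds `*_FOLDER_READ`/`*_FOLDER_EDIT` to PermissionConstants but no `*_FOLDER_DELETE` — state that next to the decorator, e.g. `# folder delete is governed by EDIT; there is no separate DELETE permission for folders`, so the loosening is visibly intentional. The `ViewPermission` branch only checks `SELF` on the folder itself; whether a user can thereby remove a folder containing resources they do not own depends on the serializer, which is outside this hunk.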
@@ -321,7 +321,6 @@ class KnowledgeSerializer(serializers.Serializer): 'knowledge_custom_sql': QuerySet( model=get_dynamics_model({'knowledge.id': models.CharField()}) ).filter(**{'knowledge.id': self.data.get("knowledge_id")}), - 'folder_query_set': QuerySet(KnowledgeFolder) } if not workspace_manage: query_set_dict['workspace_user_resource_permission_query_set'] = QuerySet( diff --git a/apps/knowledge/sql/list_knowledge.sql b/apps/knowledge/sql/list_knowledge.sql index af51263ad..b8ff5a1ff 100644 --- a/apps/knowledge/sql/list_knowledge.sql +++ b/apps/knowledge/sql/list_knowledge.sql @@ -28,26 +28,5 @@ FROM (SELECT "temp_knowledge".id::text, "temp_knowledge".name, GROUP BY knowledge_id) app_knowledge_temp ON temp_knowledge."id" = "app_knowledge_temp".knowledge_id left join "user" on "user".id = temp_knowledge.user_id - UNION - SELECT knowledge_folder."id", - knowledge_folder."name", - knowledge_folder."desc", - 0 as "type", - 'folder' as "resource_type", - knowledge_folder."workspace_id", - knowledge_folder."parent_id" as "folder_id", - knowledge_folder."user_id", - "user"."nick_name" as "nick_name", - knowledge_folder."create_time", - knowledge_folder."update_time", - 0 as file_size_limit, - 0 as file_count_limit, - 'WORKSPACE' as "scope", - '' as "embedding_model_id", - 0 as char_length, - '{}'::jsonb as meta, - 0 as application_mapping_count, - 0 as document_count - from knowledge_folder left join "user" - on "user".id = user_id ${folder_query_set}) temp + ) temp ${default_sql} \ No newline at end of file diff --git a/apps/knowledge/sql/list_knowledge_application.sql b/apps/knowledge/sql/list_knowledge_application.sql index 3963f0ac0..155a64814 100644 --- a/apps/knowledge/sql/list_knowledge_application.sql +++ b/apps/knowledge/sql/list_knowledge_application.sql 
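Review bot: `# query_set_dict['folder_query_set'] = folder_query_set` in the first knowledge.py hunk is commented-out code; delete the line instead of keeping it, as the second hunk already does for its key. After both hunks the `folder_query_set` built in the first method and the `KnowledgeFolder` name used by the second look unreferenced — the enclosing methods start outside the hunks, so confirm and remove the dead binding and any import that only served it.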
@@ -3,10 +3,11 @@ SELECT FROM application WHERE - user_id = %s UNION + user_id = %s +UNION SELECT * FROM application WHERE - "id" in (select target from workspace_user_resource_permission where auth_target_type = 'APPLICATION' and 'VIEW' = any (permission_list)) \ No newline at end of file + "id"::text in (select target from workspace_user_resource_permission where auth_target_type = 'APPLICATION' and 'VIEW' = any (permission_list)) \ No newline at end of file diff --git a/apps/knowledge/sql/list_knowledge_user.sql b/apps/knowledge/sql/list_knowledge_user.sql index a07e33fce..161255e27 100644 --- a/apps/knowledge/sql/list_knowledge_user.sql +++ b/apps/knowledge/sql/list_knowledge_user.sql @@ -33,26 +33,5 @@ FROM (SELECT "temp_knowledge".id::text, "temp_knowledge".name, GROUP BY knowledge_id) app_knowledge_temp ON temp_knowledge."id" = "app_knowledge_temp".knowledge_id left join "user" on "user".id = temp_knowledge.user_id - UNION - SELECT knowledge_folder."id", - knowledge_folder."name", - knowledge_folder."desc", - 0 as "type", - 'folder' as "resource_type", - knowledge_folder."workspace_id", - knowledge_folder."parent_id" as "folder_id", - knowledge_folder."user_id", - "user".nick_name as "nick_name", - knowledge_folder."create_time", - knowledge_folder."update_time", - 0 as file_size_limit, - 0 as file_count_limit, - 'WORKSPACE' as "scope", - '' as embedding_model_id, - 0 as char_length, - '{}'::jsonb as meta, - 0 as application_mapping_count, - 0 as document_count - from knowledge_folder left join "user" - on "user".id = user_id ${folder_query_set}) temp + ) temp ${default_sql} \ No newline at end of file diff --git a/apps/knowledge/sql/list_knowledge_user_ee.sql b/apps/knowledge/sql/list_knowledge_user_ee.sql index 2bef67044..cc43c88ea 100644 --- a/apps/knowledge/sql/list_knowledge_user_ee.sql +++ b/apps/knowledge/sql/list_knowledge_user_ee.sql 
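Review bot: The subquery on the new line in list_knowledge_application.sql is scoped only by `auth_target_type = 'APPLICATION'` and `'VIEW' = any (permission_list)`, with no `user_id` or `workspace_id` predicate, so the second UNION branch returns every application that any user in any workspace has a VIEW grant on; the sibling templates take `${workspace_user_resource_permission_query_set}` for exactly this restriction. The gap predates the `::text` fix, but the rewritten line is the one under review — unless the caller constrains the result elsewhere, add `and user_id = %s and workspace_id = %s` and pass the two parameters alongside the existing one. Since folder grants now share `auth_target_type = 'APPLICATION'`, the `"id"::text in (...)` comparison stays correct: folder ids simply never match an application id.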
@@ -22,7 +22,7 @@ FROM (SELECT "temp_knowledge".id::text, "temp_knowledge".name, "document_temp".document_count FROM (SELECT knowledge.* FROM knowledge knowledge ${knowledge_custom_sql} - AND "knowledge".id in (select target + AND "knowledge".id::text in (select target from workspace_user_resource_permission ${workspace_user_resource_permission_query_set} and case @@ -47,26 +47,5 @@ FROM (SELECT "temp_knowledge".id::text, "temp_knowledge".name, GROUP BY knowledge_id) app_knowledge_temp ON temp_knowledge."id" = "app_knowledge_temp".knowledge_id left join "user" on "user".id = temp_knowledge.user_id - UNION - SELECT knowledge_folder."id", - knowledge_folder."name", - knowledge_folder."desc", - 0 as "type", - 'folder' as "resource_type", - knowledge_folder."workspace_id", - knowledge_folder."parent_id" as "folder_id", - knowledge_folder."user_id", - "user".nick_name as "nick_name", - knowledge_folder."create_time", - knowledge_folder."update_time", - 0 as file_size_limit, - 0 as file_count_limit, - 'WORKSPACE' as "scope", - '' as embedding_model_id, - 0 as char_length, - '{}'::jsonb as meta, - 0 as application_mapping_count, - 0 as document_count - from knowledge_folder left join "user" - on "user".id = user_id ${folder_query_set}) temp + ) temp ${default_sql} \ No newline at end of file diff --git a/apps/models_provider/sql/list_model_user.sql b/apps/models_provider/sql/list_model_user.sql index 00cc68699..df50d538a 100644 --- a/apps/models_provider/sql/list_model_user.sql +++ b/apps/models_provider/sql/list_model_user.sql @@ -13,6 +13,6 @@ FROM (SELECT model."id"::text, model."name", model.workspace_id from model left join "user" on user_id = "user".id - where model."id" in (select target + where model."id"::text in (select target from workspace_user_resource_permission ${workspace_user_resource_permission_query_set} and 'VIEW' = any (permission_list)) ) temp ${model_query_set} 
diff --git a/apps/models_provider/sql/list_model_user_ee.sql b/apps/models_provider/sql/list_model_user_ee.sql index f527871ef..88590546e 100644 --- a/apps/models_provider/sql/list_model_user_ee.sql +++ b/apps/models_provider/sql/list_model_user_ee.sql @@ -13,7 +13,7 @@ FROM (SELECT model."id"::text, model."name", model.workspace_id from model left join "user" on user_id = "user".id - where model."id" in (select target + where model."id"::text in (select target from workspace_user_resource_permission ${workspace_user_resource_permission_query_set} and case when auth_type = 'ROLE' then diff --git a/apps/system_manage/migrations/0003_alter_workspaceuserresourcepermission_target.py b/apps/system_manage/migrations/0003_alter_workspaceuserresourcepermission_target.py new file mode 100644 index 000000000..be6f82840 --- /dev/null +++ b/apps/system_manage/migrations/0003_alter_workspaceuserresourcepermission_target.py @@ -0,0 +1,18 @@ +# Generated by Django 5.2.6 on 2025-10-11 02:54 + +from django.db import migrations, models + + +class Migration(migrations.Migration): + + dependencies = [ + ('system_manage', '0002_refresh_collation_reindex'), + ] + + operations = [ + migrations.AlterField( + model_name='workspaceuserresourcepermission', + name='target', + field=models.CharField(db_index=True, max_length=128, verbose_name='知识库/应用id'), + ), + ] diff --git a/apps/system_manage/models/workspace_user_permission.py b/apps/system_manage/models/workspace_user_permission.py index 13754b61e..07c8cffd1 100644 --- a/apps/system_manage/models/workspace_user_permission.py +++ b/apps/system_manage/models/workspace_user_permission.py 
@@ -38,7 +38,7 @@ class WorkspaceUserResourcePermission(models.Model): auth_target_type = models.CharField(verbose_name='授权目标', max_length=128, choices=AuthTargetType.choices, default=AuthTargetType.KNOWLEDGE, db_index=True) # 授权的知识库或者应用的id - target = models.UUIDField(max_length=128, verbose_name="知识库/应用id", db_index=True) + target = models.CharField(max_length=128, verbose_name="知识库/应用id", db_index=True) # 授权类型 如果是Role那么就是角色的权限 如果是PERMISSION auth_type = models.CharField(default=False, verbose_name="授权类型", choices=ResourceAuthType.choices, diff --git a/apps/system_manage/serializers/user_resource_permission.py b/apps/system_manage/serializers/user_resource_permission.py index 05f3444f8..a58307352 100644 --- a/apps/system_manage/serializers/user_resource_permission.py +++ b/apps/system_manage/serializers/user_resource_permission.py @@ -73,7 +73,7 @@ class UpdateUserResourcePermissionRequest(serializers.Serializer): illegal_target_id_list = select_list( get_file_content( os.path.join(PROJECT_DIR, "apps", "system_manage", 'sql', 'check_member_permission_target_exists.sql')), - [json.dumps(user_resource_permission_list), workspace_id, workspace_id, workspace_id, workspace_id]) + [json.dumps(user_resource_permission_list), workspace_id, workspace_id, workspace_id, workspace_id,workspace_id,workspace_id,workspace_id]) if illegal_target_id_list is not None and len(illegal_target_id_list) > 0: raise AppApiException(500, _('Non-existent id[') + str(illegal_target_id_list) + ']') @@ -85,6 +85,7 @@ m_map = { 'MODEL': Model, 'APPLICATION': Application, } + sql_map = { "KNOWLEDGE": 'get_knowledge_user_resource_permission.sql', 'TOOL': 'get_tool_user_resource_permission.sql', 
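Review bot: Changing `target` from UUIDField to CharField removes the model-level format check: any string up to 128 characters can now be stored in an indexed authorization column, and the only validation left is the existence query in UpdateUserResourcePermissionRequest, which guards just that write path. Folder ids are evidently not uuids (the templates compare them as text and use `'default'`), so a plain UUID validator is not an option, but a `validators=[RegexValidator(...)]` limited to the accepted id alphabet plus a comment would keep arbitrary text out; at minimum document it, e.g. `# text, not uuid: targets are resource ids or folder ids; format is checked by check_member_permission_target_exists.sql`. The preceding Chinese comment and the verbose_name still describe the column as a knowledge/application id, which is now incomplete.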
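Review bot: The parameter list `[json.dumps(user_resource_permission_list), workspace_id, workspace_id, workspace_id, workspace_id,workspace_id,workspace_id,workspace_id]` must match the seven `%s` placeholders in check_member_permission_target_exists.sql exactly, and a literal run of seven repeats is easy to miscount on the next edit. `[json.dumps(user_resource_permission_list), *([workspace_id] * 7)]` with the comment `# one workspace_id per UNION branch in check_member_permission_target_exists.sql` ties the count to the template and also fixes the missing spaces after the commas.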
@@ -130,6 +131,8 @@ class UserResourcePermissionSerializer(serializers.Serializer): return { 'query_set': QuerySet(m_map.get(self.data.get('auth_target_type'))).filter( workspace_id=self.data.get('workspace_id')), + 'folder_query_set': QuerySet(m_map.get(self.data.get('auth_target_type'))).filter( + workspace_id=self.data.get('workspace_id')), 'workspace_user_resource_permission_query_set': QuerySet(WorkspaceUserResourcePermission).filter( workspace_id=self.data.get('workspace_id'), user=self.data.get('user_id'), auth_target_type=self.data.get('auth_target_type')), diff --git a/apps/system_manage/sql/check_member_permission_target_exists.sql b/apps/system_manage/sql/check_member_permission_target_exists.sql index 3f1bc0824..dc21460f5 100644 --- a/apps/system_manage/sql/check_member_permission_target_exists.sql +++ b/apps/system_manage/sql/check_member_permission_target_exists.sql 
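Review bot: `folder_query_set` is built from `m_map.get(self.data.get('auth_target_type'))`, i.e. the resource model (Application, Knowledge, Tool, Model), yet the templates in this diff expand `${folder_query_set}` after `FROM application_folder` / `knowledge_folder` / `tool_folder`; if the template helper emits the model's table-qualified column (`"application"."workspace_id"`), PostgreSQL rejects the query with a missing FROM-clause entry. Build it from the matching folder model, or from a dynamics model keyed on the bare column name as knowledge.py does with `get_dynamics_model`, and exercise the non-manager listing to confirm. It is also byte-identical to the `query_set` entry above it; if that is intentional a short comment should say why two keys carry the same filter.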
@@ -1,37 +1,45 @@ -SELECT - static_temp."target_id"::text -FROM - (SELECT * FROM json_to_recordset( - %s - ) AS x(target_id uuid,auth_target_type text)) static_temp - LEFT JOIN ( - SELECT - "id", - 'KNOWLEDGE' AS "auth_target_type" - FROM - knowledge - WHERE workspace_id= %s - UNION - SELECT - "id", - 'APPLICATION' AS "auth_target_type" - FROM - application - WHERE workspace_id= %s - UNION - SELECT - "id", - 'MODEL' AS "auth_target_type" - FROM - model - WHERE workspace_id= %s - UNION - SELECT - "id", - 'TOOL' AS "auth_target_type" - FROM - tool - WHERE workspace_id= %s - ) "app_and_knowledge_temp" - ON "app_and_knowledge_temp"."id" = static_temp."target_id" and app_and_knowledge_temp."auth_target_type"=static_temp."auth_target_type" - WHERE app_and_knowledge_temp.id is NULL ; \ No newline at end of file +SELECT static_temp."target_id"::text +FROM (SELECT * + FROM json_to_recordset( + %s + ) AS x(target_id text, auth_target_type text)) static_temp + LEFT JOIN (SELECT id::text AS id, + auth_target_type + FROM (SELECT "id"::text, + 'KNOWLEDGE' AS "auth_target_type" + FROM knowledge + WHERE workspace_id = %s + UNION + SELECT "id"::text, + 'KNOWLEDGE' AS "auth_target_type" + FROM knowledge_folder + WHERE workspace_id = %s + UNION + SELECT "id"::text, + 'APPLICATION' AS "auth_target_type" + FROM application + WHERE workspace_id = %s + UNION + SELECT "id"::text, + 'APPLICATION' AS "auth_target_type" + FROM application_folder + WHERE workspace_id = %s + UNION + SELECT "id"::text, + 'MODEL' AS "auth_target_type" + FROM model + WHERE workspace_id = %s + UNION + SELECT "id"::text, + 'TOOL' AS "auth_target_type" + FROM tool + WHERE workspace_id = %s + UNION + SELECT "id"::text, + 'TOOL' AS "auth_target_type" + FROM tool_folder + WHERE workspace_id = %s + ) "union_temp") "app_and_knowledge_temp" + ON "app_and_knowledge_temp"."id" = static_temp."target_id" and + app_and_knowledge_temp."auth_target_type" = static_temp."auth_target_type" +WHERE app_and_knowledge_temp.id is NULL; 
\ No newline at end of file diff --git a/apps/system_manage/sql/get_application_user_resource_permission.sql b/apps/system_manage/sql/get_application_user_resource_permission.sql index 688b1b1ab..79c133080 100644 --- a/apps/system_manage/sql/get_application_user_resource_permission.sql +++ b/apps/system_manage/sql/get_application_user_resource_permission.sql 
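Review bot: The wrapper `SELECT id::text AS id, auth_target_type FROM (…) "union_temp"` re-casts values every branch already emits as `"id"::text`, so it adds a subquery level without changing anything; the LEFT JOIN can read from the UNION directly. With `target_id text` replacing `uuid` in `json_to_recordset`, a malformed id no longer aborts the statement at the cast but comes back in `illegal_target_id_list`, which is the better failure mode — but this query is now the only format gate for an authorization target, and a header comment such as `-- returns submitted target ids that do not exist as a resource or folder of this workspace; sole validation of target format` would make that responsibility explicit. `UNION` can be `UNION ALL`: the branches select from different tables with different `auth_target_type` literals, so duplicates cannot arise and the dedup sort is wasted.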
@@ -1,38 +1,44 @@ -SELECT - app_or_knowledge.*, - CASE - WHEN - wurp."permission" is null then 'NOT_AUTH' - ELSE wurp."permission" - END +SELECT resource_or_folder.*, + CASE + WHEN wurp.permission IS NULL THEN 'NOT_AUTH' + ELSE wurp.permission + END FROM ( - SELECT - "id", - "name", - 'APPLICATION' AS "auth_target_type", - user_id, - workspace_id, - icon, - folder_id - FROM - application - ${query_set} -) app_or_knowledge + SELECT id::text, + "name", + 'APPLICATION' AS "auth_target_type", + 'application' AS "resource_type", + user_id, + workspace_id, + icon, + folder_id + FROM application + ${query_set} + UNION + SELECT application_folder."id"::text, + application_folder."name", + 'APPLICATION' AS "auth_target_type", + 'folder' AS "resource_type", + application_folder."user_id", + application_folder."workspace_id", + NULL AS "icon", + application_folder."parent_id" AS "folder_id" + FROM application_folder + ${folder_query_set} + ) resource_or_folder LEFT JOIN ( - SELECT - target, - CASE - WHEN auth_type = 'ROLE' - AND 'ROLE' = ANY(permission_list) THEN 'ROLE' - WHEN auth_type = 'RESOURCE_PERMISSION_GROUP' - AND 'MANAGE' = ANY(permission_list) THEN 'MANAGE' - WHEN auth_type = 'RESOURCE_PERMISSION_GROUP' - AND 'VIEW' = ANY(permission_list) THEN 'VIEW' - ELSE null - END AS permission - FROM - workspace_user_resource_permission - ${workspace_user_resource_permission_query_set} + SELECT target, + CASE + WHEN auth_type = 'ROLE' + AND 'ROLE' = ANY (permission_list) THEN 'ROLE' + WHEN auth_type = 'RESOURCE_PERMISSION_GROUP' + AND 'MANAGE' = ANY (permission_list) THEN 'MANAGE' + WHEN auth_type = 'RESOURCE_PERMISSION_GROUP' + AND 'VIEW' = ANY (permission_list) THEN 'VIEW' + ELSE NULL + END AS permission + FROM workspace_user_resource_permission + ${workspace_user_resource_permission_query_set} ) wurp -ON wurp.target = app_or_knowledge."id" -${resource_query_set} \ No newline at end of file +ON wurp.target::text = resource_or_folder.id +${resource_query_set} 
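Review bot: `UNION` between the application branch and the application_folder branch forces a sort/dedup pass although the two cannot overlap — each carries a distinct `resource_type` literal — so `UNION ALL` yields the same rows cheaper; the same applies to the knowledge, model and tool templates later in this diff. `ON wurp.target::text = resource_or_folder.id` is correct now that `target` is varchar; the cast is redundant but documents that both sides are text, whereas get_model_user_resource_permission.sql joins without it — make the four files agree. The join on id alone relies on `${workspace_user_resource_permission_query_set}` already pinning `auth_target_type` in the serializer; a one-line comment above the join stating that assumption would stop someone later widening that filter without noticing.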
diff --git a/apps/system_manage/sql/get_knowledge_user_resource_permission.sql b/apps/system_manage/sql/get_knowledge_user_resource_permission.sql index 3a637aa5b..63cda382f 100644 --- a/apps/system_manage/sql/get_knowledge_user_resource_permission.sql +++ b/apps/system_manage/sql/get_knowledge_user_resource_permission.sql @@ -1,23 +1,32 @@ -SELECT - app_or_knowledge.*, +SELECT resource_or_folder.*, CASE - WHEN - wurp."permission" is null then 'NOT_AUTH' - ELSE wurp."permission" - END + WHEN wurp.permission IS NULL THEN 'NOT_AUTH' + ELSE wurp.permission + END FROM ( - SELECT - "id", - "name", - 'KNOWLEDGE' AS "auth_target_type", - user_id, - workspace_id, - "type"::varchar AS "icon", - folder_id - FROM - knowledge - ${query_set} -) app_or_knowledge + SELECT + id::text, + "name", + 'KNOWLEDGE' AS "auth_target_type", + 'knowledge' AS "resource_type", + user_id, + workspace_id, + "type"::varchar AS "icon", + folder_id + FROM knowledge + ${query_set} + UNION + SELECT knowledge_folder."id"::text, + knowledge_folder."name", + 'KNOWLEDGE' AS "auth_target_type", + 'folder' AS "resource_type", + knowledge_folder."user_id", + knowledge_folder."workspace_id", + NULL AS "icon", + knowledge_folder."parent_id" AS "folder_id" + FROM knowledge_folder + ${folder_query_set} + ) resource_or_folder LEFT JOIN ( SELECT target, @@ -34,5 +43,5 @@ LEFT JOIN ( workspace_user_resource_permission ${workspace_user_resource_permission_query_set} ) wurp -ON wurp.target = app_or_knowledge."id" +ON wurp.target::text = resource_or_folder.id ${resource_query_set} \ No newline at end of file diff --git a/apps/system_manage/sql/get_model_user_resource_permission.sql b/apps/system_manage/sql/get_model_user_resource_permission.sql index 772e688d9..1f1838821 100644 --- a/apps/system_manage/sql/get_model_user_resource_permission.sql +++ b/apps/system_manage/sql/get_model_user_resource_permission.sql 
@@ -1,5 +1,5 @@ SELECT - app_or_knowledge.*, + resource_or_folder.*, CASE WHEN wurp."permission" is null then 'NOT_AUTH' @@ -7,9 +7,10 @@ SELECT END FROM ( SELECT - "id", + "id"::text, "name", 'MODEL' AS "auth_target_type", + 'model' AS "resource_type", user_id, workspace_id, provider as icon, @@ -17,7 +18,20 @@ FROM ( FROM model ${query_set} -) app_or_knowledge + UNION + SELECT + "id"::text, + "name", + 'MODEL' AS "auth_target_type", + 'folder' AS "resource_type", + user_id, + workspace_id, + provider as icon, + 'default' as folder_id + FROM model + ${folder_query_set} + AND 1=0 +) resource_or_folder LEFT JOIN ( SELECT target, @@ -34,5 +48,5 @@ LEFT JOIN ( workspace_user_resource_permission ${workspace_user_resource_permission_query_set} ) wurp -ON wurp.target = app_or_knowledge."id" +ON wurp.target = resource_or_folder."id" ${resource_query_set} \ No newline at end of file diff --git a/apps/system_manage/sql/get_tool_user_resource_permission.sql b/apps/system_manage/sql/get_tool_user_resource_permission.sql index 6ea10846f..68f529f27 100644 --- a/apps/system_manage/sql/get_tool_user_resource_permission.sql +++ b/apps/system_manage/sql/get_tool_user_resource_permission.sql 
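Review bot: The second SELECT in the UNION (`FROM model ${folder_query_set} AND 1=0`) is a dead branch that only compiles if `${folder_query_set}` renders a `WHERE` clause; an empty rendering leaves `FROM model AND 1=0`, a syntax error surfacing at request time. Presumably the branch exists so the placeholders (and any parameters bound in their order) line up with the sibling templates, but that intent is not recorded anywhere in the file. Add a comment above the `UNION` such as `-- model has no folder table: this branch is intentionally empty (AND 1=0) and exists only so folder_query_set is consumed like in the sibling templates`, and either make the emptiness guard independent of the placeholder's output or have the Python renderer guarantee that folder_query_set always yields a WHERE clause.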
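Review bot: The join condition `ON wurp.target = resource_or_folder."id"` is the only one in this commit that does not cast `wurp.target::text`, while the other three templates do and this template now selects `"id"::text`; if `target` is not a text column the comparison will fail to plan in PostgreSQL (there is no `uuid = text` operator) or compare under a different implicit cast than the siblings. Align it with the others, `ON wurp.target::text = resource_or_folder."id"`, or drop the `::text` casts everywhere if `target` is already text.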
@@ -1,40 +1,48 @@ -SELECT - app_or_knowledge.*, +SELECT resource_or_folder.*, CASE - WHEN - wurp."permission" is null then 'NOT_AUTH' + WHEN wurp."permission" IS NULL THEN 'NOT_AUTH' ELSE wurp."permission" END FROM ( - SELECT - "id", - "name", - 'TOOL' AS "auth_target_type", - user_id, - workspace_id, - icon, - folder_id, - tool_type - FROM - tool + SELECT "id"::text, + "name", + 'TOOL' AS "auth_target_type", + 'tool' AS "resource_type", + user_id, + workspace_id, + icon, + folder_id, + tool_type + FROM tool ${query_set} -) app_or_knowledge + UNION + SELECT tool_folder."id"::text, + tool_folder."name", + 'TOOL' AS "auth_target_type", + 'folder' AS "resource_type", + tool_folder."user_id", + tool_folder."workspace_id", + NULL AS "icon", + tool_folder."parent_id" AS "folder_id", + NULL AS "tool_type" + FROM tool_folder + ${folder_query_set} + ) resource_or_folder LEFT JOIN ( - SELECT - target, - CASE - WHEN auth_type = 'ROLE' - AND 'ROLE' = ANY(permission_list) THEN 'ROLE' - WHEN auth_type = 'RESOURCE_PERMISSION_GROUP' - AND 'MANAGE' = ANY(permission_list) THEN 'MANAGE' - WHEN auth_type = 'RESOURCE_PERMISSION_GROUP' - AND 'VIEW' = ANY(permission_list) THEN 'VIEW' - ELSE null - END AS permission + SELECT target, + CASE + WHEN auth_type = 'ROLE' + AND 'ROLE' = ANY(permission_list) THEN 'ROLE' + WHEN auth_type = 'RESOURCE_PERMISSION_GROUP' + AND 'MANAGE' = ANY(permission_list) THEN 'MANAGE' + WHEN auth_type = 'RESOURCE_PERMISSION_GROUP' + AND 'VIEW' = ANY(permission_list) THEN 'VIEW' + ELSE null + END AS permission FROM workspace_user_resource_permission ${workspace_user_resource_permission_query_set} ) wurp -ON wurp.target = app_or_knowledge."id" +ON wurp.target::text = resource_or_folder."id" ${resource_query_set} diff --git a/apps/tools/serializers/tool.py b/apps/tools/serializers/tool.py index 276ef54fc..8efe2e877 100644 --- a/apps/tools/serializers/tool.py +++ b/apps/tools/serializers/tool.py 
@@ -942,7 +942,6 @@ class ToolTreeSerializer(serializers.Serializer): tool_query_set = tool_query_set.filter(tool_type=tool_type) query_set_dict = { - 'folder_query_set': folder_query_set, 'tool_query_set': tool_query_set, 'default_query_set': default_query_set, } diff --git a/apps/tools/sql/list_tool.sql b/apps/tools/sql/list_tool.sql index eb583fe53..07d85b7eb 100644 --- a/apps/tools/sql/list_tool.sql +++ b/apps/tools/sql/list_tool.sql @@ -20,26 +20,5 @@ from (select tool."id"::text, tool."is_active" from tool left join "user" on "user".id = user_id ${tool_query_set} - UNION - select tool_folder."id", - tool_folder."name", - tool_folder."desc", - 'folder' as "tool_type", - '' as scope, - 'folder' as "resource_type", - tool_folder."workspace_id", - tool_folder."parent_id" as "folder_id", - tool_folder."user_id", - "user".nick_name as "nick_name", - '' as "icon", - '' as label, - '' as "template_id", - tool_folder."create_time", - tool_folder."update_time", - '[]'::jsonb as init_field_list, - '[]'::jsonb as input_field_list, - '' as version, - 'true' as "is_active" - from tool_folder - left join "user" on "user".id = user_id ${folder_query_set}) temp + ) temp ${default_query_set} \ No newline at end of file diff --git a/apps/tools/sql/list_tool_user.sql b/apps/tools/sql/list_tool_user.sql index 25476f366..873ffc654 100644 --- a/apps/tools/sql/list_tool_user.sql +++ b/apps/tools/sql/list_tool_user.sql 
@@ -25,27 +25,5 @@ FROM (SELECT tool."id"::text, ${workspace_user_resource_permission_query_set} AND 'VIEW' = ANY (permission_list))) AS tool LEFT JOIN "user" ON "user".id = user_id - - UNION - SELECT tool_folder."id", - tool_folder."name", - tool_folder."desc", - 'folder' AS "tool_type", - '' AS scope, - 'folder' AS "resource_type", - tool_folder."workspace_id", - tool_folder."parent_id" AS "folder_id", - tool_folder."user_id", - "user".nick_name AS "nick_name", - '' AS "icon", - '' AS label, - '' AS "template_id", - tool_folder."create_time", - tool_folder."update_time", - '[]'::jsonb AS init_field_list, - '[]'::jsonb AS input_field_list, - '' AS version, - 'true' AS "is_active" - FROM tool_folder - LEFT JOIN "user" ON "user".id = user_id ${folder_query_set}) temp +) temp ${default_query_set} \ No newline at end of file diff --git a/apps/tools/sql/list_tool_user_ee.sql b/apps/tools/sql/list_tool_user_ee.sql index 39c3b9f3b..8a4de8708 100644 --- a/apps/tools/sql/list_tool_user_ee.sql +++ b/apps/tools/sql/list_tool_user_ee.sql @@ -20,7 +20,7 @@ FROM (SELECT tool."id"::text, tool."is_active" FROM (SELECT tool.* FROM tool tool ${tool_query_set} - AND tool.id IN (SELECT target + AND tool.id::text IN (SELECT target FROM workspace_user_resource_permission ${workspace_user_resource_permission_query_set} AND CASE WHEN auth_type = 'ROLE' THEN 
@@ -36,26 +36,5 @@ FROM (SELECT tool."id"::text, END )) AS tool LEFT JOIN "user" ON "user".id = user_id - UNION - SELECT tool_folder."id", - tool_folder."name", - tool_folder."desc", - 'folder' AS "tool_type", - '' AS scope, - 'folder' AS "resource_type", - tool_folder."workspace_id", - tool_folder."parent_id" AS "folder_id", - tool_folder."user_id", - "user".nick_name AS "nick_name", - '' AS "icon", - '' AS label, - '' AS "template_id", - tool_folder."create_time", - tool_folder."update_time", - '[]'::jsonb AS init_field_list, - '[]'::jsonb AS input_field_list, - '' AS version, - 'true' AS "is_active" - FROM tool_folder - LEFT JOIN "user" ON "user".id = user_id ${folder_query_set}) temp + ) temp ${default_query_set} \ No newline at end of file