From c5bdada6dc39cf6f51915a5444f043cd12ec0b89 Mon Sep 17 00:00:00 2001
From: shaohuzhang1 <80892890+shaohuzhang1@users.noreply.github.com>
Date: Fri, 27 Jun 2025 22:22:52 +0800
Subject: [PATCH] feat: user resource permission (#3422)

---
 apps/common/auth/handle/impl/user_token.py | 8 +-
 apps/common/constants/permission_constants.py | 203 ++++++++++++------
 .../models/workspace_user_permission.py | 6 +-
 .../serializers/user_resource_permission.py | 54 +++--
 ...t_application_user_resource_permission.sql | 17 ++
 ...get_knowledge_user_resource_permission.sql | 17 ++
 .../get_model_user_resource_permission.sql | 17 ++
 .../sql/get_tool_user_resource_permission.sql | 17 ++
 apps/system_manage/urls.py | 2 +-
 .../views/user_resource_permission.py | 22 +-
 ui/src/api/system/resource-authorization.ts | 10 +-
 ui/src/router/modules/system.ts | 17 +-
 .../system/resource-authorization/index.vue | 13 +-
 13 files changed, 288 insertions(+), 115 deletions(-)
 create mode 100644 apps/system_manage/sql/get_application_user_resource_permission.sql
 create mode 100644 apps/system_manage/sql/get_knowledge_user_resource_permission.sql
 create mode 100644 apps/system_manage/sql/get_model_user_resource_permission.sql
 create mode 100644 apps/system_manage/sql/get_tool_user_resource_permission.sql

diff --git a/apps/common/auth/handle/impl/user_token.py b/apps/common/auth/handle/impl/user_token.py
index 96e397ca9..879169e22 100644
--- a/apps/common/auth/handle/impl/user_token.py
+++ b/apps/common/auth/handle/impl/user_token.py
@@ -20,7 +20,7 @@ from common.constants.cache_version import Cache_Version
 from common.constants.permission_constants import Auth, PermissionConstants, ResourcePermissionGroup, \
 get_permission_list_by_resource_group, ResourceAuthType, \
 ResourcePermissionRole, get_default_role_permission_mapping_list, get_default_workspace_user_role_mapping_list, \
- RoleConstants
+ RoleConstants, ResourcePermission, Resource
 from common.database_model_manage.database_model_manage import DatabaseModelManage
 from common.exception.app_exception import AppAuthenticationFailed
 from common.utils.common import group_by
@@ -132,9 +132,11 @@ def get_workspace_resource_permission_list_by_workspace_user_permission(
 resource_permission_list = [
 [
 f"{permission}:/WORKSPACE/{workspace_user_resource_permission.workspace_id}/{workspace_user_resource_permission.auth_target_type}/{workspace_user_resource_permission.target}"
- for permission in get_permission_list_by_resource_group(ResourcePermissionGroup[resource_permission])]
+ for permission in get_permission_list_by_resource_group(
+ ResourcePermissionGroup(Resource(workspace_user_resource_permission.auth_target_type),
+ ResourcePermission(resource_permission)))]
 for resource_permission in workspace_user_resource_permission.permission_list if
- ResourcePermissionGroup.values.__contains__(resource_permission)]
+ ResourcePermission.values.__contains__(resource_permission)]
 # 将二维数组扁平为一维
 return reduce(lambda x, y: [*x, *y], resource_permission_list, [])
 return []
diff --git a/apps/common/constants/permission_constants.py b/apps/common/constants/permission_constants.py
index b3ab3e667..a677ed6de 100644
--- a/apps/common/constants/permission_constants.py
+++ b/apps/common/constants/permission_constants.py
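Review bot: `Resource(workspace_user_resource_permission.auth_target_type)` in the rewritten comprehension is not guarded the way `resource_permission` is: the `if` clause only checks `ResourcePermission.values`, so a stored `auth_target_type` that is not one of the four `Resource` members makes the enum constructor raise `ValueError` while a user's permission list is being built, where the old `ResourcePermissionGroup[...]` path, filtered by its own `values` check, simply produced nothing. Whether such rows can exist depends on the model's `auth_target_type` choices, which this diff does not show; if they can, extend the filter, `if ResourcePermission.values.__contains__(resource_permission) and Resource.values.__contains__(workspace_user_resource_permission.auth_target_type)]`, or return early before the comprehension. The `Resource(...)` construction is also loop-invariant and could be hoisted above the comprehension. The enclosing function starts outside the hunk.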
@@ -53,6 +53,11 @@ class Group(Enum): WORKSPACE_USER_RESOURCE_PERMISSION = "WORKSPACE_USER_RESOURCE_PERMISSION" + APPLICATION_WORKSPACE_USER_RESOURCE_PERMISSION = "APPLICATION_WORKSPACE_USER_RESOURCE_PERMISSION" + KNOWLEDGE_WORKSPACE_USER_RESOURCE_PERMISSION = "KNOWLEDGE_WORKSPACE_USER_RESOURCE_PERMISSION" + TOOL_WORKSPACE_USER_RESOURCE_PERMISSION = "TOOL_WORKSPACE_USER_RESOURCE_PERMISSION" + MODEL_WORKSPACE_USER_RESOURCE_PERMISSION = "MODEL_WORKSPACE_USER_RESOURCE_PERMISSION" + EMAIL_SETTING = "EMAIL_SETTING" ROLE = "ROLE" WORKSPACE_ROLE = "WORKSPACE_ROLE" @@ -169,7 +174,7 @@ class ResourcePermissionRole(models.TextChoices): return str(self) == str(other) -class ResourcePermissionGroup(models.TextChoices): +class ResourcePermission(models.TextChoices): """ 资源权限组 """ 
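Review bot: In the `@@ -169,7` hunk the docstring kept under the renamed class still reads `资源权限组` ("resource permission group"), but that name now belongs to the separate `ResourcePermissionGroup` class introduced in the next hunk, so the docstring on `ResourcePermission` is misleading. It should describe what the members actually are, the permission level applied to a single resource, e.g. `"""Permission level granted on one resource (VIEW / MANAGE); paired with a Resource by ResourcePermissionGroup."""`. The new `Group` members in the `@@ -53,6` hunk are fine as additions, though a one-line comment saying they replace the generic `WORKSPACE_USER_RESOURCE_PERMISSION` group (which is still present two lines above) would tell a reader whether the old member is now dead.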
@@ -182,6 +187,36 @@ class ResourcePermissionGroup(models.TextChoices):
 return str(self) == str(other)
 
 
+class Resource(models.TextChoices):
+ KNOWLEDGE = Group.KNOWLEDGE.value
+ APPLICATION = Group.APPLICATION.value
+ TOOL = Group.TOOL.value
+ MODEL = Group.MODEL.value
+
+ def __eq__(self, other):
+ return str(self) == str(other)
+
+
+class ResourcePermissionGroup:
+ def __init__(self, resource: Resource, permission: ResourcePermission):
+ self.permission = permission
+ self.resource = resource
+
+ def __eq__(self, other):
+ return str(self.permission) == str(other.permission) and str(self.resource) == str(other.resource)
+
+
+class ResourcePermissionConst:
+ KNOWLEDGE_MANGE = ResourcePermissionGroup(Resource.KNOWLEDGE, ResourcePermission.MANAGE)
+ KNOWLEDGE_VIEW = ResourcePermissionGroup(Resource.KNOWLEDGE, ResourcePermission.VIEW)
+ APPLICATION_MANGE = ResourcePermissionGroup(Resource.APPLICATION, ResourcePermission.MANAGE)
+ APPLICATION_VIEW = ResourcePermissionGroup(Resource.APPLICATION, ResourcePermission.VIEW)
+ TOOL_MANGE = ResourcePermissionGroup(Resource.TOOL, ResourcePermission.MANAGE)
+ TOOL_VIEW = ResourcePermissionGroup(Resource.TOOL, ResourcePermission.VIEW)
+ MODEL_MANGE = ResourcePermissionGroup(Resource.MODEL, ResourcePermission.MANAGE)
+ MODEL_VIEW = ResourcePermissionGroup(Resource.MODEL, ResourcePermission.VIEW)
+
+
 class ResourceAuthType(models.TextChoices):
 """
 资源授权类型
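Review bot: `ResourcePermissionGroup.__eq__` dereferences `other.permission` and `other.resource` without checking the type, so comparing a group against anything else (a `str`, `None`, a `ResourcePermission` member that an older call site may still pass) raises `AttributeError` instead of returning `False`; and because the class defines `__eq__` without `__hash__`, Python sets `__hash__ = None`, so these objects cannot be put in a `set` or used as `dict` keys, which a permission matcher is likely to want. Returning `NotImplemented` for foreign types and defining a `__hash__` consistent with `__eq__` fixes both; a short class docstring would also help, since this is the value every `resource_permission_group_list` in the `-376` and `-651` hunks is built from. The same `__eq__`-without-`__hash__` pattern on the new `Resource` enum presumably makes its members unhashable too (as on the older `TextChoices` classes above, so possibly deliberate, but worth confirming). Separately, `KNOWLEDGE_MANGE`, `APPLICATION_MANGE`, `TOOL_MANGE` and `MODEL_MANGE` misspell MANAGE and are then consumed dozens of times in the two later hunks; renaming now is cheap, later it is not.
```python
class ResourcePermissionGroup:
    """A (resource, permission-level) pair; Permission.resource_permission_group_list holds these."""

    def __init__(self, resource: Resource, permission: ResourcePermission):
        self.permission = permission
        self.resource = resource

    def __eq__(self, other):
        if not isinstance(other, ResourcePermissionGroup):
            return NotImplemented
        return str(self.permission) == str(other.permission) and str(self.resource) == str(other.resource)

    def __hash__(self):
        # Must agree with __eq__, which compares the str forms.
        return hash((str(self.resource), str(self.permission)))
```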
@@ -376,188 +411,224 @@ class PermissionConstants(Enum): MODEL_CREATE = Permission( group=Group.MODEL, operate=Operate.CREATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL] + parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL], + resource_permission_group_list=[ResourcePermissionConst.MODEL_MANGE] ) MODEL_READ = Permission( group=Group.MODEL, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL] + parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL], + resource_permission_group_list=[ResourcePermissionConst.MODEL_VIEW] ) MODEL_EDIT = Permission( group=Group.MODEL, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL] + parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL], + resource_permission_group_list=[ResourcePermissionConst.MODEL_MANGE] ) MODEL_DELETE = Permission( group=Group.MODEL, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL] + parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL], + resource_permission_group_list=[ResourcePermissionConst.MODEL_MANGE] ) TOOL_CREATE = Permission( group=Group.TOOL, operate=Operate.CREATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL] + parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL], + resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE] ) TOOL_EDIT = Permission( group=Group.TOOL, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL] + parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL], + resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE] ) TOOL_READ = Permission( group=Group.TOOL, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - 
parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL] + parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL], + resource_permission_group_list=[ResourcePermissionConst.TOOL_VIEW] ) TOOL_DELETE = Permission( group=Group.TOOL, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL] + parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL], + resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE] ) TOOL_DEBUG = Permission( group=Group.TOOL, operate=Operate.DEBUG, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL] + parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL], + resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE] ) TOOL_IMPORT = Permission( group=Group.TOOL, operate=Operate.IMPORT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL] + parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL], + resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE] ) TOOL_EXPORT = Permission( group=Group.TOOL, operate=Operate.EXPORT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL] + parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL], + resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE] ) KNOWLEDGE_READ = Permission( group=Group.KNOWLEDGE, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.VIEW], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_CREATE = Permission( group=Group.KNOWLEDGE, operate=Operate.CREATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.VIEW], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW], 
parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_EDIT = Permission( group=Group.KNOWLEDGE, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DELETE = Permission( group=Group.KNOWLEDGE, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_SYNC = Permission( group=Group.KNOWLEDGE, operate=Operate.SYNC, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_EXPORT = Permission( group=Group.KNOWLEDGE, operate=Operate.EXPORT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_VECTOR = Permission( group=Group.KNOWLEDGE, operate=Operate.VECTOR, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_GENERATE = Permission( group=Group.KNOWLEDGE, operate=Operate.GENERATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + 
resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_READ = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.VIEW], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_CREATE = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.CREATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_EDIT = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_DELETE = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_SYNC = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.SYNC, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_EXPORT = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.EXPORT, 
role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_DOWNLOAD_SOURCE_FILE = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.DOWNLOAD, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_GENERATE = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.GENERATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_VECTOR = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.VECTOR, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_DOCUMENT_MIGRATE = Permission( group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.MIGRATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_PROBLEM_READ = Permission( group=Group.KNOWLEDGE_PROBLEM, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.VIEW], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW], 
parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_PROBLEM_CREATE = Permission( group=Group.KNOWLEDGE_PROBLEM, operate=Operate.CREATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_PROBLEM_EDIT = Permission( group=Group.KNOWLEDGE_PROBLEM, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_PROBLEM_DELETE = Permission( group=Group.KNOWLEDGE_PROBLEM, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) KNOWLEDGE_PROBLEM_RELATE = Permission( group=Group.KNOWLEDGE_PROBLEM, operate=Operate.RELATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE], parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE] ) - WORKSPACE_USER_RESOURCE_PERMISSION_READ = Permission( - group=Group.WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.READ, + APPLICATION_WORKSPACE_USER_RESOURCE_PERMISSION_READ = Permission( + group=Group.APPLICATION_WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE] ) - WORKSPACE_USER_RESOURCE_PERMISSION_EDIT = Permission( - group=Group.WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.EDIT, + APPLICATION_WORKSPACE_USER_RESOURCE_PERMISSION_EDIT 
= Permission( + group=Group.APPLICATION_WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE] ) + KNOWLEDGE_WORKSPACE_USER_RESOURCE_PERMISSION_READ = Permission( + group=Group.KNOWLEDGE_WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.READ, + role_list=[RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE] + ) + KNOWLEDGE_WORKSPACE_USER_RESOURCE_PERMISSION_EDIT = Permission( + group=Group.KNOWLEDGE_WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.EDIT, + role_list=[RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE] + ) + TOOL_WORKSPACE_USER_RESOURCE_PERMISSION_READ = Permission( + group=Group.TOOL_WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.READ, + role_list=[RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE] + ) + TOOL_WORKSPACE_USER_RESOURCE_PERMISSION_EDIT = Permission( + group=Group.TOOL_WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.EDIT, + role_list=[RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE] + ) + MODEL_WORKSPACE_USER_RESOURCE_PERMISSION_READ = Permission( + group=Group.MODEL_WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.READ, + role_list=[RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE] + ) + MODEL_WORKSPACE_USER_RESOURCE_PERMISSION_EDIT = Permission( + group=Group.MODEL_WORKSPACE_USER_RESOURCE_PERMISSION, operate=Operate.EDIT, + role_list=[RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE] + ) + EMAIL_SETTING_READ = Permission( group=Group.EMAIL_SETTING, operate=Operate.READ, role_list=[RoleConstants.ADMIN], parent_group=[SystemGroup.SYSTEM_SETTING] 
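Review bot: `KNOWLEDGE_CREATE` keeps `resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW]`, so a user holding only the VIEW level on a knowledge resource is matched for a create operation, while every other mutating knowledge, tool, model and application operation in this hunk and the `-651` hunk (EDIT, DELETE, SYNC, EXPORT, IMPORT, ...) is tied to the MANGE level. The line is carried over from the old `ResourcePermissionGroup.VIEW` value, so this may be intentional (create is not scoped to an existing target), but it is the one least-privilege outlier in an otherwise uniform table and deserves either `ResourcePermissionConst.KNOWLEDGE_MANGE` or a comment such as `# VIEW on purpose: creating a knowledge base is not bound to an existing target` so the next reviewer does not re-raise it. The removal of `WORKSPACE_USER_RESOURCE_PERMISSION_READ`/`_EDIT` in favour of four per-resource pairs also leaves `Group.WORKSPACE_USER_RESOURCE_PERMISSION` defined but, as far as this diff shows, unreferenced; any view or role mapping elsewhere that still names the old constants will fail at import, which the views file in the diffstat (not shown here) should confirm. The enclosing `PermissionConstants` enum starts and ends outside the hunk.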
@@ -651,141 +722,146 @@ class PermissionConstants(Enum): APPLICATION_READ = Permission(group=Group.APPLICATION, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.VIEW], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_VIEW], ) APPLICATION_TO_CHAT = Permission(group=Group.APPLICATION, operate=Operate.TO_CHAT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], label=_('Chat') ) APPLICATION_DEBUG = Permission(group=Group.APPLICATION, operate=Operate.DEBUG, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_SETTING = Permission(group=Group.APPLICATION, operate=Operate.SETTING, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], label=_('Setting') ) APPLICATION_CREATE = Permission(group=Group.APPLICATION, operate=Operate.CREATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_IMPORT = Permission(group=Group.APPLICATION, operate=Operate.IMPORT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, 
UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE] + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE] ) APPLICATION_EXPORT = Permission(group=Group.APPLICATION, operate=Operate.EXPORT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], ) APPLICATION_DELETE = Permission(group=Group.APPLICATION, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_EDIT = Permission(group=Group.APPLICATION, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_OVERVIEW_READ = Permission(group=Group.APPLICATION_OVERVIEW, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.VIEW], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_VIEW], ) APPLICATION_OVERVIEW_EMBED = Permission(group=Group.APPLICATION_OVERVIEW, operate=Operate.EMBED, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_OVERVIEW_ACCESS = 
Permission(group=Group.APPLICATION_OVERVIEW, operate=Operate.ACCESS, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_OVERVIEW_DISPLAY = Permission(group=Group.APPLICATION_OVERVIEW, operate=Operate.DISPLAY, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ + ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_OVERVIEW_API_KEY = Permission(group=Group.APPLICATION_OVERVIEW, operate=Operate.API_KET, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ + ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_OVERVIEW_PUBLIC = Permission(group=Group.APPLICATION_OVERVIEW, operate=Operate.PUBLIC_ACCESS, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) # 应用接入 APPLICATION_ACCESS_READ = Permission(group=Group.APPLICATION_ACCESS, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.VIEW], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_VIEW], ) APPLICATION_ACCESS_EDIT = Permission(group=Group.APPLICATION_ACCESS, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, 
UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE]) + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE]) APPLICATION_CHAT_USER_READ = Permission(group=Group.APPLICATION_CHAT_USER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_CHAT_USER_EDIT = Permission(group=Group.APPLICATION_CHAT_USER, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_CHAT_LOG_READ = Permission(group=Group.APPLICATION_CHAT_LOG, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_CHAT_LOG_ANNOTATION = Permission(group=Group.APPLICATION_CHAT_LOG, operate=Operate.ANNOTATION, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ + ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_CHAT_LOG_EXPORT = Permission(group=Group.APPLICATION_CHAT_LOG, operate=Operate.EXPORT, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE], ) 
APPLICATION_CHAT_LOG_CLEAR_POLICY = Permission(group=Group.APPLICATION_CHAT_LOG, operate=Operate.CLEAR_POLICY, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ + ResourcePermissionConst.APPLICATION_MANGE], ) APPLICATION_CHAT_LOG_ADD_KNOWLEDGE = Permission(group=Group.APPLICATION_CHAT_LOG, operate=Operate.ADD_KNOWLEDGE, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION], - resource_permission_group_list=[ResourcePermissionGroup.MANAGE], + resource_permission_group_list=[ + ResourcePermissionConst.APPLICATION_MANGE], ) ABOUT_READ = Permission(group=Group.OTHER, operate=Operate.READ, @@ -1183,6 +1259,7 @@ class PermissionConstants(Enum): group=Group.OPERATION_LOG, operate=Operate.EXPORT, role_list=[RoleConstants.ADMIN], parent_group=[SystemGroup.OPERATION_LOG] ) + def get_workspace_application_permission(self): return lambda r, kwargs: Permission(group=self.value.group, operate=self.value.operate, resource_path= diff --git a/apps/system_manage/models/workspace_user_permission.py b/apps/system_manage/models/workspace_user_permission.py index 88179a802..a83c3c656 100644 --- a/apps/system_manage/models/workspace_user_permission.py +++ b/apps/system_manage/models/workspace_user_permission.py @@ -12,7 +12,7 @@ from django.contrib.postgres.fields import ArrayField from django.db import models from common.constants.permission_constants import Group, ResourcePermissionGroup, ResourceAuthType, \ - ResourcePermissionRole + ResourcePermissionRole, ResourcePermission from users.models import User 
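Review bot: The `-651` hunk wraps `resource_permission_group_list=[` onto two lines for `APPLICATION_OVERVIEW_DISPLAY`, `APPLICATION_OVERVIEW_API_KEY`, `APPLICATION_CHAT_LOG_ANNOTATION`, `APPLICATION_CHAT_LOG_CLEAR_POLICY` and `APPLICATION_CHAT_LOG_ADD_KNOWLEDGE` but leaves the identical single-element list on one line for every sibling entry, which looks like an IDE line-length reflow rather than a deliberate choice; keeping `resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE],` on one line throughout (or reflowing all of them) keeps the table scannable. The `@@ -1183` hunk that follows only adds a blank line. The enclosing `PermissionConstants` enum starts and ends outside the hunk.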
@@ -48,8 +48,8 @@ class WorkspaceUserResourcePermission(models.Model): default=list, base_field=models.CharField(max_length=256, blank=True, - choices=ResourcePermissionGroup.choices + ResourcePermissionRole.choices, - default=ResourcePermissionGroup.VIEW)) + choices=ResourcePermission.choices + ResourcePermissionRole.choices, + default=ResourcePermission.VIEW)) create_time = models.DateTimeField(verbose_name="创建时间", auto_now_add=True) diff --git a/apps/system_manage/serializers/user_resource_permission.py b/apps/system_manage/serializers/user_resource_permission.py index a06d6e1c7..9f366f3e7 100644 --- a/apps/system_manage/serializers/user_resource_permission.py +++ b/apps/system_manage/serializers/user_resource_permission.py @@ -17,7 +17,7 @@ from rest_framework import serializers from application.models import Application from common.constants.cache_version import Cache_Version from common.constants.permission_constants import get_default_workspace_user_role_mapping_list, RoleConstants, \ - ResourcePermissionGroup, ResourcePermissionRole, ResourceAuthType + ResourcePermission, ResourcePermissionRole, ResourceAuthType from common.database_model_manage.database_model_manage import DatabaseModelManage from common.db.search import native_search from common.db.sql_execute import select_list @@ -51,7 +51,6 @@ class UserResourcePermissionResponse(serializers.Serializer): class UpdateTeamMemberItemPermissionSerializer(serializers.Serializer): - auth_target_type = serializers.ChoiceField(required=True, choices=AuthTargetType.choices, label="授权资源") target_id = serializers.CharField(required=True, label=_('target id')) auth_type = serializers.ChoiceField(required=True, choices=ResourceAuthType.choices, label="授权类型") permission = PermissionSerializer(required=True, many=False) 
@@ -60,34 +59,46 @@ class UpdateTeamMemberItemPermissionSerializer(serializers.Serializer): class UpdateUserResourcePermissionRequest(serializers.Serializer): user_resource_permission_list = UpdateTeamMemberItemPermissionSerializer(required=True, many=True) - def is_valid(self, *, workspace_id=None, raise_exception=False): + def is_valid(self, *, auth_target_type=None, workspace_id=None, raise_exception=False): super().is_valid(raise_exception=True) - user_resource_permission_list = self.data.get("user_resource_permission_list") + user_resource_permission_list = [{'target_id': urp.get('target_id'), 'auth_target_type': auth_target_type} for + urp in + self.data.get("user_resource_permission_list")] illegal_target_id_list = select_list( get_file_content( os.path.join(PROJECT_DIR, "apps", "system_manage", 'sql', 'check_member_permission_target_exists.sql')), [json.dumps(user_resource_permission_list), workspace_id, workspace_id, workspace_id, workspace_id]) if illegal_target_id_list is not None and len(illegal_target_id_list) > 0: raise AppApiException(500, - _('Non-existent application|knowledge base id[') + str(illegal_target_id_list) + ']') + _('Non-existent id[') + str(illegal_target_id_list) + ']') + + +m_map = { + "KNOWLEDGE": Knowledge, + 'TOOL': Tool, + 'MODEL': Model, + 'APPLICATION': Application, +} +sql_map = { + "KNOWLEDGE": 'get_knowledge_user_resource_permission.sql', + 'TOOL': 'get_tool_user_resource_permission.sql', + 'MODEL': 'get_model_user_resource_permission.sql', + 'APPLICATION': 'get_application_user_resource_permission.sql' +} class UserResourcePermissionSerializer(serializers.Serializer): workspace_id = serializers.CharField(required=True, label=_('workspace id')) user_id = serializers.CharField(required=True, label=_('user id')) + auth_target_type = serializers.CharField(required=True, label=_('resource')) def get_queryset(self): return { - "knowledge_query_set": QuerySet(Knowledge) - .filter(workspace_id=self.data.get('workspace_id')), - 
'tool_query_set': QuerySet(Tool) - .filter(workspace_id=self.data.get('workspace_id')), - 'model_query_set': QuerySet(Model) - .filter(workspace_id=self.data.get('workspace_id')), - 'application_query_set': QuerySet(Application) - .filter(workspace_id=self.data.get('workspace_id')), + 'query_set': QuerySet(m_map.get(self.data.get('auth_target_type'))).filter( + workspace_id=self.data.get('workspace_id')), 'workspace_user_resource_permission_query_set': QuerySet(WorkspaceUserResourcePermission).filter( - workspace_id=self.data.get('workspace_id'), user=self.data.get('user_id')) + workspace_id=self.data.get('workspace_id'), user=self.data.get('user_id'), + auth_target_type=self.data.get('auth_target_type')) } def list(self, user, with_valid=True): @@ -97,7 +108,7 @@ class UserResourcePermissionSerializer(serializers.Serializer): user_id = self.data.get("user_id") # 用户权限列表 user_resource_permission_list = native_search(self.get_queryset(), get_file_content( - os.path.join(PROJECT_DIR, "apps", "system_manage", 'sql', 'get_user_resource_permission.sql'))) + os.path.join(PROJECT_DIR, "apps", "system_manage", 'sql', sql_map.get(self.data.get('auth_target_type'))))) workspace_user_role_mapping_model = DatabaseModelManage.get_model("workspace_user_role_mapping") workspace_model = DatabaseModelManage.get_model("workspace_model") if workspace_user_role_mapping_model and workspace_model: 
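Review bot: The new `auth_target_type = serializers.CharField(required=True, label=_('resource'))` on UserResourcePermissionSerializer accepts any string, so a value outside `m_map`/`sql_map` reaches `QuerySet(m_map.get(...))` as `QuerySet(None)` and, in `@@ -97,7 +108,7 @@`, `os.path.join(..., sql_map.get(...))` as `os.path.join(..., None)`, failing with an unhandled TypeError instead of a validation error. Declaring it as `auth_target_type = serializers.ChoiceField(required=True, choices=AuthTargetType.choices, label=_('resource'))` (the set the removed item-level field used) rejects unknown values at `is_valid`, before any query or file lookup. The `auth_target_type=None` default on `UpdateUserResourcePermissionRequest.is_valid` has the same gap: a caller that omits it sends `'auth_target_type': None` for every target into the existence check, which presumably then reports every id as non-existent; making it required, or raising when it is None, would make that failure explicit. A short comment on `m_map`/`sql_map` such as `# auth_target_type -> model / SQL file; keys must stay in sync with AuthTargetType` would also help the next maintainer keep the three in step.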
@@ -112,14 +123,14 @@ class UserResourcePermissionSerializer(serializers.Serializer): if is_workspace_manage: user_resource_permission_list = list( map(lambda row: {**row, - 'permission': {ResourcePermissionGroup.VIEW.value: True, - ResourcePermissionGroup.MANAGE.value: True, + 'permission': {ResourcePermission.VIEW.value: True, + ResourcePermission.MANAGE.value: True, ResourcePermissionRole.ROLE.value: True}}, user_resource_permission_list)) return group_by([{**user_resource_permission, 'permission': { permission: True if user_resource_permission.get('permission_list').__contains__(permission) else False for permission in - [ResourcePermissionGroup.VIEW.value, ResourcePermissionGroup.MANAGE.value, + [ResourcePermission.VIEW.value, ResourcePermission.MANAGE.value, ResourcePermissionRole.ROLE.value]}} for user_resource_permission in user_resource_permission_list], key=lambda item: item.get('auth_target_type')) @@ -128,6 +139,8 @@ class UserResourcePermissionSerializer(serializers.Serializer): if with_valid: self.is_valid(raise_exception=True) UpdateUserResourcePermissionRequest(data=instance).is_valid(raise_exception=True, + auth_target_type=self.data.get( + 'auth_target_type'), workspace_id=self.data.get('workspace_id')) workspace_id = self.data.get("workspace_id") user_id = self.data.get("user_id") @@ -135,7 +148,7 @@ class UserResourcePermissionSerializer(serializers.Serializer): save_list = [] user_resource_permission_list = instance.get('user_resource_permission_list') workspace_user_resource_permission_exist_list = QuerySet(WorkspaceUserResourcePermission).filter( - workspace_id=workspace_id, user_id=user_id) + workspace_id=workspace_id, user_id=user_id, auth_target_type=self.data.get('auth_target_type')) for user_resource_permission in user_resource_permission_list: exist_list = [user_resource_permission_exist for user_resource_permission_exist in workspace_user_resource_permission_exist_list if 
@@ -147,8 +160,7 @@ class UserResourcePermissionSerializer(serializers.Serializer):
 update_list.append(exist_list[0])
 else: save_list.append(WorkspaceUserResourcePermission(target=user_resource_permission.get('target_id'),
- auth_target_type=user_resource_permission.get(
- 'auth_target_type'),
+ auth_target_type=self.data.get('auth_target_type'),
 permission_list=[key for key in user_resource_permission.get( 'permission').keys() if
diff --git a/apps/system_manage/sql/get_application_user_resource_permission.sql b/apps/system_manage/sql/get_application_user_resource_permission.sql
new file mode 100644
index 000000000..64195e240
--- /dev/null
+++ b/apps/system_manage/sql/get_application_user_resource_permission.sql
@@ -0,0 +1,17 @@
+SELECT app_or_knowledge.*,
+ COALESCE(workspace_user_resource_permission.permission_list,'{}')::varchar[] as permission_list,
+ COALESCE(workspace_user_resource_permission.auth_type,'ROLE') as auth_type
+FROM (SELECT "id",
+ "name",
+ 'APPLICATION' AS "auth_target_type",
+ user_id,
+ workspace_id,
+ icon,
+ folder_id
+ FROM application
+ ${query_set}
+ ) app_or_knowledge
+ LEFT JOIN (SELECT *
+ FROM workspace_user_resource_permission
+ ${workspace_user_resource_permission_query_set}) workspace_user_resource_permission
+ ON workspace_user_resource_permission.target = app_or_knowledge."id";
diff --git a/apps/system_manage/sql/get_knowledge_user_resource_permission.sql b/apps/system_manage/sql/get_knowledge_user_resource_permission.sql
new file mode 100644
index 000000000..bf1653281
--- /dev/null
+++ b/apps/system_manage/sql/get_knowledge_user_resource_permission.sql
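Review bot: The subquery alias `app_or_knowledge` is carried into all four new files, including the model and tool queries where it no longer describes the rows; a neutral alias such as `resource` in `) app_or_knowledge`, `SELECT app_or_knowledge.*` and the `ON` clause would read correctly everywhere. The four files differ only in the inner SELECT, so each deserves a one-line header comment, e.g. `-- Resource rows of one auth_target_type, left-joined to this user's per-resource grants; the ${query_set} and ${workspace_user_resource_permission_query_set} placeholders are presumably filled by native_search from the serializer's get_queryset() entries, so all workspace/user/type filtering lives there.` The same applies to the knowledge, model and tool files that follow.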
@@ -0,0 +1,17 @@
+SELECT app_or_knowledge.*,
+ COALESCE(workspace_user_resource_permission.permission_list,'{}')::varchar[] as permission_list,
+ COALESCE(workspace_user_resource_permission.auth_type,'ROLE') as auth_type
+FROM (SELECT "id",
+ "name",
+ 'KNOWLEDGE' AS "auth_target_type",
+ user_id,
+ workspace_id,
+ "type"::varchar AS "icon",
+ folder_id
+ FROM knowledge
+ ${query_set}
+ ) app_or_knowledge
+ LEFT JOIN (SELECT *
+ FROM workspace_user_resource_permission
+ ${workspace_user_resource_permission_query_set}) workspace_user_resource_permission
+ ON workspace_user_resource_permission.target = app_or_knowledge."id";
diff --git a/apps/system_manage/sql/get_model_user_resource_permission.sql b/apps/system_manage/sql/get_model_user_resource_permission.sql
new file mode 100644
index 000000000..40a201bae
--- /dev/null
+++ b/apps/system_manage/sql/get_model_user_resource_permission.sql
@@ -0,0 +1,17 @@
+SELECT app_or_knowledge.*,
+ COALESCE(workspace_user_resource_permission.permission_list,'{}')::varchar[] as permission_list,
+ COALESCE(workspace_user_resource_permission.auth_type,'ROLE') as auth_type
+FROM (SELECT "id",
+ "name",
+ 'MODEL' AS "auth_target_type",
+ user_id,
+ workspace_id,
+ provider as icon,
+ 'default' as folder_id
+ FROM model
+ ${query_set}
+ ) app_or_knowledge
+ LEFT JOIN (SELECT *
+ FROM workspace_user_resource_permission
+ ${workspace_user_resource_permission_query_set}) workspace_user_resource_permission
+ ON workspace_user_resource_permission.target = app_or_knowledge."id";
diff --git a/apps/system_manage/sql/get_tool_user_resource_permission.sql b/apps/system_manage/sql/get_tool_user_resource_permission.sql
new file mode 100644
index 000000000..15e1e8e52
--- /dev/null
+++ b/apps/system_manage/sql/get_tool_user_resource_permission.sql
@@ -0,0 +1,17 @@
+SELECT app_or_knowledge.*,
+ COALESCE(workspace_user_resource_permission.permission_list,'{}')::varchar[] as permission_list,
+ COALESCE(workspace_user_resource_permission.auth_type,'ROLE') as auth_type
+FROM (SELECT "id",
+ "name",
+ 'TOOL' AS "auth_target_type",
+ user_id,
+ workspace_id,
+ icon,
+ folder_id
+ FROM tool
+ ${query_set}
+ ) app_or_knowledge
+ LEFT JOIN (SELECT *
+ FROM workspace_user_resource_permission
+ ${workspace_user_resource_permission_query_set}) workspace_user_resource_permission
+ ON workspace_user_resource_permission.target = app_or_knowledge."id";
diff --git a/apps/system_manage/urls.py b/apps/system_manage/urls.py
index c8f953f5a..e1c41d7c4 100644
--- a/apps/system_manage/urls.py
+++ b/apps/system_manage/urls.py
@@ -5,7 +5,7 @@ from . import views
 app_name = "system_manage" # @formatter:off
 urlpatterns = [
- path('workspace//user_resource_permission/user/', views.WorkSpaceUserResourcePermissionView.as_view()),
+ path('workspace//user_resource_permission/user//resource/', views.WorkSpaceUserResourcePermissionView.as_view()),
 path('email_setting', views.SystemSetting.Email.as_view()), path('profile', views.SystemProfile.as_view()), path('valid//', views.Valid.as_view())
diff --git a/apps/system_manage/views/user_resource_permission.py b/apps/system_manage/views/user_resource_permission.py
index 86f2b5380..da38106db 100644
--- a/apps/system_manage/views/user_resource_permission.py
+++ b/apps/system_manage/views/user_resource_permission.py
@@ -15,7 +15,7 @@ from rest_framework.views import APIView
 from common import result
 from common.auth import TokenAuth
 from common.auth.authentication import has_permissions
-from common.constants.permission_constants import PermissionConstants, RoleConstants
+from common.constants.permission_constants import PermissionConstants, RoleConstants, Permission, Group, Operate
 from common.log.log import log
 from common.result import DefaultResultSerializer
 from system_manage.api.user_resource_permission import UserResourcePermissionAPI, EditUserResourcePermissionAPI
@@ -43,11 +43,13 @@ class WorkSpaceUserResourcePermissionView(APIView):
 responses=UserResourcePermissionAPI.get_response(), tags=[_('Resources authorization')] # type: ignore
 )
- @has_permissions(PermissionConstants.WORKSPACE_USER_RESOURCE_PERMISSION_READ.get_workspace_permission(),
- RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
- def get(self, request: Request, workspace_id: str, user_id: str):
+ @has_permissions(
+ lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_WORKSPACE_USER_RESOURCE_PERMISSION'),
+ operate=Operate.READ),
+ RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+ def get(self, request: Request, workspace_id: str, user_id: str, resource: str):
 return result.success(UserResourcePermissionSerializer(
- data={'workspace_id': workspace_id, 'user_id': user_id}
+ data={'workspace_id': workspace_id, 'user_id': user_id, 'auth_target_type': resource}
 ).list(request.user))
 @extend_schema(
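Review bot: The replacement check `lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_WORKSPACE_USER_RESOURCE_PERMISSION'), operate=Operate.READ)` builds a Permission with no resource_path, whereas the `WORKSPACE_USER_RESOURCE_PERMISSION_READ.get_workspace_permission()` it replaces presumably scoped the check to the workspace in the URL; if the matcher compares resource paths, a user holding this permission in one workspace may now pass the check for any `workspace_id`, so confirm and add a resource_path built from `kwargs.get('workspace_id')` if that is the case. Separately, the `resource` segment added in urls.py is unconstrained, and `Group(...)` is presumably an Enum lookup that raises ValueError for an unknown value, so a bad segment surfaces as a server error from inside the permission check instead of a 4xx; validating `resource` against the known `Group` values (or constraining it in the URL pattern) before the lookup avoids that. The put hunk `@@ -62,9 +64,11 @@` has the same two issues.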
@@ -62,9 +64,11 @@ class WorkSpaceUserResourcePermissionView(APIView):
 @log(menu='System', operate='Modify the resource authorization list', get_operation_object=lambda r, k: get_user_operation_object(k.get('user_id')) )
- @has_permissions(PermissionConstants.WORKSPACE_USER_RESOURCE_PERMISSION_EDIT.get_workspace_permission(),
- RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
- def put(self, request: Request, workspace_id: str, user_id: str):
+ @has_permissions(
+ lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_WORKSPACE_USER_RESOURCE_PERMISSION'),
+ operate=Operate.EDIT),
+ RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+ def put(self, request: Request, workspace_id: str, user_id: str, resource: str):
 return result.success(UserResourcePermissionSerializer(
- data={'workspace_id': workspace_id, 'user_id': user_id}
+ data={'workspace_id': workspace_id, 'user_id': user_id, 'auth_target_type': resource}
 ).edit(request.data, request.user))
diff --git a/ui/src/api/system/resource-authorization.ts b/ui/src/api/system/resource-authorization.ts
index 34d0a174f..b12e72358 100644
--- a/ui/src/api/system/resource-authorization.ts
+++ b/ui/src/api/system/resource-authorization.ts
@@ -12,10 +12,11 @@ const prefix = '/workspace'
 const getResourceAuthorization: ( workspace_id: string, user_id: string,
+ resource: string,
 loading?: Ref,
-) => Promise> = (workspace_id, user_id, loading) => {
+) => Promise> = (workspace_id, user_id, resource, loading) => {
 return get(
- `${prefix}/${workspace_id}/user_resource_permission/user/${user_id}`,
+ `${prefix}/${workspace_id}/user_resource_permission/user/${user_id}/resource/${resource}`,
 undefined, loading, )
@@ -42,11 +43,12 @@ const getResourceAuthorization: ( const putResourceAuthorization: ( workspace_id: string, user_id: string, + resource: string, body: any, loading?: Ref, -) => Promise> = (workspace_id, user_id, body, loading) => { +) => Promise> = (workspace_id, user_id, resource, body, loading) => { return put( - `${prefix}/${workspace_id}/user_resource_permission/user/${user_id}`, + `${prefix}/${workspace_id}/user_resource_permission/user/${user_id}/resource/${resource}`, body, {}, loading, diff --git a/ui/src/router/modules/system.ts b/ui/src/router/modules/system.ts index f55de3823..b9e9ca19b 100644 --- a/ui/src/router/modules/system.ts +++ b/ui/src/router/modules/system.ts @@ -184,6 +184,7 @@ const systemRouter = { activeMenu: '/system', parentPath: '/system', parentName: 'system', + resource: 'APPLICATION', }, component: () => import('@/views/system/resource-authorization/index.vue'), }, @@ -195,6 +196,7 @@ const systemRouter = { activeMenu: '/system', parentPath: '/system', parentName: 'system', + resource: 'KNOWLEDGE', }, component: () => import('@/views/system/resource-authorization/index.vue'), }, @@ -206,6 +208,7 @@ const systemRouter = { activeMenu: '/system', parentPath: '/system', parentName: 'system', + resource: 'TOOL', }, component: () => import('@/views/system/resource-authorization/index.vue'), }, @@ -217,6 +220,7 @@ const systemRouter = { activeMenu: '/system', parentPath: '/system', parentName: 'system', + resource: 'MODEL', }, component: () => import('@/views/system/resource-authorization/index.vue'), }, 
@@ -477,11 +481,14 @@ const systemRouter = { parentName: 'system', sameRoute: 'operate', permission: [ - new ComplexPermission( - [RoleConst.ADMIN], - [PermissionConst.OPERATION_LOG_READ], - [EditionConst.IS_EE, EditionConst.IS_PE], - 'OR',),], + new ComplexPermission( + [RoleConst.ADMIN], + [PermissionConst.OPERATION_LOG_READ], + [EditionConst.IS_EE, EditionConst.IS_PE], + 'OR', + ), + ], + }, component: () => import('@/views/system/operate-log/index.vue'), }, diff --git a/ui/src/views/system/resource-authorization/index.vue b/ui/src/views/system/resource-authorization/index.vue index 2165d410e..632e01abc 100644 --- a/ui/src/views/system/resource-authorization/index.vue +++ b/ui/src/views/system/resource-authorization/index.vue @@ -8,7 +8,11 @@ - + { @@ -290,10 +295,6 @@ const dfsFolder = (arr: any[] = [], folderIdMap: any) => { }) } -const handleTabChange = () => { - getWholeTree(currentUser.value) -} - function getFolder() { return AuthorizationApi.getSystemFolder( currentWorkspaceId.value || 'default', @@ -306,6 +307,7 @@ function getResourcePermissions(user_id: string) { return AuthorizationApi.getResourceAuthorization( currentWorkspaceId.value || 'default', user_id, + (route.meta?.resource as string) || 'APPLICATION', rLoading, ) } @@ -378,7 +380,6 @@ function changeWorkspace(item: WorkspaceItem) { currentWorkspaceId.value = item.id getMember() } -function refresh(data?: string[]) {} onMounted(() => { tableHeight.value = window.innerHeight - 330
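Review bot: Only the `getResourceAuthorization` call site gains the new argument `(route.meta?.resource as string) || 'APPLICATION',` in `@@ -306,6 +307,7 @@`, yet `putResourceAuthorization` in resource-authorization.ts also gained a `resource` parameter ahead of `body`, and no updated caller for it is visible in this diff; if its call site is unchanged, `body` is passed in the `resource` slot and the PUT goes out with the wrong URL and no payload, so confirm that caller was updated. The `|| 'APPLICATION'` fallback also silently turns a route missing its `resource` meta into the application list; since every route in system.ts now sets `resource`, a loud failure (or a single shared helper that reads `route.meta.resource` for both the get and put paths) would surface a misconfigured route instead of hiding it.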