From df49c5ba5c6d829e5edf5419bb6fd0439304fa4b Mon Sep 17 00:00:00 2001
From: shaohuzhang1 <80892890+shaohuzhang1@users.noreply.github.com>
Date: Thu, 3 Jul 2025 14:46:55 +0800
Subject: [PATCH] fix: Automatic authorization for resource creation (#3464)
---
apps/application/serializers/application.py | 13 +++++--
apps/knowledge/serializers/knowledge.py | 24 +++++--------
.../serializers/model_serializer.py | 19 ++++------
.../serializers/user_resource_permission.py | 28 +++++++++++++++
apps/tools/serializers/tool.py | 20 ++++-------
.../component/CreateApplicationDialog.vue | 35 ++++++++++---------
6 files changed, 77 insertions(+), 62 deletions(-)
diff --git a/apps/application/serializers/application.py b/apps/application/serializers/application.py
index 7e5a73d9c..d260c9df3 100644
--- a/apps/application/serializers/application.py
+++ b/apps/application/serializers/application.py
@@ -40,7 +40,8 @@ from knowledge.serializers.knowledge import KnowledgeSerializer, KnowledgeModelS
from maxkb.conf import PROJECT_DIR
from models_provider.models import Model
from models_provider.tools import get_model_instance_by_model_workspace_id
-from system_manage.models import WorkspaceUserResourcePermission
+from system_manage.models import WorkspaceUserResourcePermission, AuthTargetType
+from system_manage.serializers.user_resource_permission import UserResourcePermissionSerializer
from tools.models import Tool, ToolScope
from tools.serializers.tool import ToolModelSerializer
from users.models import User
@@ -430,9 +431,15 @@ class ApplicationSerializer(serializers.Serializer):
def insert(self, instance: Dict):
application_type = instance.get('type')
if 'WORK_FLOW' == application_type:
- return self.insert_workflow(instance)
+ r = self.insert_workflow(instance)
else:
- return self.insert_simple(instance)
+ r = self.insert_simple(instance)
+ UserResourcePermissionSerializer(data={
+ 'workspace_id': self.data.get('workspace_id'),
+ 'user_id': self.data.get('user_id'),
+ 'auth_target_type': AuthTargetType.APPLICATION.value
+ }).auth_resource(str(r.get('id')))
+ return r
def insert_workflow(self, instance: Dict):
self.is_valid(raise_exception=True)
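Review bot: The grant in `insert` runs only after `insert_workflow`/`insert_simple` have returned, with no transaction visible around the pair, so if `auth_resource` raises (its own `is_valid(raise_exception=True)` or the row write) the application already exists but its creator holds no permission row on it. Unless the two insert helpers already open one, wrapping the create-and-grant sequence in `transaction.atomic()` (`django.db.transaction`, if not already imported here) keeps the two consistent; otherwise a comment should state that the grant is best-effort. `insert_workflow` begins on the last line of this hunk and continues outside it.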
diff --git a/apps/knowledge/serializers/knowledge.py b/apps/knowledge/serializers/knowledge.py
index ec5e662a4..72dd421a8 100644
--- a/apps/knowledge/serializers/knowledge.py
+++ b/apps/knowledge/serializers/knowledge.py
@@ -21,7 +21,7 @@ from rest_framework import serializers
from application.models import ApplicationKnowledgeMapping
from common.config.embedding_config import VectorStore
from common.constants.cache_version import Cache_Version
-from common.constants.permission_constants import ResourceAuthType, ResourcePermission
+from common.constants.permission_constants import ResourceAuthType, ResourcePermission, ResourcePermissionRole
from common.database_model_manage.database_model_manage import DatabaseModelManage
from common.db.search import native_search, get_dynamics_model, native_page_search
from common.db.sql_execute import select_list
@@ -42,6 +42,7 @@ from knowledge.task.sync import sync_web_knowledge, sync_replace_web_knowledge
from maxkb.conf import PROJECT_DIR
from models_provider.models import Model
from system_manage.models import WorkspaceUserResourcePermission, AuthTargetType
+from system_manage.serializers.user_resource_permission import UserResourcePermissionSerializer
from users.serializers.user import is_workspace_manage
@@ -553,21 +554,12 @@ class KnowledgeSerializer(serializers.Serializer):
QuerySet(ProblemParagraphMapping).bulk_create(
problem_paragraph_mapping_list
) if len(problem_paragraph_mapping_list) > 0 else None
-
- # 自动授权给创建者
- WorkspaceUserResourcePermission(
- target=knowledge_id,
- auth_target_type=AuthTargetType.KNOWLEDGE,
- permission_list=[ResourcePermission.VIEW, ResourcePermission.MANAGE],
- workspace_id=self.data.get('workspace_id'),
- user_id=self.data.get('user_id'),
- auth_type=ResourceAuthType.RESOURCE_PERMISSION_GROUP
- ).save()
- # 刷新缓存
- version = Cache_Version.PERMISSION_LIST.get_version()
- key = Cache_Version.PERMISSION_LIST.get_key(user_id=self.data.get('user_id'))
- cache.delete(key, version=version)
-
+ # 自动资源给授权当前用户
+ UserResourcePermissionSerializer(data={
+ 'workspace_id': self.data.get('workspace_id'),
+ 'user_id': self.data.get('user_id'),
+ 'auth_target_type': AuthTargetType.KNOWLEDGE.value
+ }).auth_resource(str(knowledge_id))
return {
**KnowledgeModelSerializer(knowledge).data,
'user_id': self.data.get('user_id'),
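Review bot: The comment above the new grant, `# 自动资源给授权当前用户`, has its words out of order; the earlier wording `# 自动授权给创建者` or an English `# Automatically grant the creator access to the new knowledge base` would be clearer. Note also that the import hunk for this file adds `ResourcePermissionRole`, which nothing in the visible knowledge.py changes uses — it is referenced in user_resource_permission.py instead. The enclosing `insert` method starts before this hunk.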
diff --git a/apps/models_provider/serializers/model_serializer.py b/apps/models_provider/serializers/model_serializer.py
index 545122371..b5020e04e 100644
--- a/apps/models_provider/serializers/model_serializer.py
+++ b/apps/models_provider/serializers/model_serializer.py
@@ -26,6 +26,7 @@ from models_provider.constants.model_provider_constants import ModelProvideConst
from models_provider.models import Model, Status
from models_provider.tools import get_model_credential
from system_manage.models import WorkspaceUserResourcePermission, AuthTargetType
+from system_manage.serializers.user_resource_permission import UserResourcePermissionSerializer
from users.serializers.user import is_workspace_manage
@@ -326,19 +327,11 @@ class ModelSerializer(serializers.Serializer):
model = Model(**model_data)
try:
model.save()
- # 自动授权给创建者
- WorkspaceUserResourcePermission(
- target=model.id,
- auth_target_type=AuthTargetType.MODEL,
- permission_list=[ResourcePermission.VIEW, ResourcePermission.MANAGE],
- workspace_id=workspace_id,
- user_id=self.data.get('user_id'),
- auth_type=ResourceAuthType.RESOURCE_PERMISSION_GROUP
- ).save()
- # 刷新缓存
- version = Cache_Version.PERMISSION_LIST.get_version()
- key = Cache_Version.PERMISSION_LIST.get_key(user_id=self.data.get('user_id'))
- cache.delete(key, version=version)
+ UserResourcePermissionSerializer(data={
+ 'workspace_id': self.data.get('workspace_id'),
+ 'user_id': self.data.get('user_id'),
+ 'auth_target_type': AuthTargetType.MODEL.value
+ }).auth_resource(str(model.id))
except Exception as save_error:
# 可添加日志记录
raise AppApiException(500, _("Model saving failed")) from save_error
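Review bot: The new grant passes `self.data.get('workspace_id')` where the removed code used the local `workspace_id` (old line `workspace_id=workspace_id`); that local is bound outside this hunk, so if it is derived differently from the serializer field the creator's row now lands in a different workspace than the model. Keeping `'workspace_id': workspace_id` preserves the previous behaviour. Separately, `auth_resource` now runs inside the same `try`, so a failure in the grant after `model.save()` succeeded is reported as `Model saving failed` while the model row persists without a creator grant; consider moving the grant after the `try` or giving it its own error message.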
diff --git a/apps/system_manage/serializers/user_resource_permission.py b/apps/system_manage/serializers/user_resource_permission.py
index 9f366f3e7..8f7d95bb0 100644
--- a/apps/system_manage/serializers/user_resource_permission.py
+++ b/apps/system_manage/serializers/user_resource_permission.py
@@ -29,6 +29,7 @@ from maxkb.conf import PROJECT_DIR
from models_provider.models import Model
from system_manage.models import WorkspaceUserResourcePermission, AuthTargetType
from tools.models import Tool
+from users.serializers.user import is_workspace_manage
class PermissionSerializer(serializers.Serializer):
@@ -101,6 +102,33 @@ class UserResourcePermissionSerializer(serializers.Serializer):
auth_target_type=self.data.get('auth_target_type'))
}
+ def auth_resource(self, resource_id: str):
+ self.is_valid(raise_exception=True)
+ workspace_manage = is_workspace_manage(self.data.get('user_id'), self.data.get('workspace_id'))
+ if not workspace_manage:
+ auth_target_type = self.data.get('auth_target_type')
+ workspace_id = self.data.get('workspace_id')
+ user_id = self.data.get('user_id')
+ wurp = QuerySet(WorkspaceUserResourcePermission).filter(auth_target_type=auth_target_type,
+ workspace_id=workspace_id).first()
+ auth_type = wurp.auth_type if wurp else ResourceAuthType.RESOURCE_PERMISSION_GROUP
+ # 自动授权给创建者
+ WorkspaceUserResourcePermission(
+ target=resource_id,
+ auth_target_type=auth_target_type,
+ permission_list=[ResourcePermission.VIEW,
+ ResourcePermission.MANAGE] if auth_type == ResourceAuthType.RESOURCE_PERMISSION_GROUP else [
+ ResourcePermissionRole.ROLE],
+ workspace_id=workspace_id,
+ user_id=user_id,
+ auth_type=auth_type
+ ).save()
+ # 刷新缓存
+ version = Cache_Version.PERMISSION_LIST.get_version()
+ key = Cache_Version.PERMISSION_LIST.get_key(user_id=user_id)
+ cache.delete(key, version=version)
+ return True
+
def list(self, user, with_valid=True):
if with_valid:
self.is_valid(raise_exception=True)
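Review bot: `auth_resource` derives `auth_type` from whichever `WorkspaceUserResourcePermission` row `.first()` returns for the target type in the workspace, regardless of user, and falls back to `RESOURCE_PERMISSION_GROUP` when no row exists; in a workspace configured for role-based authorization that has no rows yet, the first creator therefore receives a permission-group row that a role-based check may never consult — worth confirming against wherever the workspace's auth mode is actually stored. The method also lacks a docstring; I would add one stating that it grants the creating user VIEW+MANAGE (or the ROLE marker) on `resource_id`, is a no-op for workspace managers, and invalidates that user's `PERMISSION_LIST` cache entry. If `Cache_Version`, `cache`, `ResourceAuthType`, `ResourcePermission` and `ResourcePermissionRole` are not already imported in this file — the import hunk adds only `is_workspace_manage` — the new method fails at call time.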
diff --git a/apps/tools/serializers/tool.py b/apps/tools/serializers/tool.py
index e9ec68b7e..ab50c73e4 100644
--- a/apps/tools/serializers/tool.py
+++ b/apps/tools/serializers/tool.py
@@ -29,6 +29,7 @@ from common.utils.tool_code import ToolExecutor
from knowledge.models import File, FileSourceType
from maxkb.const import CONFIG, PROJECT_DIR
from system_manage.models import AuthTargetType, WorkspaceUserResourcePermission
+from system_manage.serializers.user_resource_permission import UserResourcePermissionSerializer
from tools.models import Tool, ToolScope, ToolFolder, ToolType
from tools.serializers.tool_folder import ToolFolderFlatSerializer
from users.serializers.user import is_workspace_manage
@@ -219,20 +220,11 @@ class ToolSerializer(serializers.Serializer):
).save()
# 自动授权给创建者
- WorkspaceUserResourcePermission(
- target=tool_id,
- auth_target_type=AuthTargetType.TOOL,
- permission_list=[ResourcePermission.VIEW, ResourcePermission.MANAGE],
- workspace_id=self.data.get('workspace_id'),
- user_id=self.data.get('user_id'),
- auth_type=ResourceAuthType.RESOURCE_PERMISSION_GROUP
- ).save()
-
- # 刷新缓存
- version = Cache_Version.PERMISSION_LIST.get_version()
- key = Cache_Version.PERMISSION_LIST.get_key(user_id=self.data.get('user_id'))
- cache.delete(key, version=version)
-
+ UserResourcePermissionSerializer(data={
+ 'workspace_id': self.data.get('workspace_id'),
+ 'user_id': self.data.get('user_id'),
+ 'auth_target_type': AuthTargetType.TOOL.value
+ }).auth_resource(str(tool_id))
return ToolSerializer.Operate(data={
'id': tool_id, 'workspace_id': self.data.get('workspace_id')
}).one()
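Review bot: With the inline grant and cache flush removed from `insert`, the `ResourceAuthType`, `ResourcePermission`, `Cache_Version` and `cache` names that code used may now be unused imports in tool.py unless other parts of the file reference them; the visible import hunk does not drop them. Also, `auth_resource` returns `True` on the workspace-manager path without writing a row, so this call cannot tell whether a grant was actually made; a comment such as `# workspace managers get no explicit row; auth_resource skips them` would make that dependency explicit. The enclosing `insert` method starts before this hunk.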
diff --git a/ui/src/views/application/component/CreateApplicationDialog.vue b/ui/src/views/application/component/CreateApplicationDialog.vue
index c2efbdc72..79155af01 100644
--- a/ui/src/views/application/component/CreateApplicationDialog.vue
+++ b/ui/src/views/application/component/CreateApplicationDialog.vue
@@ -82,16 +82,17 @@