From e8418f6f5c22b9fca09dd694ba7c1480d8412707 Mon Sep 17 00:00:00 2001
From: shaohuzhang1 <80892890+shaohuzhang1@users.noreply.github.com>
Date: Wed, 2 Jul 2025 14:26:57 +0800
Subject: [PATCH] fix: role user permission (#3452)
---
 apps/common/auth/handle/impl/user_token.py | 20 ++++++++++---------
 apps/common/constants/permission_constants.py | 15 ++++++++++++++
 2 files changed, 26 insertions(+), 9 deletions(-)
diff --git a/apps/common/auth/handle/impl/user_token.py b/apps/common/auth/handle/impl/user_token.py
index 217761236..d876ad346 100644
--- a/apps/common/auth/handle/impl/user_token.py
+++ b/apps/common/auth/handle/impl/user_token.py
@@ -127,7 +127,8 @@ def get_workspace_resource_permission_list_by_workspace_user_permission( ResourcePermissionRole.ROLE)): return [ f"{role_permission_mapping.permission_id}:/WORKSPACE/{workspace_user_resource_permission.workspace_id}/{workspace_user_resource_permission.auth_target_type}/{workspace_user_resource_permission.target}" - for role_permission_mapping in role_permission_mapping_list] + for role_permission_mapping in role_permission_mapping_list] + [ + f"{workspace_user_resource_permission.auth_target_type}:/WORKSPACE/{workspace_user_resource_permission.workspace_id}/{workspace_user_resource_permission.auth_target_type}/{workspace_user_resource_permission.target}"] elif workspace_user_resource_permission.auth_type == ResourceAuthType.RESOURCE_PERMISSION_GROUP: resource_permission_list = [
@@ -230,7 +231,7 @@ def reset_workspace_role(role_id, workspace_id, role_dict): if system_role == role_id: return role_id else: - return f"{role_id}:/WORKSPACE/{workspace_id}" + return [f"{role_id}:/WORKSPACE/{workspace_id}", role_id] else: r = role_dict.get(role_id) if r is None: 
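Review bot: The bare `{auth_target_type}:/WORKSPACE/{workspace_id}/{auth_target_type}/{target}` entry is appended unconditionally inside the ROLE branch, so it is emitted even when `role_permission_mapping_list` is empty, i.e. when the role grants no operation at all on that resource; if the new `Operate.SELF` permission is meant to mean "this resource is assigned to the user" that may be intended, but nothing in the hunk says so. The entry's permission id is also derived purely from `auth_target_type`, with no check that a matching `Operate.SELF` constant exists in permission_constants.py, so the coupling is implicit. I would add above the `return [`: `# Alongside the role's permission ids, emit the bare "<TYPE>" (Operate.SELF) id so the resource itself is treated as assigned; relies on auth_target_type equalling the PermissionConstants group name — TODO confirm for every target type`. The enclosing function starts before this hunk and the branch condition is only partly visible.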
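Review bot: `return role_id` in the `if system_role == role_id` branch still returns a scalar while the sibling branch now returns a two-element list, and the only caller visible in this patch folds the results with `[*x, *y]`; if `role_id` is a `str`, `*y` unpacks it into single characters, so the system role would silently disappear from `role_list` and be replaced by one-letter garbage entries. Return a list on every path: `return [role_id]`. The function's remaining branch (`if r is None:`) continues outside this hunk and needs the same treatment if it returns a string.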
@@ -238,7 +239,7 @@ def reset_workspace_role(role_id, workspace_id, role_dict): role_type = role_dict.get(role_id).type if system_role == role_type: return RoleConstants.EXTENDS_ADMIN.value.name - return f"EXTENDS_{role_type}:/WORKSPACE/{workspace_id}" + return [f"EXTENDS_{role_type}:/WORKSPACE/{workspace_id}", f"EXTENDS_{role_type}"] def get_role_list(user,
@@ -260,12 +261,13 @@ def get_role_list(user, workspace_user_role_mapping_list = QuerySet(workspace_user_role_mapping_model).filter(user_id=user.id) role_list = QuerySet(role_model).filter(id__in=[wurm.role_id for wurm in workspace_user_role_mapping_list]) role_dict = {r.id: r for r in role_list} - role_list = list(set([reset_workspace_role(workspace_user_role_mapping.role_id, - workspace_user_role_mapping.workspace_id, - role_dict) - for - workspace_user_role_mapping in - workspace_user_role_mapping_list])) + role_list = list( + set(reduce(lambda x, y: [*x, *y], [reset_workspace_role(workspace_user_role_mapping.role_id, + workspace_user_role_mapping.workspace_id, + role_dict) + for + workspace_user_role_mapping in + workspace_user_role_mapping_list], []))) cache.set(key, workspace_list, version=version) return role_list else:
diff --git a/apps/common/constants/permission_constants.py b/apps/common/constants/permission_constants.py
index d5cea649f..d26885402 100644
--- a/apps/common/constants/permission_constants.py
+++ b/apps/common/constants/permission_constants.py
@@ -125,6 +125,7 @@ class Operate(Enum): """ 一个权限组的操作权限 """ + SELF = "" READ = 'READ' EDIT = "READ+EDIT" CREATE = "READ+CREATE"
@@ -161,6 +162,7 @@ class Operate(Enum): SETTING = "READ+SETTING" # 管理 DOWNLOAD = "READ+DOWNLOAD" # 下载 + class RoleGroup(Enum): # 系统用户 SYSTEM_USER = "SYSTEM_USER" 
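Review bot: `return RoleConstants.EXTENDS_ADMIN.value.name` is left as a bare string while the line directly below now returns a list, so the function's return type depends on which branch runs; with the `reduce(lambda x, y: [*x, *y], ...)` fold in `get_role_list` a string return is unpacked character by character instead of being added as one role key. Make it `return [RoleConstants.EXTENDS_ADMIN.value.name]` and annotate the signature `-> list[str]` so the contract is explicit. A one-line docstring saying that every path returns the list of role keys the mapping expands to (workspace-scoped key plus the unscoped one) would help, since callers now depend on that shape. `reset_workspace_role` begins before this hunk.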
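Review bot: The `reduce(lambda x, y: [*x, *y], ..., [])` fold assumes every value from `reset_workspace_role` is a list, but two branches of that helper in this same patch still return a plain string (`return role_id` and `return RoleConstants.EXTENDS_ADMIN.value.name`), and `*y` on a string yields its characters, so system-admin mappings would contribute single-letter entries to `role_list` instead of the role. Normalising at this call site keeps the fold safe whichever shape the helper returns, and a nested comprehension is linear rather than re-copying the accumulator on every step (no `reduce` import is visible in this hunk either). Separately, the context line `cache.set(key, workspace_list, version=version)` stores `workspace_list` although the function returns `role_list`; if the cache-hit path reads that key back as the role list this is a pre-existing authorization bug worth confirming. `get_role_list` starts before this hunk and its `else:` branch continues after it.
```python
role_dict = {r.id: r for r in role_list}
resolved = [reset_workspace_role(mapping.role_id, mapping.workspace_id, role_dict)
            for mapping in workspace_user_role_mapping_list]
# reset_workspace_role returns a list on most paths but a bare str on some; wrap the latter
role_list = list({role
                  for roles in resolved
                  for role in (roles if isinstance(roles, list) else [roles])})
# … unchanged: cache.set / return role_list …
```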
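Review bot: `SELF = ""` is the only `Operate` member whose value is the empty string and it carries no comment, while every other member embeds `READ` (`"READ+EDIT"`, `"READ+CREATE"`); code that splits the value on `+` or tests it for truthiness will treat SELF as "no operation", which may be the intent but is easy to misread next to the READ-prefixed values. I would write `SELF = ""  # marker only: the resource is assigned to the user; grants no operation by itself (no implicit READ)`. Whether permission ids built from this value reduce to just the group name — which the user_token.py hunk assumes by emitting a bare `auth_target_type` — is not visible here and should be confirmed. The `Operate` class starts before this hunk and continues after it.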
@@ -405,6 +407,19 @@ class PermissionConstants(Enum): """ 权限枚举 """ + KNOWLEDGE = Permission( + group=Group.KNOWLEDGE, operate=Operate.SELF, role_list=[RoleConstants.ADMIN, RoleConstants.USER] + ) + APPLICATION = Permission( + group=Group.APPLICATION, operate=Operate.SELF, role_list=[RoleConstants.ADMIN, RoleConstants.USER], + ) + MODEL = Permission( + group=Group.MODEL, operate=Operate.SELF, role_list=[RoleConstants.ADMIN, RoleConstants.USER], + ) + TOOL = Permission( + group=Group.TOOL, operate=Operate.SELF, role_list=[RoleConstants.ADMIN, RoleConstants.USER], + ) + USER_READ = Permission( group=Group.USER, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER], parent_group=[SystemGroup.USER_MANAGEMENT]
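Review bot: The four new `Permission` entries carry `role_list=[RoleConstants.ADMIN, RoleConstants.USER]`, and if `role_list` means the roles that hold a permission unconditionally then every USER-role holder receives the KNOWLEDGE/APPLICATION/MODEL/TOOL marker workspace-wide, bypassing the per-resource `…:/WORKSPACE/…/<type>/<target>` scoping that the user_token.py hunk builds; confirm the marker only takes effect when combined with a resource path. Unlike `USER_READ` directly below they also omit `parent_group`, which should be stated as deliberate, and `KNOWLEDGE` lacks the trailing comma the other three have. A comment above `KNOWLEDGE =` such as `# Operate.SELF markers: "the resource itself is assigned to the user"; resolved per resource in user_token.py, not workspace-wide — TODO confirm` would make the intent explicit. `PermissionConstants` starts before this hunk and continues after it.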