feat: Resource authorization permission

Author: zhanweizhang7

apps/common/constants/permission_constants.py

@@ -170,6 +170,7 @@ class Operate(Enum):
     TO_CHAT = "READ+TO_CHAT"  # 去对话
     SETTING = "READ+SETTING"  # 管理
     DOWNLOAD = "READ+DOWNLOAD"  # 下载
+    AUTH = "READ+AUTH"
 
 
 class RoleGroup(Enum):
@@ -335,6 +336,7 @@ def get_workspace_role(self):
     Operate.DD.value: _('Dingding'),
     Operate.WEIXIN_PUBLIC_ACCOUNT.value: _('Weixin Public Account'),
     Operate.ADD_KNOWLEDGE.value: _('Add to Knowledge Base'),
+    Operate.AUTH.value:_('resource authorization'),
     Group.APPLICATION_OVERVIEW.value: _('Overview'),
     Group.APPLICATION_ACCESS.value: _('Application Access'),
     Group.APPLICATION_CHAT_USER.value: _('Dialogue users'),
@@ -481,6 +483,11 @@ class PermissionConstants(Enum):
         parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL],
         resource_permission_group_list=[ResourcePermissionConst.MODEL_MANGE]
     )
+    MODEL_RESOURCE_AUTHORIZATION = Permission(
+        group=Group.MODEL, operate=Operate.AUTH, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL],
+        resource_permission_group_list=[ResourcePermissionConst.MODEL_MANGE]
+    )
     TOOL_READ = Permission(
         group=Group.TOOL, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
         parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL],
@@ -520,6 +527,11 @@ class PermissionConstants(Enum):
         parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL],
         resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE]
     )
+    TOOL_RESOURCE_AUTHORIZATION = Permission(
+        group=Group.TOOL, operate=Operate.AUTH, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL],
+        resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE]
+    )
     KNOWLEDGE_READ = Permission(
         group=Group.KNOWLEDGE, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
         resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW],
@@ -560,6 +572,11 @@ class PermissionConstants(Enum):
         resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE],
         parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE]
     )
+    KNOWLEDGE_RESOURCE_AUTHORIZATION = Permission(
+        group=Group.KNOWLEDGE, operate=Operate.AUTH, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE],
+        parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE]
+    )
     KNOWLEDGE_DOCUMENT_READ = Permission(
         group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.READ,
         role_list=[RoleConstants.ADMIN, RoleConstants.USER],
@@ -819,7 +836,11 @@ class PermissionConstants(Enum):
                                   parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION],
                                   resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE],
                                   )
-
+    APPLICATION_RESOURCE_AUTHORIZATION = Permission(group=Group.APPLICATION, operate=Operate.AUTH,
+                                  role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+                                  parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION],
+                                  resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE],
+                                  )
     APPLICATION_OVERVIEW_READ = Permission(group=Group.APPLICATION_OVERVIEW, operate=Operate.READ,
                                            role_list=[RoleConstants.ADMIN, RoleConstants.USER],
                                            parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION],

apps/locales/en_US/LC_MESSAGES/django.po

@@ -8657,4 +8657,7 @@ msgid "If not passed, the default value is What is this audio saying? Only answe
 msgstr ""
 
 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
+msgstr ""
+
+msgid "Resource authorization"
 msgstr ""

apps/locales/zh_CN/LC_MESSAGES/django.po

@@ -8783,4 +8783,7 @@ msgid "If not passed, the default value is What is this audio saying? Only answe
 msgstr "如果未传递，默认值为 这段音频在说什么，只回答音频的内容"
 
 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
-msgstr "Qwen-Omni 系列模型支持输入多种模态的数据，包括视频、音频、图片、文本，并输出音频与文本"
+msgstr "Qwen-Omni 系列模型支持输入多种模态的数据，包括视频、音频、图片、文本，并输出音频与文本"
+
+msgid "Resource authorization"
+msgstr "资源授权"

apps/locales/zh_Hant/LC_MESSAGES/django.po

@@ -8783,4 +8783,7 @@ msgid "If not passed, the default value is What is this audio saying? Only answe
 msgstr "如果未傳遞，預設值為這段音訊在說什麼，只回答音訊的內容"
 
 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
-msgstr "Qwen-Omni系列模型支持輸入多種模態的數據，包括視頻、音訊、圖片、文字，並輸出音訊與文字"
+msgstr "Qwen-Omni系列模型支持輸入多種模態的數據，包括視頻、音訊、圖片、文字，並輸出音訊與文字"
+
+msgid "Resource authorization"
+msgstr "資源授權"

apps/system_manage/views/user_resource_permission.py

@@ -89,6 +89,10 @@ class Page(APIView):
             responses=UserResourcePermissionPageAPI.get_response(),
             tags=[_('Resources authorization')]  # type: ignore
         )
+        @has_permissions(
+            lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_WORKSPACE_USER_RESOURCE_PERMISSION'),
+                                         operate=Operate.READ),
+            RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
         def get(self, request: Request, workspace_id: str, user_id: str, resource: str, current_page: str,
                 page_size: str):
             return result.success(UserResourcePermissionSerializer(
@@ -109,6 +113,10 @@ class WorkspaceResourceUserPermissionView(APIView):
         responses=ResourceUserPermissionAPI.get_response(),
         tags=[_('Resources authorization')]  # type: ignore
     )
+    @has_permissions(
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
+                                     operate=Operate.AUTH),
+        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
     def get(self, request: Request, workspace_id: str, target: str, resource: str):
         return result.success(ResourceUserPermissionSerializer(
             data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource,
@@ -127,6 +135,13 @@ def get(self, request: Request, workspace_id: str, target: str, resource: str):
         responses=ResourceUserPermissionEditAPI.get_response(),
         tags=[_('Resources authorization')]  # type: ignore
     )
+    @log(menu='System', operate='Edit user authorization status of resource',
+         get_operation_object=lambda r, k: get_user_operation_object(k.get('user_id'))
+         )
+    @has_permissions(
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
+                                     operate=Operate.AUTH),
+        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
     def put(self, request: Request, workspace_id: str, target: str, resource: str):
         return result.success(ResourceUserPermissionSerializer(
             data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource, })
@@ -144,6 +159,10 @@ class Page(APIView):
             responses=ResourceUserPermissionPageAPI.get_response(),
             tags=[_('Resources authorization')]  # type: ignore
         )
+        @has_permissions(
+            lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
+                                         operate=Operate.AUTH),
+            RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
         def get(self, request: Request, workspace_id: str, target: str, resource: str, current_page: int,
                 page_size: int):
             return result.success(ResourceUserPermissionSerializer(

ui/src/views/system/resource-authorization/constant.ts

@@ -1,7 +1,11 @@
 import { AuthorizationEnum } from '@/enums/system'
 import { t } from '@/locales'
+import { hasPermission } from '@/utils/permission'
+import { EditionConst } from '@/utils/permission/data'
 
-export const permissionOptions = [
+const notCommunity = hasPermission([EditionConst.IS_EE,EditionConst.IS_PE],'OR')
+
+const permissionOptions = [
   {
     label: t('views.system.resourceAuthorization.setting.notAuthorized'),
     value: AuthorizationEnum.NOT_AUTH,
@@ -17,9 +21,16 @@ export const permissionOptions = [
     value: AuthorizationEnum.MANAGE,
     desc: t('views.system.resourceAuthorization.setting.managementDesc'),
   },
-  {
+]
+
+if (notCommunity) {
+  permissionOptions.push(
+    {
     label: t('views.system.resourceAuthorization.setting.role'),
     value: AuthorizationEnum.ROLE,
     desc: t('views.system.resourceAuthorization.setting.roleDesc'),
   },
-]
+  )
+}
+
+export {permissionOptions}