feat: Backend permissions for resource authorization

zhanweizhang7 · zhanweizhang7 · commit 293c64df12ed · 2025-08-18T16:34:36.000+08:00
diff --git a/apps/locales/en_US/LC_MESSAGES/django.po b/apps/locales/en_US/LC_MESSAGES/django.po
@@ -8659,5 +8659,5 @@ msgstr ""
 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
 msgstr ""
 
-msgid "Resource authorization"
+msgid "resource authorization"
 msgstr ""
diff --git a/apps/locales/zh_CN/LC_MESSAGES/django.po b/apps/locales/zh_CN/LC_MESSAGES/django.po
@@ -8785,5 +8785,5 @@ msgstr "如果未传递，默认值为 这段音频在说什么，只回答音
 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
 msgstr "Qwen-Omni 系列模型支持输入多种模态的数据，包括视频、音频、图片、文本，并输出音频与文本"
 
-msgid "Resource authorization"
+msgid "resource authorization"
 msgstr "资源授权"
diff --git a/apps/locales/zh_Hant/LC_MESSAGES/django.po b/apps/locales/zh_Hant/LC_MESSAGES/django.po
@@ -8785,5 +8785,5 @@ msgstr "如果未傳遞，預設值為這段音訊在說什麼，只回答音訊
 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
 msgstr "Qwen-Omni系列模型支持輸入多種模態的數據，包括視頻、音訊、圖片、文字，並輸出音訊與文字"
 
-msgid "Resource authorization"
+msgid "resource authorization"
 msgstr "資源授權"
diff --git a/apps/system_manage/views/user_resource_permission.py b/apps/system_manage/views/user_resource_permission.py
@@ -15,7 +15,8 @@
 from common import result
 from common.auth import TokenAuth
 from common.auth.authentication import has_permissions
-from common.constants.permission_constants import PermissionConstants, RoleConstants, Permission, Group, Operate
+from common.constants.permission_constants import RoleConstants, Permission, Group, Operate, ViewPermission, \
+    CompareConstants
 from common.log.log import log
 from system_manage.api.user_resource_permission import UserResourcePermissionAPI, EditUserResourcePermissionAPI, \
     ResourceUserPermissionAPI, ResourceUserPermissionPageAPI, ResourceUserPermissionEditAPI, \
@@ -114,9 +115,18 @@ class WorkspaceResourceUserPermissionView(APIView):
         tags=[_('Resources authorization')]  # type: ignore
     )
     @has_permissions(
-        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
-                                     operate=Operate.AUTH),
-        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"),
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}"),
+        ViewPermission([RoleConstants.USER.get_workspace_role()],
+                       [lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                                     operate=Operate.SELF,
+                                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}")],
+                       CompareConstants.AND),
+        RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
     def get(self, request: Request, workspace_id: str, target: str, resource: str):
         return result.success(ResourceUserPermissionSerializer(
             data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource,
@@ -139,9 +149,18 @@ def get(self, request: Request, workspace_id: str, target: str, resource: str):
          get_operation_object=lambda r, k: get_user_operation_object(k.get('user_id'))
          )
     @has_permissions(
-        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
-                                     operate=Operate.AUTH),
-        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"),
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}"),
+        ViewPermission([RoleConstants.USER.get_workspace_role()],
+                       [lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                                     operate=Operate.SELF,
+                                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}")],
+                       CompareConstants.AND),
+        RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
     def put(self, request: Request, workspace_id: str, target: str, resource: str):
         return result.success(ResourceUserPermissionSerializer(
             data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource, })
@@ -160,9 +179,18 @@ class Page(APIView):
             tags=[_('Resources authorization')]  # type: ignore
         )
         @has_permissions(
-            lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
-                                         operate=Operate.AUTH),
-            RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+            lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                         operate=Operate.AUTH,
+                                         resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/ROLE/WORKSPACE_MANAGE"),
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.AUTH,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}"),
+             ViewPermission([RoleConstants.USER.get_workspace_role()],
+                           [lambda r, kwargs: Permission(group=Group(kwargs.get('resource')),
+                                     operate=Operate.SELF,
+                                     resource_path=f"/WORKSPACE/{kwargs.get('workspace_id')}/{kwargs.get('resource')}/{kwargs.get('target')}")],
+                           CompareConstants.AND),
+            RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
         def get(self, request: Request, workspace_id: str, target: str, resource: str, current_page: int,
                 page_size: int):
             return result.success(ResourceUserPermissionSerializer(
