fix: Chat log add to knowledge permission

--bug=1060944 --user=张展玮 【权限】用户只有知识库的查看权限，但可以将对话日志中的信息添加到知识库作为分段，并可删除 https://www.tapd.cn/62980211/s/1763639

Author: zhanweizhang7

apps/application/serializers/application_chat_record.py

@@ -20,8 +20,10 @@
 from application.models import ChatRecord, ApplicationAccessToken, Application
 from application.serializers.application_chat import ChatCountSerializer
 from application.serializers.common import ChatInfo
+from common.auth.authentication import get_is_permissions
+from common.constants.permission_constants import PermissionConstants, RoleConstants, ViewPermission, CompareConstants
 from common.db.search import page_search
-from common.exception.app_exception import AppApiException
+from common.exception.app_exception import AppApiException, AppUnauthorizedFailed
 from common.utils.common import post
 from knowledge.models import Paragraph, Document, Problem, ProblemParagraphMapping, Knowledge
 from knowledge.serializers.common import get_embedding_model_id_by_knowledge_id, update_document_char_length
@@ -254,8 +256,27 @@ def post_embedding_paragraph(paragraph_ids, knowledge_id):
 
     @post(post_function=post_embedding_paragraph)
     @transaction.atomic
-    def post_improve(self, instance: Dict):
-        ApplicationChatRecordAddKnowledgeSerializer(data=instance).is_valid(raise_exception=True)
+    def post_improve(self, instance: Dict, request=None, scope='WORKSPACE', with_valid=True):
+        if with_valid:
+            ApplicationChatRecordAddKnowledgeSerializer(data=instance).is_valid(raise_exception=True)
+        self.is_valid(raise_exception=True)
+        if scope == 'WORKSPACE':
+            is_permission = get_is_permissions(request=request, workspace_id=self.data.get('workspace_id'),
+                                               knowledge_id=self.data.get("knowledge_id"))(
+                PermissionConstants.KNOWLEDGE_DOCUMENT_EDIT.get_workspace_knowledge_permission(),
+                PermissionConstants.KNOWLEDGE_DOCUMENT_EDIT.get_workspace_permission_workspace_manage_role(),
+                RoleConstants.WORKSPACE_MANAGE.get_workspace_role(),
+                ViewPermission([RoleConstants.USER.get_workspace_role()],
+                               [PermissionConstants.KNOWLEDGE.get_workspace_knowledge_permission()],
+                               CompareConstants.AND),
+            )
+        else:
+            is_permission = get_is_permissions(request=request, workspace_id=self.data.get('workspace_id'),
+                                               knowledge_id=self.data.get("knowledge_id"))(
+                PermissionConstants.RESOURCE_KNOWLEDGE_DOCUMENT_EDIT, RoleConstants.ADMIN
+            )
+        if not is_permission:
+            raise AppUnauthorizedFailed(403, gettext('No permission to access'))
 
         chat_ids = instance['chat_ids']
         document_id = instance['document_id']
@@ -372,9 +393,26 @@ def post_embedding_paragraph(chat_record, paragraph_id, knowledge_id):
 
     @post(post_function=post_embedding_paragraph)
     @transaction.atomic
-    def improve(self, instance: Dict, with_valid=True):
+    def improve(self, instance: Dict, request=None, scope='WORKSPACE', with_valid=True):
         if with_valid:
             self.is_valid(raise_exception=True)
+        if scope == 'WORKSPACE':
+            is_permission = get_is_permissions(request, workspace_id=self.data.get('workspace_id'),
+                                               knowledge_id=self.data.get("knowledge_id"))(
+                PermissionConstants.KNOWLEDGE_DOCUMENT_EDIT.get_workspace_knowledge_permission(),
+                PermissionConstants.KNOWLEDGE_DOCUMENT_EDIT.get_workspace_permission_workspace_manage_role(),
+                RoleConstants.WORKSPACE_MANAGE.get_workspace_role(),
+                ViewPermission([RoleConstants.USER.get_workspace_role()],
+                               [PermissionConstants.KNOWLEDGE.get_workspace_knowledge_permission()],
+                               CompareConstants.AND),
+            )
+        else:
+            is_permission = get_is_permissions(request, workspace_id=self.data.get('workspace_id'),
+                                               knowledge_id=self.data.get("knowledge_id"))(
+                PermissionConstants.RESOURCE_KNOWLEDGE_DOCUMENT_EDIT, RoleConstants.ADMIN
+            )
+        if not is_permission:
+            raise AppUnauthorizedFailed(403, gettext('No permission to access'))
         ApplicationChatRecordImproveInstanceSerializer(data=instance).is_valid(raise_exception=True)
         chat_record_id = self.data.get('chat_record_id')
         chat_id = self.data.get('chat_id')
@@ -427,9 +465,28 @@ class Operate(serializers.Serializer):
 
         workspace_id = serializers.CharField(required=True, label=_("Workspace ID"))
 
-        def delete(self, with_valid=True):
+        def delete(self, request=None, scope='WORKSPACE', with_valid=True):
             if with_valid:
                 self.is_valid(raise_exception=True)
+                if scope == 'WORKSPACE':
+                    is_permission = get_is_permissions(request=request, workspace_id=self.data.get('workspace_id'),
+                                                       knowledge_id=self.data.get("knowledge_id"))(
+                        PermissionConstants.KNOWLEDGE_DOCUMENT_EDIT.get_workspace_knowledge_permission(),
+                        PermissionConstants.KNOWLEDGE_DOCUMENT_EDIT.get_workspace_permission_workspace_manage_role(),
+                        RoleConstants.WORKSPACE_MANAGE.get_workspace_role(),
+                        ViewPermission([RoleConstants.USER.get_workspace_role()],
+                                       [PermissionConstants.KNOWLEDGE.get_workspace_knowledge_permission()],
+                                       CompareConstants.AND),
+                    )
+                else:
+                    is_permission = get_is_permissions(request=request, workspace_id=self.data.get('workspace_id'),
+                                                       knowledge_id=self.data.get("knowledge_id"))(
+                        PermissionConstants.RESOURCE_KNOWLEDGE_DOCUMENT_EDIT, RoleConstants.ADMIN
+                    )
+
+                if not is_permission:
+                    raise AppUnauthorizedFailed(403, gettext('No permission to access'))
+
             workspace_id = self.data.get('workspace_id')
             chat_record_id = self.data.get('chat_record_id')
             chat_id = self.data.get('chat_id')

apps/application/views/application_chat_record.py

@@ -129,7 +129,7 @@ class ApplicationChatRecordAddKnowledge(APIView):
                      RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
     def post(self, request: Request, workspace_id: str, application_id: str):
         return result.success(ApplicationChatRecordAddKnowledgeSerializer().post_improve(
-            {'workspace_id': workspace_id, 'application_id': application_id, **request.data}))
+            {'workspace_id': workspace_id, 'application_id': application_id, **request.data}, request=request))
 
 
 class ApplicationChatRecordImprove(APIView):
@@ -186,7 +186,7 @@ def put(self, request: Request,
         return result.success(ApplicationChatRecordImproveSerializer(
             data={'workspace_id': workspace_id, 'application_id': application_id, 'chat_id': chat_id,
                   'chat_record_id': chat_record_id,
-                  'knowledge_id': knowledge_id, 'document_id': document_id}).improve(request.data))
+                  'knowledge_id': knowledge_id, 'document_id': document_id}).improve(request.data, request=request))
 
     class Operate(APIView):
         authentication_classes = [TokenAuth]
@@ -214,4 +214,4 @@ def delete(self, request: Request, workspace_id: str, application_id: str, chat_
                 data={'chat_id': chat_id, 'chat_record_id': chat_record_id, 'workspace_id': workspace_id,
                       'application_id': application_id,
                       'knowledge_id': knowledge_id, 'document_id': document_id,
-                      'paragraph_id': paragraph_id}).delete())
+                      'paragraph_id': paragraph_id}).delete(request=request))