feat: user resource permission (#3422)

Author: shaohuzhang1

apps/common/auth/handle/impl/user_token.py

@@ -20,7 +20,7 @@
 from common.constants.permission_constants import Auth, PermissionConstants, ResourcePermissionGroup, \
     get_permission_list_by_resource_group, ResourceAuthType, \
     ResourcePermissionRole, get_default_role_permission_mapping_list, get_default_workspace_user_role_mapping_list, \
-    RoleConstants
+    RoleConstants, ResourcePermission, Resource
 from common.database_model_manage.database_model_manage import DatabaseModelManage
 from common.exception.app_exception import AppAuthenticationFailed
 from common.utils.common import group_by
@@ -132,9 +132,11 @@ def get_workspace_resource_permission_list_by_workspace_user_permission(
         resource_permission_list = [
             [
                 f"{permission}:/WORKSPACE/{workspace_user_resource_permission.workspace_id}/{workspace_user_resource_permission.auth_target_type}/{workspace_user_resource_permission.target}"
-                for permission in get_permission_list_by_resource_group(ResourcePermissionGroup[resource_permission])]
+                for permission in get_permission_list_by_resource_group(
+                ResourcePermissionGroup(Resource(workspace_user_resource_permission.auth_target_type),
+                                        ResourcePermission(resource_permission)))]
             for resource_permission in workspace_user_resource_permission.permission_list if
-            ResourcePermissionGroup.values.__contains__(resource_permission)]
+            ResourcePermission.values.__contains__(resource_permission)]
         # 将二维数组扁平为一维
         return reduce(lambda x, y: [*x, *y], resource_permission_list, [])
     return []

apps/common/constants/permission_constants.py

@@ -12,7 +12,7 @@
 from django.db import models
 
 from common.constants.permission_constants import Group, ResourcePermissionGroup, ResourceAuthType, \
-    ResourcePermissionRole
+    ResourcePermissionRole, ResourcePermission
 from users.models import User
 
 
@@ -48,8 +48,8 @@ class WorkspaceUserResourcePermission(models.Model):
                                  default=list,
                                  base_field=models.CharField(max_length=256,
                                                              blank=True,
-                                                             choices=ResourcePermissionGroup.choices + ResourcePermissionRole.choices,
-                                                             default=ResourcePermissionGroup.VIEW))
+                                                             choices=ResourcePermission.choices + ResourcePermissionRole.choices,
+                                                             default=ResourcePermission.VIEW))
 
     create_time = models.DateTimeField(verbose_name="创建时间", auto_now_add=True)
 

apps/system_manage/models/workspace_user_permission.py

@@ -17,7 +17,7 @@
 from application.models import Application
 from common.constants.cache_version import Cache_Version
 from common.constants.permission_constants import get_default_workspace_user_role_mapping_list, RoleConstants, \
-    ResourcePermissionGroup, ResourcePermissionRole, ResourceAuthType
+    ResourcePermission, ResourcePermissionRole, ResourceAuthType
 from common.database_model_manage.database_model_manage import DatabaseModelManage
 from common.db.search import native_search
 from common.db.sql_execute import select_list
@@ -51,7 +51,6 @@ class UserResourcePermissionResponse(serializers.Serializer):
 
 
 class UpdateTeamMemberItemPermissionSerializer(serializers.Serializer):
-    auth_target_type = serializers.ChoiceField(required=True, choices=AuthTargetType.choices, label="授权资源")
     target_id = serializers.CharField(required=True, label=_('target id'))
     auth_type = serializers.ChoiceField(required=True, choices=ResourceAuthType.choices, label="授权类型")
     permission = PermissionSerializer(required=True, many=False)
@@ -60,34 +59,46 @@ class UpdateTeamMemberItemPermissionSerializer(serializers.Serializer):
 class UpdateUserResourcePermissionRequest(serializers.Serializer):
     user_resource_permission_list = UpdateTeamMemberItemPermissionSerializer(required=True, many=True)
 
-    def is_valid(self, *, workspace_id=None, raise_exception=False):
+    def is_valid(self, *, auth_target_type=None, workspace_id=None, raise_exception=False):
         super().is_valid(raise_exception=True)
-        user_resource_permission_list = self.data.get("user_resource_permission_list")
+        user_resource_permission_list = [{'target_id': urp.get('target_id'), 'auth_target_type': auth_target_type} for
+                                         urp in
+                                         self.data.get("user_resource_permission_list")]
         illegal_target_id_list = select_list(
             get_file_content(
                 os.path.join(PROJECT_DIR, "apps", "system_manage", 'sql', 'check_member_permission_target_exists.sql')),
             [json.dumps(user_resource_permission_list), workspace_id, workspace_id, workspace_id, workspace_id])
         if illegal_target_id_list is not None and len(illegal_target_id_list) > 0:
             raise AppApiException(500,
-                                  _('Non-existent application|knowledge base id[') + str(illegal_target_id_list) + ']')
+                                  _('Non-existent id[') + str(illegal_target_id_list) + ']')
+
+
+m_map = {
+    "KNOWLEDGE": Knowledge,
+    'TOOL': Tool,
+    'MODEL': Model,
+    'APPLICATION': Application,
+}
+sql_map = {
+    "KNOWLEDGE": 'get_knowledge_user_resource_permission.sql',
+    'TOOL': 'get_tool_user_resource_permission.sql',
+    'MODEL': 'get_model_user_resource_permission.sql',
+    'APPLICATION': 'get_application_user_resource_permission.sql'
+}
 
 
 class UserResourcePermissionSerializer(serializers.Serializer):
     workspace_id = serializers.CharField(required=True, label=_('workspace id'))
     user_id = serializers.CharField(required=True, label=_('user id'))
+    auth_target_type = serializers.CharField(required=True, label=_('resource'))
 
     def get_queryset(self):
         return {
-            "knowledge_query_set": QuerySet(Knowledge)
-            .filter(workspace_id=self.data.get('workspace_id')),
-            'tool_query_set': QuerySet(Tool)
-            .filter(workspace_id=self.data.get('workspace_id')),
-            'model_query_set': QuerySet(Model)
-            .filter(workspace_id=self.data.get('workspace_id')),
-            'application_query_set': QuerySet(Application)
-            .filter(workspace_id=self.data.get('workspace_id')),
+            'query_set': QuerySet(m_map.get(self.data.get('auth_target_type'))).filter(
+                workspace_id=self.data.get('workspace_id')),
             'workspace_user_resource_permission_query_set': QuerySet(WorkspaceUserResourcePermission).filter(
-                workspace_id=self.data.get('workspace_id'), user=self.data.get('user_id'))
+                workspace_id=self.data.get('workspace_id'), user=self.data.get('user_id'),
+                auth_target_type=self.data.get('auth_target_type'))
         }
 
     def list(self, user, with_valid=True):
@@ -97,7 +108,7 @@ def list(self, user, with_valid=True):
         user_id = self.data.get("user_id")
         # 用户权限列表
         user_resource_permission_list = native_search(self.get_queryset(), get_file_content(
-            os.path.join(PROJECT_DIR, "apps", "system_manage", 'sql', 'get_user_resource_permission.sql')))
+            os.path.join(PROJECT_DIR, "apps", "system_manage", 'sql', sql_map.get(self.data.get('auth_target_type')))))
         workspace_user_role_mapping_model = DatabaseModelManage.get_model("workspace_user_role_mapping")
         workspace_model = DatabaseModelManage.get_model("workspace_model")
         if workspace_user_role_mapping_model and workspace_model:
@@ -112,14 +123,14 @@ def list(self, user, with_valid=True):
         if is_workspace_manage:
             user_resource_permission_list = list(
                 map(lambda row: {**row,
-                                 'permission': {ResourcePermissionGroup.VIEW.value: True,
-                                                ResourcePermissionGroup.MANAGE.value: True,
+                                 'permission': {ResourcePermission.VIEW.value: True,
+                                                ResourcePermission.MANAGE.value: True,
                                                 ResourcePermissionRole.ROLE.value: True}},
                     user_resource_permission_list))
         return group_by([{**user_resource_permission, 'permission': {
             permission: True if user_resource_permission.get('permission_list').__contains__(permission) else False for
             permission in
-            [ResourcePermissionGroup.VIEW.value, ResourcePermissionGroup.MANAGE.value,
+            [ResourcePermission.VIEW.value, ResourcePermission.MANAGE.value,
              ResourcePermissionRole.ROLE.value]}}
             for user_resource_permission in user_resource_permission_list],
             key=lambda item: item.get('auth_target_type'))
@@ -128,14 +139,16 @@ def edit(self, instance, user, with_valid=True):
         if with_valid:
             self.is_valid(raise_exception=True)
             UpdateUserResourcePermissionRequest(data=instance).is_valid(raise_exception=True,
+                                                                        auth_target_type=self.data.get(
+                                                                            'auth_target_type'),
                                                                         workspace_id=self.data.get('workspace_id'))
         workspace_id = self.data.get("workspace_id")
         user_id = self.data.get("user_id")
         update_list = []
         save_list = []
         user_resource_permission_list = instance.get('user_resource_permission_list')
         workspace_user_resource_permission_exist_list = QuerySet(WorkspaceUserResourcePermission).filter(
-            workspace_id=workspace_id, user_id=user_id)
+            workspace_id=workspace_id, user_id=user_id, auth_target_type=self.data.get('auth_target_type'))
         for user_resource_permission in user_resource_permission_list:
             exist_list = [user_resource_permission_exist for user_resource_permission_exist in
                           workspace_user_resource_permission_exist_list if
@@ -147,8 +160,7 @@ def edit(self, instance, user, with_valid=True):
                 update_list.append(exist_list[0])
             else:
                 save_list.append(WorkspaceUserResourcePermission(target=user_resource_permission.get('target_id'),
-                                                                 auth_target_type=user_resource_permission.get(
-                                                                     'auth_target_type'),
+                                                                 auth_target_type=self.data.get('auth_target_type'),
                                                                  permission_list=[key for key in
                                                                                   user_resource_permission.get(
                                                                                       'permission').keys() if

apps/system_manage/serializers/user_resource_permission.py

@@ -0,0 +1,17 @@
+SELECT app_or_knowledge.*,
+      COALESCE(workspace_user_resource_permission.permission_list,'{}')::varchar[] as permission_list,
+      COALESCE(workspace_user_resource_permission.auth_type,'ROLE') as auth_type
+FROM (SELECT "id",
+             "name",
+             'APPLICATION' AS "auth_target_type",
+             user_id,
+             workspace_id,
+             icon,
+             folder_id
+      FROM application
+      ${query_set}
+   ) app_or_knowledge
+         LEFT JOIN (SELECT *
+                    FROM workspace_user_resource_permission
+                     ${workspace_user_resource_permission_query_set}) workspace_user_resource_permission
+                   ON workspace_user_resource_permission.target = app_or_knowledge."id";

apps/system_manage/sql/get_application_user_resource_permission.sql

@@ -0,0 +1,17 @@
+SELECT app_or_knowledge.*,
+      COALESCE(workspace_user_resource_permission.permission_list,'{}')::varchar[] as permission_list,
+      COALESCE(workspace_user_resource_permission.auth_type,'ROLE') as auth_type
+FROM (SELECT "id",
+             "name",
+             'KNOWLEDGE' AS "auth_target_type",
+             user_id,
+             workspace_id,
+             "type"::varchar    AS "icon",
+             folder_id
+      FROM knowledge
+      ${query_set}
+   ) app_or_knowledge
+         LEFT JOIN (SELECT *
+                    FROM workspace_user_resource_permission
+                     ${workspace_user_resource_permission_query_set}) workspace_user_resource_permission
+                   ON workspace_user_resource_permission.target = app_or_knowledge."id";

apps/system_manage/sql/get_knowledge_user_resource_permission.sql

@@ -0,0 +1,17 @@
+SELECT app_or_knowledge.*,
+      COALESCE(workspace_user_resource_permission.permission_list,'{}')::varchar[] as permission_list,
+      COALESCE(workspace_user_resource_permission.auth_type,'ROLE') as auth_type
+FROM (SELECT "id",
+             "name",
+             'MODEL' AS "auth_target_type",
+             user_id,
+             workspace_id,
+             provider as icon,
+             'default' as folder_id
+      FROM model
+      ${query_set}
+   ) app_or_knowledge
+         LEFT JOIN (SELECT *
+                    FROM workspace_user_resource_permission
+                     ${workspace_user_resource_permission_query_set}) workspace_user_resource_permission
+                   ON workspace_user_resource_permission.target = app_or_knowledge."id";

apps/system_manage/sql/get_model_user_resource_permission.sql

@@ -0,0 +1,17 @@
+SELECT app_or_knowledge.*,
+      COALESCE(workspace_user_resource_permission.permission_list,'{}')::varchar[] as permission_list,
+      COALESCE(workspace_user_resource_permission.auth_type,'ROLE') as auth_type
+FROM (SELECT "id",
+             "name",
+             'TOOL' AS "auth_target_type",
+             user_id,
+             workspace_id,
+             icon,
+             folder_id
+      FROM tool
+      ${query_set}
+   ) app_or_knowledge
+         LEFT JOIN (SELECT *
+                    FROM workspace_user_resource_permission
+                     ${workspace_user_resource_permission_query_set}) workspace_user_resource_permission
+                   ON workspace_user_resource_permission.target = app_or_knowledge."id";

apps/system_manage/sql/get_tool_user_resource_permission.sql

@@ -5,7 +5,7 @@
 app_name = "system_manage"
 # @formatter:off
 urlpatterns = [
-    path('workspace/<str:workspace_id>/user_resource_permission/user/<str:user_id>', views.WorkSpaceUserResourcePermissionView.as_view()),
+    path('workspace/<str:workspace_id>/user_resource_permission/user/<str:user_id>/resource/<str:resource>', views.WorkSpaceUserResourcePermissionView.as_view()),
     path('email_setting', views.SystemSetting.Email.as_view()),
     path('profile', views.SystemProfile.as_view()),
     path('valid/<str:valid_type>/<int:valid_count>', views.Valid.as_view())

apps/system_manage/urls.py

@@ -15,7 +15,7 @@
 from common import result
 from common.auth import TokenAuth
 from common.auth.authentication import has_permissions
-from common.constants.permission_constants import PermissionConstants, RoleConstants
+from common.constants.permission_constants import PermissionConstants, RoleConstants, Permission, Group, Operate
 from common.log.log import log
 from common.result import DefaultResultSerializer
 from system_manage.api.user_resource_permission import UserResourcePermissionAPI, EditUserResourcePermissionAPI
@@ -43,11 +43,13 @@ class WorkSpaceUserResourcePermissionView(APIView):
         responses=UserResourcePermissionAPI.get_response(),
         tags=[_('Resources authorization')]  # type: ignore
     )
-    @has_permissions(PermissionConstants.WORKSPACE_USER_RESOURCE_PERMISSION_READ.get_workspace_permission(),
-                     RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
-    def get(self, request: Request, workspace_id: str, user_id: str):
+    @has_permissions(
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_WORKSPACE_USER_RESOURCE_PERMISSION'),
+                                     operate=Operate.READ),
+        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+    def get(self, request: Request, workspace_id: str, user_id: str, resource: str):
         return result.success(UserResourcePermissionSerializer(
-            data={'workspace_id': workspace_id, 'user_id': user_id}
+            data={'workspace_id': workspace_id, 'user_id': user_id, 'auth_target_type': resource}
         ).list(request.user))
 
     @extend_schema(
@@ -62,9 +64,11 @@ def get(self, request: Request, workspace_id: str, user_id: str):
     @log(menu='System', operate='Modify the resource authorization list',
          get_operation_object=lambda r, k: get_user_operation_object(k.get('user_id'))
          )
-    @has_permissions(PermissionConstants.WORKSPACE_USER_RESOURCE_PERMISSION_EDIT.get_workspace_permission(),
-                     RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
-    def put(self, request: Request, workspace_id: str, user_id: str):
+    @has_permissions(
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_WORKSPACE_USER_RESOURCE_PERMISSION'),
+                                     operate=Operate.EDIT),
+        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
+    def put(self, request: Request, workspace_id: str, user_id: str, resource: str):
         return result.success(UserResourcePermissionSerializer(
-            data={'workspace_id': workspace_id, 'user_id': user_id}
+            data={'workspace_id': workspace_id, 'user_id': user_id, 'auth_target_type': resource}
         ).edit(request.data, request.user))