fix: Automatic authorization for resource creation (#3464)

Author: shaohuzhang1

apps/application/serializers/application.py

@@ -40,7 +40,8 @@
 from maxkb.conf import PROJECT_DIR
 from models_provider.models import Model
 from models_provider.tools import get_model_instance_by_model_workspace_id
-from system_manage.models import WorkspaceUserResourcePermission
+from system_manage.models import WorkspaceUserResourcePermission, AuthTargetType
+from system_manage.serializers.user_resource_permission import UserResourcePermissionSerializer
 from tools.models import Tool, ToolScope
 from tools.serializers.tool import ToolModelSerializer
 from users.models import User
@@ -430,9 +431,15 @@ class ApplicationSerializer(serializers.Serializer):
     def insert(self, instance: Dict):
         application_type = instance.get('type')
         if 'WORK_FLOW' == application_type:
-            return self.insert_workflow(instance)
+            r = self.insert_workflow(instance)
         else:
-            return self.insert_simple(instance)
+            r = self.insert_simple(instance)
+        UserResourcePermissionSerializer(data={
+            'workspace_id': self.data.get('workspace_id'),
+            'user_id': self.data.get('user_id'),
+            'auth_target_type': AuthTargetType.APPLICATION.value
+        }).auth_resource(str(r.get('id')))
+        return r
 
     def insert_workflow(self, instance: Dict):
         self.is_valid(raise_exception=True)

apps/knowledge/serializers/knowledge.py

@@ -21,7 +21,7 @@
 from application.models import ApplicationKnowledgeMapping
 from common.config.embedding_config import VectorStore
 from common.constants.cache_version import Cache_Version
-from common.constants.permission_constants import ResourceAuthType, ResourcePermission
+from common.constants.permission_constants import ResourceAuthType, ResourcePermission, ResourcePermissionRole
 from common.database_model_manage.database_model_manage import DatabaseModelManage
 from common.db.search import native_search, get_dynamics_model, native_page_search
 from common.db.sql_execute import select_list
@@ -42,6 +42,7 @@
 from maxkb.conf import PROJECT_DIR
 from models_provider.models import Model
 from system_manage.models import WorkspaceUserResourcePermission, AuthTargetType
+from system_manage.serializers.user_resource_permission import UserResourcePermissionSerializer
 from users.serializers.user import is_workspace_manage
 
 
@@ -553,21 +554,12 @@ def save_base(self, instance, with_valid=True):
             QuerySet(ProblemParagraphMapping).bulk_create(
                 problem_paragraph_mapping_list
             ) if len(problem_paragraph_mapping_list) > 0 else None
-
-            # 自动授权给创建者
-            WorkspaceUserResourcePermission(
-                target=knowledge_id,
-                auth_target_type=AuthTargetType.KNOWLEDGE,
-                permission_list=[ResourcePermission.VIEW, ResourcePermission.MANAGE],
-                workspace_id=self.data.get('workspace_id'),
-                user_id=self.data.get('user_id'),
-                auth_type=ResourceAuthType.RESOURCE_PERMISSION_GROUP
-            ).save()
-            # 刷新缓存
-            version = Cache_Version.PERMISSION_LIST.get_version()
-            key = Cache_Version.PERMISSION_LIST.get_key(user_id=self.data.get('user_id'))
-            cache.delete(key, version=version)
-
+            # 自动资源给授权当前用户
+            UserResourcePermissionSerializer(data={
+                'workspace_id': self.data.get('workspace_id'),
+                'user_id': self.data.get('user_id'),
+                'auth_target_type': AuthTargetType.KNOWLEDGE.value
+            }).auth_resource(str(knowledge_id))
             return {
                 **KnowledgeModelSerializer(knowledge).data,
                 'user_id': self.data.get('user_id'),

apps/models_provider/serializers/model_serializer.py

@@ -26,6 +26,7 @@
 from models_provider.models import Model, Status
 from models_provider.tools import get_model_credential
 from system_manage.models import WorkspaceUserResourcePermission, AuthTargetType
+from system_manage.serializers.user_resource_permission import UserResourcePermissionSerializer
 from users.serializers.user import is_workspace_manage
 
 
@@ -326,19 +327,11 @@ def insert(self, workspace_id, with_valid=True):
             model = Model(**model_data)
             try:
                 model.save()
-                # 自动授权给创建者
-                WorkspaceUserResourcePermission(
-                    target=model.id,
-                    auth_target_type=AuthTargetType.MODEL,
-                    permission_list=[ResourcePermission.VIEW, ResourcePermission.MANAGE],
-                    workspace_id=workspace_id,
-                    user_id=self.data.get('user_id'),
-                    auth_type=ResourceAuthType.RESOURCE_PERMISSION_GROUP
-                ).save()
-                # 刷新缓存
-                version = Cache_Version.PERMISSION_LIST.get_version()
-                key = Cache_Version.PERMISSION_LIST.get_key(user_id=self.data.get('user_id'))
-                cache.delete(key, version=version)
+                UserResourcePermissionSerializer(data={
+                    'workspace_id': self.data.get('workspace_id'),
+                    'user_id': self.data.get('user_id'),
+                    'auth_target_type': AuthTargetType.MODEL.value
+                }).auth_resource(str(model.id))
             except Exception as save_error:
                 # 可添加日志记录
                 raise AppApiException(500, _("Model saving failed")) from save_error

apps/system_manage/serializers/user_resource_permission.py

@@ -29,6 +29,7 @@
 from models_provider.models import Model
 from system_manage.models import WorkspaceUserResourcePermission, AuthTargetType
 from tools.models import Tool
+from users.serializers.user import is_workspace_manage
 
 
 class PermissionSerializer(serializers.Serializer):
@@ -101,6 +102,33 @@ def get_queryset(self):
                 auth_target_type=self.data.get('auth_target_type'))
         }
 
+    def auth_resource(self, resource_id: str):
+        self.is_valid(raise_exception=True)
+        workspace_manage = is_workspace_manage(self.data.get('user_id'), self.data.get('workspace_id'))
+        if not workspace_manage:
+            auth_target_type = self.data.get('auth_target_type')
+            workspace_id = self.data.get('workspace_id')
+            user_id = self.data.get('user_id')
+            wurp = QuerySet(WorkspaceUserResourcePermission).filter(auth_target_type=auth_target_type,
+                                                                    workspace_id=workspace_id).first()
+            auth_type = wurp.auth_type if wurp else ResourceAuthType.RESOURCE_PERMISSION_GROUP
+            # 自动授权给创建者
+            WorkspaceUserResourcePermission(
+                target=resource_id,
+                auth_target_type=auth_target_type,
+                permission_list=[ResourcePermission.VIEW,
+                                 ResourcePermission.MANAGE] if auth_type == ResourceAuthType.RESOURCE_PERMISSION_GROUP else [
+                    ResourcePermissionRole.ROLE],
+                workspace_id=workspace_id,
+                user_id=user_id,
+                auth_type=auth_type
+            ).save()
+            # 刷新缓存
+            version = Cache_Version.PERMISSION_LIST.get_version()
+            key = Cache_Version.PERMISSION_LIST.get_key(user_id=user_id)
+            cache.delete(key, version=version)
+        return True
+
     def list(self, user, with_valid=True):
         if with_valid:
             self.is_valid(raise_exception=True)

apps/tools/serializers/tool.py

@@ -29,6 +29,7 @@
 from knowledge.models import File, FileSourceType
 from maxkb.const import CONFIG, PROJECT_DIR
 from system_manage.models import AuthTargetType, WorkspaceUserResourcePermission
+from system_manage.serializers.user_resource_permission import UserResourcePermissionSerializer
 from tools.models import Tool, ToolScope, ToolFolder, ToolType
 from tools.serializers.tool_folder import ToolFolderFlatSerializer
 from users.serializers.user import is_workspace_manage
@@ -219,20 +220,11 @@ def insert(self, instance, with_valid=True):
             ).save()
 
             # 自动授权给创建者
-            WorkspaceUserResourcePermission(
-                target=tool_id,
-                auth_target_type=AuthTargetType.TOOL,
-                permission_list=[ResourcePermission.VIEW, ResourcePermission.MANAGE],
-                workspace_id=self.data.get('workspace_id'),
-                user_id=self.data.get('user_id'),
-                auth_type=ResourceAuthType.RESOURCE_PERMISSION_GROUP
-            ).save()
-
-            # 刷新缓存
-            version = Cache_Version.PERMISSION_LIST.get_version()
-            key = Cache_Version.PERMISSION_LIST.get_key(user_id=self.data.get('user_id'))
-            cache.delete(key, version=version)
-
+            UserResourcePermissionSerializer(data={
+                'workspace_id': self.data.get('workspace_id'),
+                'user_id': self.data.get('user_id'),
+                'auth_target_type': AuthTargetType.TOOL.value
+            }).auth_resource(str(tool_id))
             return ToolSerializer.Operate(data={
                 'id': tool_id, 'workspace_id': self.data.get('workspace_id')
             }).one()

ui/src/views/application/component/CreateApplicationDialog.vue

@@ -82,16 +82,17 @@
   </el-dialog>
 </template>
 <script setup lang="ts">
-import {ref, watch, reactive} from 'vue'
-import {useRouter, useRoute} from 'vue-router'
-import type {ApplicationFormType} from '@/api/type/application'
-import type {FormInstance, FormRules} from 'element-plus'
+import { ref, watch, reactive } from 'vue'
+import { useRouter, useRoute } from 'vue-router'
+import type { ApplicationFormType } from '@/api/type/application'
+import type { FormInstance, FormRules } from 'element-plus'
 import applicationApi from '@/api/application/application'
-import {MsgSuccess, MsgAlert} from '@/utils/message'
-import {isWorkFlow} from '@/utils/application'
-import {baseNodes} from '@/workflow/common/data'
-import {t} from '@/locales'
-
+import { MsgSuccess, MsgAlert } from '@/utils/message'
+import { isWorkFlow } from '@/utils/application'
+import { baseNodes } from '@/workflow/common/data'
+import { t } from '@/locales'
+import useStore from '@/stores'
+const { user } = useStore()
 const router = useRouter()
 const emit = defineEmits(['refresh'])
 
@@ -227,17 +228,19 @@ const submitHandle = async (formEl: FormInstance | undefined) => {
       }
       console.log(applicationForm.value.type)
       applicationApi
-        .postApplication(
-          {...applicationForm.value, folder_id: currentFolder.value},
-          loading,
-        )
+        .postApplication({ ...applicationForm.value, folder_id: currentFolder.value }, loading)
+        .then((res) => {
+          return user.profile().then(() => {
+            return res
+          })
+        })
         .then((res) => {
           MsgSuccess(t('common.createSuccess'))
           emit('refresh')
           if (isWorkFlow(applicationForm.value.type)) {
-            router.push({path: `/application/${res.data.id}/workflow`})
+            router.push({ path: `/application/${res.data.id}/workflow` })
           } else {
-            router.push({path: `/application/${res.data.id}/${res.data.type}/setting`})
+            router.push({ path: `/application/${res.data.id}/${res.data.type}/setting` })
           }
           dialogVisible.value = false
         })
@@ -249,7 +252,7 @@ function selectedType(type: string) {
   appTemplate.value = type
 }
 
-defineExpose({open})
+defineExpose({ open })
 </script>
 <style lang="scss" scoped>
 .radio-card {