Merged
32 changes: 32 additions & 0 deletions apps/common/constants/permission_constants.py
Expand Up @@ -39,9 +39,12 @@ class Group(Enum):
SYSTEM_RES_KNOWLEDGE = "SYSTEM_RESOURCE_KNOWLEDGE"
KNOWLEDGE_HIT_TEST = "KNOWLEDGE_HIT_TEST"
KNOWLEDGE_DOCUMENT = "KNOWLEDGE_DOCUMENT"
KNOWLEDGE_WORKFLOW = "KNOWLEDGE_WORKFLOW"
KNOWLEDGE_TAG = "KNOWLEDGE_TAG"
SYSTEM_KNOWLEDGE_DOCUMENT = "SYSTEM_KNOWLEDGE_DOCUMENT"
SYSTEM_KNOWLEDGE_WORKFLOW = "SYSTEM_KNOWLEDGE_WORKFLOW"
SYSTEM_RES_KNOWLEDGE_DOCUMENT = "SYSTEM_RESOURCE_KNOWLEDGE_DOCUMENT"
SYSTEM_RES_KNOWLEDGE_WORKFLOW = "SYSTEM_RESOURCE_KNOWLEDGE_WORKFLOW"
SYSTEM_RES_KNOWLEDGE_TAG = "SYSTEM_RES_KNOWLEDGE_TAG"
SYSTEM_KNOWLEDGE_TAG = "SYSTEM_KNOWLEDGE_TAG"

Expand Down Expand Up @@ -328,6 +331,7 @@ def get_workspace_role(self):
Group.APPLICATION.value: _("Application"),
Group.KNOWLEDGE.value: _("Knowledge"),
Group.KNOWLEDGE_DOCUMENT.value: _("Document"),
Group.KNOWLEDGE_WORKFLOW.value: _("Workflow"),
Group.KNOWLEDGE_TAG.value: _("Tag"),
Group.KNOWLEDGE_PROBLEM.value: _("Problem"),
Group.KNOWLEDGE_HIT_TEST.value: _("Hit-Test"),
Expand Down Expand Up @@ -375,6 +379,7 @@ def get_workspace_role(self):
Group.SYSTEM_MODEL.value: _("Model"),
Group.SYSTEM_KNOWLEDGE.value: _("Knowledge"),
Group.SYSTEM_KNOWLEDGE_DOCUMENT.value: _("Document"),
Group.SYSTEM_KNOWLEDGE_WORKFLOW.value: _("Workflow"),
Group.SYSTEM_KNOWLEDGE_TAG.value: _("Tag"),
Group.SYSTEM_KNOWLEDGE_PROBLEM.value: _("Problem"),
Group.SYSTEM_KNOWLEDGE_HIT_TEST.value: _("Hit-Test"),
Expand All @@ -383,6 +388,7 @@ def get_workspace_role(self):
Group.SYSTEM_RES_MODEL.value: _("Model"),
Group.SYSTEM_RES_KNOWLEDGE.value: _("Knowledge"),
Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT.value: _("Document"),
Group.SYSTEM_RES_KNOWLEDGE_WORKFLOW.value: _("Workflow"),
Group.SYSTEM_RES_KNOWLEDGE_TAG.value: _("Tag"),
Group.SYSTEM_RES_KNOWLEDGE_PROBLEM.value: _("Problem"),
Group.SYSTEM_RES_KNOWLEDGE_HIT_TEST.value: _("Hit-Test"),
Expand Down Expand Up @@ -616,6 +622,16 @@ class PermissionConstants(Enum):
resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE],
parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE]
)
KNOWLEDGE_WORKFLOW_READ = Permission(
group=Group.KNOWLEDGE_WORKFLOW, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW],
parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE]
)
KNOWLEDGE_WORKFLOW_EDIT = Permission(
group=Group.KNOWLEDGE_WORKFLOW, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE],
parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE]
)
KNOWLEDGE_DOCUMENT_READ = Permission(
group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.READ,
role_list=[RoleConstants.ADMIN, RoleConstants.USER],
Expand Down Expand Up @@ -1209,6 +1225,14 @@ class PermissionConstants(Enum):
group=Group.SYSTEM_KNOWLEDGE, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.SHARED_KNOWLEDGE], is_ee=settings.edition == "EE"
)
SHARED_KNOWLEDGE_WORKFLOW_READ = Permission(
group=Group.SYSTEM_KNOWLEDGE_WORKFLOW, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.SHARED_KNOWLEDGE], is_ee=settings.edition == "EE"
)
SHARED_KNOWLEDGE_WORKFLOW_EDIT = Permission(
group=Group.SYSTEM_KNOWLEDGE_WORKFLOW, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.SHARED_KNOWLEDGE], is_ee=settings.edition == "EE"
)
SHARED_KNOWLEDGE_DOCUMENT_READ = Permission(
group=Group.SYSTEM_KNOWLEDGE_DOCUMENT, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.SHARED_KNOWLEDGE], is_ee=settings.edition == "EE"
Expand Down Expand Up @@ -1437,6 +1461,14 @@ class PermissionConstants(Enum):
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE], is_ee=settings.edition == "EE"
)
# 文档
RESOURCE_KNOWLEDGE_WORKFLOW_READ = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_WORKFLOW, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE], is_ee=settings.edition == "EE"
)
RESOURCE_KNOWLEDGE_WORKFLOW_EDIT = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_WORKFLOW, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE], is_ee=settings.edition == "EE"
)
RESOURCE_KNOWLEDGE_DOCUMENT_READ = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE], is_ee=settings.edition == "EE"
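Review bot: RESOURCE_KNOWLEDGE_WORKFLOW_EDIT is declared with operate=Operate.READ, the same group and operate as RESOURCE_KNOWLEDGE_WORKFLOW_READ directly above it, so the resource-management scope gets no distinct edit permission for workflows. KNOWLEDGE_WORKFLOW_EDIT and SHARED_KNOWLEDGE_WORKFLOW_EDIT in this file both use Operate.EDIT, and ui/src/utils/permission/data.ts declares 'SYSTEM_RESOURCE_KNOWLEDGE_WORKFLOW:READ+EDIT' for this constant; change the entry to operate=Operate.EDIT. Separately, the two new entries sit beneath the existing `# 文档` ("Document") comment, which now labels workflow permissions; move them above that comment or give them their own.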
Contributor Author

There are no apparent issues with the provided code snippet. It seems to be correctly defining enumerations and permission constants based on different groups and their associated operations, roles, and resource permissions. A few notes:

  1. The new KNOWLEDGE_WORKFLOW group is added along with its respective permissions (READ, EDIT) for both workspace and system-level access.

  2. Similar additional entries have been created for workflow-related permissions in system-level knowledge resources and user/shared workspaces.

  3. There might be redundancy in the list of resource_permission_group_list since some names like "KNOWLEDGE_MANGE" and "KNOWLEDGE_VIEW" are repeated, but this doesn't affect the functionality unless those specific values need customization.

Overall, the structure looks clean and follows good naming conventions. If there's any further modification needed beyond these entries, please specify!

78 changes: 76 additions & 2 deletions ui/src/router/modules/document.ts
Expand Up @@ -112,11 +112,85 @@ const DocumentRouter = {
permission: [
() => {
const to: any = get_next_route()
if (to.params.type === '4') {
if (to.params.folderId == 'shared') {
return RoleConst.ADMIN
} else if (to.params.folderId == 'resource-management') {
} else {
return new ComplexPermission(
[RoleConst.USER],
[
PermissionConst.KNOWLEDGE.getKnowledgeWorkspaceResourcePermission(
to ? to.params.id : '',
),
],
[],
'AND',
)
}
},
],
() => {
const to: any = get_next_route()
if (to.params.folderId == 'shared') {
return RoleConst.ADMIN
} else if (to.params.folderId == 'resource-management') {
} else {
return RoleConst.WORKSPACE_MANAGE.getWorkspaceRole()
}
},
() => {
const to: any = get_next_route()
if (to.params.folderId == 'shared') {
return PermissionConst.SHARED_KNOWLEDGE_WORKFLOW_READ
} else if (to.params.folderId == 'resource-management') {
} else {
return PermissionConst.KNOWLEDGE_WORKFLOW_READ.getKnowledgeWorkspaceResourcePermission(
to ? to.params.id : '',
)
}
},
() => {
const to: any = get_next_route()
if (to.params.folderId == 'shared') {
return RoleConst.ADMIN
} else if (to.params.folderId == 'resource-management') {
} else {
return PermissionConst.KNOWLEDGE_WORKFLOW_READ.getWorkspacePermissionWorkspaceManageRole()
}
},
() => {
const to: any = get_next_route()
if (to.params.folderId == 'share') {
return new ComplexPermission(
[RoleConst.EXTENDS_USER.getWorkspaceRole()],
[PermissionConst.KNOWLEDGE_WORKFLOW_READ.getWorkspacePermission()],
[],
'AND',
)
}
},
() => {
const to: any = get_next_route()
if (to.params.folderId == 'share') {
return RoleConst.USER.getWorkspaceRole()
}
},
() => {
const to: any = get_next_route()
if (to.params.folderId == 'resource-management') {
return RoleConst.ADMIN
}
},
() => {
const to: any = get_next_route()
if (to.params.folderId == 'resource-management') {
return PermissionConst.RESOURCE_KNOWLEDGE_WORKFLOW_READ
}
},
].map(p => () => {
const to: any = get_next_route()
if (to.params.type !== '4') {return false}
return p()
}),
},
redirect: (menu: any) => {
const from = 'workspace'
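Review bot: The folder checks in this hunk use two different literals: the first four functions compare to.params.folderId with 'shared', while the two that return the EXTENDS_USER ComplexPermission and RoleConst.USER.getWorkspaceRole() compare it with 'share'. Unless both are real route values, one set of branches can never match; confirm which spelling the router emits and use it throughout, preferably from a single constant. The empty `else if (to.params.folderId == 'resource-management') {}` branches exist only to fall through to undefined and would read more clearly as an explicit return. The `.map` wrapper makes every entry return false when to.params.type !== '4', so check that the permission evaluator treats an all-false list as intended for the other knowledge types. These entries only gate client-side navigation, and this diff shows no server-side use of the new workflow permissions, so the workflow API views need the matching checks.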
Contributor Author

Some potential issues with the provided React component code:

  1. The permission array is unnecessarily complex and verbose.
  2. There are duplicated checks and permissions in different parts of the array.
  3. Some route parameters are incorrectly written (folderId should be type, extensionId seems misplaced).

Optimization suggestions:

  1. Combine similar conditions and roles into fewer function calls and simpler logic.
  2. Simplify repeated permission calculations.
  3. Correct inconsistencies such as "shared" vs. 'shared'.

Here's an optimized version:

const DocumentRouter = {
  permission: [
    (to) => {
      if (to.params.type === '4') {
        if (to.params.folderId === 'workspace-management') {
          return new ComplexPermission([RoleConst.ADMIN], [], [], 'AND');
        } else {
          return RoleConst.WORKSPACE_MANAGE.getWorkspaceRole();
        }
      }
      // Handle other types or folderIds appropriately
    },
    (to) => {
      if (to.params.type === '4') {
        return PermissionConst.KNOWLEDGE_WORKFLOW_READ.getKnowledgeWorkspaceResourcePermission(to.params.id);
      }
<|fim_suffix|>n to.params.type.includes('document') && !to.params.extensionId;
};

DocumentRouter.redirect = ({ type }) => {
  if (!['admin', 'editor'].includes(type)) return '/login';
};

These improvements enhance readability, reduce redundancy, and handle various scenarios more efficiently.

10 changes: 10 additions & 0 deletions ui/src/utils/permission/data.ts
Expand Up @@ -109,6 +109,9 @@ const PermissionConst = {
KNOWLEDGE_EXPORT: new Permission('KNOWLEDGE:READ+EXPORT'),
KNOWLEDGE_DELETE: new Permission('KNOWLEDGE:READ+DELETE'),
KNOWLEDGE_GENERATE: new Permission('KNOWLEDGE:READ+GENERATE'),

KNOWLEDGE_WORKFLOW_READ: new Permission('KNOWLEDGE_WORKFLOW:READ'),
KNOWLEDGE_WORKFLOW_EDIT: new Permission('KNOWLEDGE_WORKFLOW:READ+EDIT'),

KNOWLEDGE_DOCUMENT_READ: new Permission('KNOWLEDGE_DOCUMENT:READ'),
KNOWLEDGE_DOCUMENT_CREATE: new Permission('KNOWLEDGE_DOCUMENT:READ+CREATE'),
Expand Down Expand Up @@ -190,6 +193,9 @@ const PermissionConst = {
SHARED_KNOWLEDGE_EXPORT: new Permission('SYSTEM_KNOWLEDGE:READ+EXPORT'),
SHARED_KNOWLEDGE_GENERATE: new Permission('SYSTEM_KNOWLEDGE:READ+GENERATE'),
SHARED_KNOWLEDGE_DELETE: new Permission('SYSTEM_KNOWLEDGE:READ+DELETE'),

SHARED_KNOWLEDGE_WORKFLOW_READ: new Permission('SYSTEM_KNOWLEDGE_WORKFLOW:READ'),
SHARED_KNOWLEDGE_WORKFLOW_EDIT: new Permission('SYSTEM_KNOWLEDGE_WORKFLOW:READ+EDIT'),

SHARED_KNOWLEDGE_DOCUMENT_READ: new Permission('SYSTEM_KNOWLEDGE_DOCUMENT:READ'),
SHARED_KNOWLEDGE_DOCUMENT_CREATE: new Permission('SYSTEM_KNOWLEDGE_DOCUMENT:READ+CREATE'),
Expand Down Expand Up @@ -243,6 +249,9 @@ const PermissionConst = {
RESOURCE_KNOWLEDGE_EXPORT: new Permission('SYSTEM_RESOURCE_KNOWLEDGE:READ+EXPORT'),
RESOURCE_KNOWLEDGE_DELETE: new Permission('SYSTEM_RESOURCE_KNOWLEDGE:READ+DELETE'),
RESOURCE_KNOWLEDGE_GENERATE: new Permission('SYSTEM_RESOURCE_KNOWLEDGE:READ+GENERATE'),

RESOURCE_KNOWLEDGE_WORKFLOW_READ: new Permission('SYSTEM_RESOURCE_KNOWLEDGE_WORKFLOW:READ'),
RESOURCE_KNOWLEDGE_WORKFLOW_EDIT: new Permission('SYSTEM_RESOURCE_KNOWLEDGE_WORKFLOW:READ+EDIT'),

RESOURCE_KNOWLEDGE_DOCUMENT_READ: new Permission('SYSTEM_RESOURCE_KNOWLEDGE_DOCUMENT:READ'),
RESOURCE_KNOWLEDGE_DOCUMENT_CREATE: new Permission('SYSTEM_RESOURCE_KNOWLEDGE_DOCUMENT:READ+CREATE'),
Expand Down Expand Up @@ -377,3 +386,4 @@ const EditionConst = {
IS_CE: new Edition('X-PACK-CE'),
}
export {PermissionConst, RoleConst, EditionConst}

Contributor Author

The current code appears to be adding two new permissions for knowledge workflow access: KNOWLEDGE_WORKFLOW_READ and KNOWLEDGE_WORKFLOW_EDIT. These additions could potentially improve the functionality of systems that work with advanced workflows related to knowledge management.

Here are a few points:

  1. Functionality Enhancement: Adding these permissions would allow users with these capabilities to view or edit knowledge workflows, which can be useful in scenarios such as managing processes or approvals associated with knowledge items.

  2. Clarity and Organization: Organizing permissions into separate groups like KNOWLEDGE_, SHARED_KNOWLEDGE_, and RESOURCE_KNOWLEDGE_ helps in clearly delineating areas where permission sets differ based on data scope (knowledge, shared knowledge, resources).

  3. Future Proofing: If more complex permission requirements emerge for workflow-related actions, having these distinct sections makes it easier to scale and maintain the system's permission structure.

Overall, the addition of these permissions aligns with best practices for implementing robust access control mechanisms tailored to specific functionalities within an application.
