feat: Resource authorization permission

2025-08-18 14:22:28 +08:00 · 2025-08-18 14:22:28 +08:00 · 2714a941f9
commit 2714a941f9
parent f1c7f0f3af
6 changed files with 66 additions and 6 deletions
--- a/apps/common/constants/permission_constants.py
+++ b/apps/common/constants/permission_constants.py
@ -170,6 +170,7 @@ class Operate(Enum):
    TO_CHAT = "READ+TO_CHAT"  # 去对话
    SETTING = "READ+SETTING"  # 管理
    DOWNLOAD = "READ+DOWNLOAD"  # 下载
+    AUTH = "READ+AUTH"


 class RoleGroup(Enum):
@ -335,6 +336,7 @@ Permission_Label = {
    Operate.DD.value: _('Dingding'),
    Operate.WEIXIN_PUBLIC_ACCOUNT.value: _('Weixin Public Account'),
    Operate.ADD_KNOWLEDGE.value: _('Add to Knowledge Base'),
+    Operate.AUTH.value:_('resource authorization'),
    Group.APPLICATION_OVERVIEW.value: _('Overview'),
    Group.APPLICATION_ACCESS.value: _('Application Access'),
    Group.APPLICATION_CHAT_USER.value: _('Dialogue users'),
@ -481,6 +483,11 @@ class PermissionConstants(Enum):
        parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL],
        resource_permission_group_list=[ResourcePermissionConst.MODEL_MANGE]
    )
+    MODEL_RESOURCE_AUTHORIZATION = Permission(
+        group=Group.MODEL, operate=Operate.AUTH, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        parent_group=[WorkspaceGroup.MODEL, UserGroup.MODEL],
+        resource_permission_group_list=[ResourcePermissionConst.MODEL_MANGE]
+    )
    TOOL_READ = Permission(
        group=Group.TOOL, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
        parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL],
@ -520,6 +527,11 @@ class PermissionConstants(Enum):
        parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL],
        resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE]
    )
+    TOOL_RESOURCE_AUTHORIZATION = Permission(
+        group=Group.TOOL, operate=Operate.AUTH, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL],
+        resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE]
+    )
    KNOWLEDGE_READ = Permission(
        group=Group.KNOWLEDGE, operate=Operate.READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
        resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_VIEW],
@ -560,6 +572,11 @@ class PermissionConstants(Enum):
        resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE],
        parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE]
    )
+    KNOWLEDGE_RESOURCE_AUTHORIZATION = Permission(
+        group=Group.KNOWLEDGE, operate=Operate.AUTH, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        resource_permission_group_list=[ResourcePermissionConst.KNOWLEDGE_MANGE],
+        parent_group=[WorkspaceGroup.KNOWLEDGE, UserGroup.KNOWLEDGE]
+    )
    KNOWLEDGE_DOCUMENT_READ = Permission(
        group=Group.KNOWLEDGE_DOCUMENT, operate=Operate.READ,
        role_list=[RoleConstants.ADMIN, RoleConstants.USER],
@ -819,7 +836,11 @@ class PermissionConstants(Enum):
                                  parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION],
                                  resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE],
                                  )
-
+    APPLICATION_RESOURCE_AUTHORIZATION = Permission(group=Group.APPLICATION, operate=Operate.AUTH,
+                                  role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+                                  parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION],
+                                  resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE],
+                                  )
    APPLICATION_OVERVIEW_READ = Permission(group=Group.APPLICATION_OVERVIEW, operate=Operate.READ,
                                           role_list=[RoleConstants.ADMIN, RoleConstants.USER],
                                           parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION],
--- a/apps/locales/en_US/LC_MESSAGES/django.po
+++ b/apps/locales/en_US/LC_MESSAGES/django.po
@ -8658,3 +8658,6 @@ msgstr ""

 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
 msgstr ""
+
+msgid "Resource authorization"
+msgstr ""
--- a/apps/locales/zh_CN/LC_MESSAGES/django.po
+++ b/apps/locales/zh_CN/LC_MESSAGES/django.po
@ -8784,3 +8784,6 @@ msgstr "如果未传递，默认值为 这段音频在说什么，只回答音

 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
 msgstr "Qwen-Omni 系列模型支持输入多种模态的数据，包括视频、音频、图片、文本，并输出音频与文本"
+
+msgid "Resource authorization"
+msgstr "资源授权"
--- a/apps/locales/zh_Hant/LC_MESSAGES/django.po
+++ b/apps/locales/zh_Hant/LC_MESSAGES/django.po
@ -8784,3 +8784,6 @@ msgstr "如果未傳遞，預設值為這段音訊在說什麼，只回答音訊

 msgid "The Qwen Omni series model supports inputting multiple modalities of data, including video, audio, images, and text, and outputting audio and text."
 msgstr "Qwen-Omni系列模型支持輸入多種模態的數據，包括視頻、音訊、圖片、文字，並輸出音訊與文字"
+
+msgid "Resource authorization"
+msgstr "資源授權"
--- a/apps/system_manage/views/user_resource_permission.py
+++ b/apps/system_manage/views/user_resource_permission.py
@ -89,6 +89,10 @@ class WorkSpaceUserResourcePermissionView(APIView):
            responses=UserResourcePermissionPageAPI.get_response(),
            tags=[_('Resources authorization')]  # type: ignore
        )
+        @has_permissions(
+            lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_WORKSPACE_USER_RESOURCE_PERMISSION'),
+                                         operate=Operate.READ),
+            RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
        def get(self, request: Request, workspace_id: str, user_id: str, resource: str, current_page: str,
                page_size: str):
            return result.success(UserResourcePermissionSerializer(
@ -109,6 +113,10 @@ class WorkspaceResourceUserPermissionView(APIView):
        responses=ResourceUserPermissionAPI.get_response(),
        tags=[_('Resources authorization')]  # type: ignore
    )
+    @has_permissions(
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
+                                     operate=Operate.AUTH),
+        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
    def get(self, request: Request, workspace_id: str, target: str, resource: str):
        return result.success(ResourceUserPermissionSerializer(
            data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource,
@ -127,6 +135,13 @@ class WorkspaceResourceUserPermissionView(APIView):
        responses=ResourceUserPermissionEditAPI.get_response(),
        tags=[_('Resources authorization')]  # type: ignore
    )
+    @log(menu='System', operate='Edit user authorization status of resource',
+         get_operation_object=lambda r, k: get_user_operation_object(k.get('user_id'))
+         )
+    @has_permissions(
+        lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
+                                     operate=Operate.AUTH),
+        RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
    def put(self, request: Request, workspace_id: str, target: str, resource: str):
        return result.success(ResourceUserPermissionSerializer(
            data={'workspace_id': workspace_id, "target": target, 'auth_target_type': resource, })
@ -144,6 +159,10 @@ class WorkspaceResourceUserPermissionView(APIView):
            responses=ResourceUserPermissionPageAPI.get_response(),
            tags=[_('Resources authorization')]  # type: ignore
        )
+        @has_permissions(
+            lambda r, kwargs: Permission(group=Group(kwargs.get('resource') + '_RESOURCE_AUTHORIZATION'),
+                                         operate=Operate.AUTH),
+            RoleConstants.ADMIN, RoleConstants.WORKSPACE_MANAGE.get_workspace_role())
        def get(self, request: Request, workspace_id: str, target: str, resource: str, current_page: int,
                page_size: int):
            return result.success(ResourceUserPermissionSerializer(
--- a/ui/src/views/system/resource-authorization/constant.ts
+++ b/ui/src/views/system/resource-authorization/constant.ts
@ -1,7 +1,11 @@
 import { AuthorizationEnum } from '@/enums/system'
 import { t } from '@/locales'
+import { hasPermission } from '@/utils/permission'
+import { EditionConst } from '@/utils/permission/data'

-export const permissionOptions = [
+const notCommunity = hasPermission([EditionConst.IS_EE,EditionConst.IS_PE],'OR')
+
+const permissionOptions = [
  {
    label: t('views.system.resourceAuthorization.setting.notAuthorized'),
    value: AuthorizationEnum.NOT_AUTH,
@ -17,9 +21,16 @@ export const permissionOptions = [
    value: AuthorizationEnum.MANAGE,
    desc: t('views.system.resourceAuthorization.setting.managementDesc'),
  },
-  {
+]
+
+if (notCommunity) {
+  permissionOptions.push(
+    {
    label: t('views.system.resourceAuthorization.setting.role'),
    value: AuthorizationEnum.ROLE,
    desc: t('views.system.resourceAuthorization.setting.roleDesc'),
  },
-]
+  )
+}
+
+export {permissionOptions}