From 1e5df79e052ce9cb9e255db1edc2a5ce9ebf79b5 Mon Sep 17 00:00:00 2001 From: GareArc Date: Wed, 28 May 2025 18:39:03 +0800 Subject: [PATCH] fix: remove permission check in web login api --- api/controllers/web/login.py | 4 ---- api/services/webapp_auth_service.py | 16 ---------------- 2 files changed, 20 deletions(-) diff --git a/api/controllers/web/login.py b/api/controllers/web/login.py index e853bde5d0..7494501e81 100644 --- a/api/controllers/web/login.py +++ b/api/controllers/web/login.py @@ -39,8 +39,6 @@ class LoginApi(Resource): except services.errors.account.AccountNotFoundError: raise AccountNotFound() - WebAppAuthService._validate_user_accessibility(account=account, app_code=app_code) - end_user = WebAppAuthService.create_end_user(email=args["email"], app_code=app_code) token = WebAppAuthService.login(account=account, app_code=app_code, end_user_id=end_user.id) @@ -110,8 +108,6 @@ class EmailCodeLoginApi(Resource): if not account: raise AccountNotFound() - WebAppAuthService._validate_user_accessibility(account=account, app_code=app_code) - end_user = WebAppAuthService.create_end_user(email=user_email, app_code=app_code) token = WebAppAuthService.login(account=account, app_code=app_code, end_user_id=end_user.id) diff --git a/api/services/webapp_auth_service.py b/api/services/webapp_auth_service.py index 87b791a333..a101688ab7 100644 --- a/api/services/webapp_auth_service.py +++ b/api/services/webapp_auth_service.py 
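Review bot: After this change both `LoginApi` and `EmailCodeLoginApi` go straight from the account lookup to `WebAppAuthService.login(...)`, so a token for `app_code` is issued with no check that the account may use that app; the commit removes the only such check visible in this patch. The removed `_validate_user_accessibility` raised `WebAppAuthAccessDeniedError` when `webapp_auth` was enabled, the app's access mode was not `public`, and the account was not allowed, and nothing here shows where that decision is enforced now. If enforcement has moved to a later step, say so in the commit message and leave a comment at both call sites, such as `# app-level access is enforced in <enforcement point>, not at login`. Otherwise keep the call before `create_end_user` in both handlers, preferably through a public method rather than the underscore-prefixed one. Both handler bodies continue outside their hunks, and the same point applies to the removal of the method itself in `api/services/webapp_auth_service.py`.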
@@ -5,16 +5,13 @@ from typing import Any, Optional, cast from werkzeug.exceptions import NotFound, Unauthorized from configs import dify_config -from controllers.web.error import WebAppAuthAccessDeniedError from extensions.ext_database import db from libs.helper import TokenManager from libs.passport import PassportService from libs.password import compare_password from models.account import Account, AccountStatus from models.model import App, EndUser, Site -from services.enterprise.enterprise_service import EnterpriseService from services.errors.account import AccountLoginError, AccountNotFoundError, AccountPasswordError -from services.feature_service import FeatureService from tasks.mail_email_code_login import send_email_code_login_mail_task @@ -107,19 +104,6 @@ class WebAppAuthService: return end_user - @classmethod - def _validate_user_accessibility(cls, account: Account, app_code: str): - """Check if the user is allowed to access the app.""" - system_features = FeatureService.get_system_features() - if system_features.webapp_auth.enabled: - app_settings = EnterpriseService.WebAppAuth.get_app_access_mode_by_code(app_code=app_code) - - if ( - app_settings.access_mode != "public" - and not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(account.id, app_code=app_code) - ): - raise WebAppAuthAccessDeniedError() - @classmethod def _get_account_jwt_token(cls, account: Account, site: Site, end_user_id: str) -> str: exp_dt = datetime.now(UTC) + timedelta(hours=dify_config.ACCESS_TOKEN_EXPIRE_MINUTES * 24)