From 475dafb8b7c06c15b8e956ef6a7ec9d7a13942e5 Mon Sep 17 00:00:00 2001
From: "yunlu.wen"
Date: Mon, 22 Jun 2026 11:19:20 +0800
Subject: [PATCH] fix missing decorator
---
 api/controllers/common/wraps.py | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
diff --git a/api/controllers/common/wraps.py b/api/controllers/common/wraps.py
index 7e39b4f37cd..57f108679dc 100644
--- a/api/controllers/common/wraps.py
+++ b/api/controllers/common/wraps.py
@@ -30,11 +30,39 @@ from extensions.ext_database import db
 from libs.login import current_account_with_tenant
 from models.dataset import Dataset
 from models.model import App
+from controllers.openapi.auth.data import AuthData
 from services.enterprise.rbac_service import RBACService
 __all__ = ["RBACPermission", "RBACResourceScope", "rbac_permission_required"]
+
+def openapi_rbac_permission_required[**P, R](
+ resource_type: RBACResourceScope,
+ scene: RBACPermission,
+ *,
+ resource_required: bool = True,
+) -> Callable[[Callable[P, R]], Callable[P, R]]:
+ """RBAC guard for OpenAPI endpoints that may be called by either an Account or an EndUser."""
+ inner = rbac_permission_required(resource_type, scene, resource_required=resource_required)
+
+ def decorator(view: Callable[P, R]) -> Callable[P, R]:
+ guarded = inner(view)
+
+ @wraps(view)
+ def decorated(*args: P.args, **kwargs: P.kwargs) -> R:
+ auth_data: AuthData | None = kwargs.get("auth_data")
+ if not auth_data:
+ raise Forbidden() # openapi auth pipeline is required
+ if auth_data.caller_kind == "end_user":
+ # end_user is handled by openapi scope control
+ return view(*args, **kwargs)
+ return guarded(*args, **kwargs)
+
+ return decorated
+
+ return decorator
+
 def rbac_permission_required[**P, R](
 resource_type: RBACResourceScope,
 scene: RBACPermission,
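Review bot: In `decorated`, the `end_user` branch returns `view(*args, **kwargs)` without any RBAC check, so those callers are protected only by whatever ran before this wrapper; nothing visible in the hunk verifies that the OpenAPI scope check was actually applied. The docstring should state that ordering requirement, e.g. `Must be applied inside the OpenAPI auth decorator that injects auth_data and enforces scopes; end_user callers skip RBAC here.` Because `auth_data` is taken from `kwargs` on trust, replacing `if not auth_data:` with `if not isinstance(auth_data, AuthData):` would make the fail-closed path stricter. The new decorator is also not added to `__all__`, which still lists only `rbac_permission_required` among the decorators. `rbac_permission_required` itself continues past the end of the hunk, so how it treats non-account callers that fall through to `guarded` cannot be checked from here.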