fix: add legacy snippet permissions (#37718)

2026-06-23 20:41:17 +08:00 · 2026-06-22 13:37:21 +08:00 · 2026-06-22 13:37:21 +08:00 · 7b3508e376
commit 7b3508e376
parent 6a5ddc751c
2 changed files with 37 additions and 0 deletions
--- a/api/services/enterprise/rbac_service.py
+++ b/api/services/enterprise/rbac_service.py
@ -321,6 +321,8 @@ _LEGACY_WORKSPACE_OWNER_KEYS: list[str] = [
    "dataset.external.connect",
    "tool.manage",
    "mcp.manage",
+    "snippets.create_and_modify",
+    "snippets.management",
 ]

 _LEGACY_WORKSPACE_ADMIN_KEYS: list[str] = [
@ -343,6 +345,8 @@ _LEGACY_WORKSPACE_ADMIN_KEYS: list[str] = [
    "dataset.external.connect",
    "tool.manage",
    "mcp.manage",
+    "snippets.create_and_modify",
+    "snippets.management",
 ]

 _LEGACY_WORKSPACE_EDITOR_KEYS: list[str] = [
@ -357,6 +361,7 @@ _LEGACY_WORKSPACE_EDITOR_KEYS: list[str] = [
    "dataset.tag.manage",
    "dataset.external.connect",
    "tool.manage",
+    "snippets.create_and_modify",
 ]

 _LEGACY_WORKSPACE_NORMAL_KEYS: list[str] = [
--- a/api/tests/unit_tests/services/enterprise/test_rbac_service.py
+++ b/api/tests/unit_tests/services/enterprise/test_rbac_service.py
@ -621,6 +621,38 @@ class TestMyPermissions:
        assert out.app.overrides == []
        assert out.dataset.overrides == []

+    @pytest.mark.parametrize(
+        ("role", "expected_snippet_keys"),
+        [
+            ("owner", {"snippets.create_and_modify", "snippets.management"}),
+            ("admin", {"snippets.create_and_modify", "snippets.management"}),
+            ("editor", {"snippets.create_and_modify"}),
+            ("normal", set()),
+            ("dataset_operator", set()),
+        ],
+    )
+    def test_get_uses_legacy_snippet_permissions_when_rbac_disabled(
+        self,
+        mock_send: MagicMock,
+        role: str,
+        expected_snippet_keys: set[str],
+    ):
+        mock_session = MagicMock()
+        mock_session.__enter__.return_value = mock_session
+        mock_session.scalar.return_value = role
+        with (
+            patch(f"{MODULE}.dify_config.RBAC_ENABLED", False),
+            patch(f"{MODULE}.session_factory.create_session", return_value=mock_session),
+        ):
+            out = svc.RBACService.MyPermissions.get("tenant-1", "acct-1")
+
+        actual_snippet_keys = {
+            permission_key for permission_key in out.workspace.permission_keys if permission_key.startswith("snippets.")
+        }
+
+        mock_send.assert_not_called()
+        assert actual_snippet_keys == expected_snippet_keys
+
    def test_get_returns_empty_when_role_missing_and_rbac_disabled(self, mock_send: MagicMock):
        mock_session = MagicMock()
        mock_session.__enter__.return_value = mock_session