chore: skip old auth check when rbac enabled

fatelei 2026-05-11 15:12:49 +08:00
parent d90825fd8a
commit a409a0c3a1
No known key found for this signature in database
GPG Key ID: 2F91DA05646F4EED
2 changed files with 64 additions and 9 deletions


@ -11,6 +11,8 @@ from sqlalchemy import DateTime, String, func, select
from sqlalchemy.orm import Mapped, Session, mapped_column
from typing_extensions import deprecated
from configs import dify_config
from .base import TypeBase
from .engine import db
from .types import EnumText, LongText, StringUUID
@ -187,10 +189,14 @@ class Account(UserMixin, TypeBase):
# check current_user.current_tenant.current_role in ['admin', 'owner']
@property
def is_admin_or_owner(self):
if dify_config.RBAC_ENABLED:
return True
return TenantAccountRole.is_privileged_role(self.role)
@property
def is_admin(self):
if dify_config.RBAC_ENABLED:
return True
return TenantAccountRole.is_admin_role(self.role)
@property
@ -216,14 +222,20 @@ class Account(UserMixin, TypeBase):
- `ADMIN`
- `EDITOR`
"""
if dify_config.RBAC_ENABLED:
return True
return TenantAccountRole.is_editing_role(self.role)
@property
def is_dataset_editor(self):
if dify_config.RBAC_ENABLED:
return True
return TenantAccountRole.is_dataset_edit_role(self.role)
@property
def is_dataset_operator(self):
if dify_config.RBAC_ENABLED:
return True
return self.role == TenantAccountRole.DATASET_OPERATOR
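Review bot: With `RBAC_ENABLED` set, all five properties (`is_admin_or_owner`, `is_admin`, `has_edit_permission`, `is_dataset_editor`, `is_dataset_operator`) return `True` for every account regardless of `self.role`, so any caller that still uses one of them as its only gate fails open. The RBAC check that replaces them is not visible in this diff, so each call site should be confirmed as covered before the flag is turned on. `is_dataset_operator` needs a separate look: if any caller uses it to restrict an account rather than to grant access, returning `True` inverts the intent. Each early return should carry a comment such as `# RBAC enabled: legacy role gate skipped; authorization is enforced by the RBAC layer, not by this property`, and the comment above `is_admin_or_owner` is now stale for the RBAC case. The `Account` class body starts and ends outside these hunks.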


@ -13,6 +13,7 @@ import base64
import secrets
from datetime import UTC, datetime
from uuid import uuid4
from unittest.mock import patch
import pytest
@ -347,7 +348,15 @@ class TestAccountRolePermissions:
account.role = TenantAccountRole.ADMIN
# Act & Assert
assert account.is_admin_or_owner
with patch("models.account.dify_config.RBAC_ENABLED", False):
assert account.is_admin_or_owner
def test_is_admin_or_owner_with_rbac_enabled(self):
account = Account(name="Test User", email="test@example.com")
account.role = TenantAccountRole.NORMAL
with patch("models.account.dify_config.RBAC_ENABLED", True):
assert account.is_admin_or_owner
def test_is_admin_or_owner_with_owner_role(self):
"""Test is_admin_or_owner property with owner role."""
@ -383,8 +392,16 @@ class TestAccountRolePermissions:
owner_account.role = TenantAccountRole.OWNER
# Act & Assert
assert admin_account.is_admin
assert not owner_account.is_admin
with patch("models.account.dify_config.RBAC_ENABLED", False):
assert admin_account.is_admin
assert not owner_account.is_admin
def test_is_admin_with_rbac_enabled(self):
account = Account(name="Test User", email="test@example.com")
account.role = TenantAccountRole.NORMAL
with patch("models.account.dify_config.RBAC_ENABLED", True):
assert account.is_admin
def test_has_edit_permission_with_editing_roles(self):
"""Test has_edit_permission property with roles that have edit permission."""
@ -400,7 +417,15 @@ class TestAccountRolePermissions:
account.role = role
# Act & Assert
assert account.has_edit_permission, f"Role {role} should have edit permission"
with patch("models.account.dify_config.RBAC_ENABLED", False):
assert account.has_edit_permission, f"Role {role} should have edit permission"
def test_has_edit_permission_with_rbac_enabled(self):
account = Account(name="Test User", email="test@example.com")
account.role = TenantAccountRole.NORMAL
with patch("models.account.dify_config.RBAC_ENABLED", True):
assert account.has_edit_permission
def test_has_edit_permission_without_editing_roles(self):
"""Test has_edit_permission property with roles that don't have edit permission."""
@ -415,7 +440,8 @@ class TestAccountRolePermissions:
account.role = role
# Act & Assert
assert not account.has_edit_permission, f"Role {role} should not have edit permission"
with patch("models.account.dify_config.RBAC_ENABLED", False):
assert not account.has_edit_permission, f"Role {role} should not have edit permission"
def test_is_dataset_editor_property(self):
"""Test is_dataset_editor property."""
@ -432,12 +458,21 @@ class TestAccountRolePermissions:
account.role = role
# Act & Assert
assert account.is_dataset_editor, f"Role {role} should have dataset edit permission"
with patch("models.account.dify_config.RBAC_ENABLED", False):
assert account.is_dataset_editor, f"Role {role} should have dataset edit permission"
# Test normal role doesn't have dataset edit permission
normal_account = Account(name="Normal User", email="normal@example.com")
normal_account.role = TenantAccountRole.NORMAL
assert not normal_account.is_dataset_editor
with patch("models.account.dify_config.RBAC_ENABLED", False):
assert not normal_account.is_dataset_editor
def test_is_dataset_editor_with_rbac_enabled(self):
account = Account(name="Test User", email="test@example.com")
account.role = TenantAccountRole.NORMAL
with patch("models.account.dify_config.RBAC_ENABLED", True):
assert account.is_dataset_editor
def test_is_dataset_operator_property(self):
"""Test is_dataset_operator property."""
@ -449,8 +484,16 @@ class TestAccountRolePermissions:
normal_account.role = TenantAccountRole.NORMAL
# Act & Assert
assert dataset_operator.is_dataset_operator
assert not normal_account.is_dataset_operator
with patch("models.account.dify_config.RBAC_ENABLED", False):
assert dataset_operator.is_dataset_operator
assert not normal_account.is_dataset_operator
def test_is_dataset_operator_with_rbac_enabled(self):
account = Account(name="Test User", email="test@example.com")
account.role = TenantAccountRole.NORMAL
with patch("models.account.dify_config.RBAC_ENABLED", True):
assert account.is_dataset_operator
def test_current_role_property(self):
"""Test current_role property."""
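Review bot: The new `test_*_with_rbac_enabled` cases have no docstrings, unlike the neighbouring tests, and they pin that a `TenantAccountRole.NORMAL` account reports as admin, owner, editor and dataset operator. A docstring such as `"""With RBAC enabled the legacy role property is bypassed and always returns True; access control is verified at the RBAC layer."""` would make clear that this is intentional and is not an authorization guarantee. No test visible here checks that a NORMAL account is actually denied when RBAC is on; presumably that lives with the RBAC enforcement tests, which is worth confirming. `test_current_role_property` continues outside the last hunk.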