feat: filter dataset operator and add miss permission key (#37867)

Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
2026-06-24 21:11:16 +08:00 · 2026-06-24 17:56:28 +08:00 · 2026-06-24 17:56:28 +08:00 · d87764b0f8
commit d87764b0f8
parent d135dab241
4 changed files with 33 additions and 19 deletions
--- a/api/controllers/console/workspace/rbac.py
+++ b/api/controllers/console/workspace/rbac.py
@ -201,21 +201,23 @@ def _legacy_workspace_roles(
    This keeps the new `/rbac/roles` endpoint compatible with the original
    Dify role model when enterprise RBAC is disabled.
    """
-
-    legacy_roles = [
-        svc.RBACRole(
-            id=role_name,
-            tenant_id="",
-            type=svc.RBACRoleType.WORKSPACE.value,
-            category="global_system_default",
-            name=role_name,
-            description="",
-            is_builtin=True,
-            permission_keys=list(dict.fromkeys(_LEGACY_ROLE_PERMISSION_KEYS[role_name])),
-            role_tag="owner" if role_name == "owner" else "",
+    legacy_roles = []
+    for role_name in ("owner", "admin", "editor", "normal", "dataset_operator"):
+        if not dify_config.DATASET_OPERATOR_ENABLED and role_name == "dataset_operator":
+            continue
+        legacy_roles.append(
+            svc.RBACRole(
+                id=role_name,
+                tenant_id="",
+                type=svc.RBACRoleType.WORKSPACE.value,
+                category="global_system_default",
+                name=role_name,
+                description="",
+                is_builtin=True,
+                permission_keys=list(dict.fromkeys(_LEGACY_ROLE_PERMISSION_KEYS[role_name])),
+                role_tag="owner" if role_name == "owner" else "",
+            )
        )
-        for role_name in ("owner", "admin", "editor", "normal", "dataset_operator")
-    ]

    if not include_owner:
        legacy_roles = [r for r in legacy_roles if r.name != "owner"]
--- a/api/services/enterprise/rbac_service.py
+++ b/api/services/enterprise/rbac_service.py
@ -379,6 +379,9 @@ _LEGACY_WORKSPACE_EDITOR_KEYS: list[str] = [
    "snippets.create_and_modify",
    "tool.manage",
    "snippets.create_and_modify",
+    "billing.view",
+    "billing.subscription.manage",
+    "billing.manage",
 ]

 _LEGACY_WORKSPACE_NORMAL_KEYS: list[str] = [
@ -386,6 +389,9 @@ _LEGACY_WORKSPACE_NORMAL_KEYS: list[str] = [
    "plugin.install",
    "credential.use",
    "app_library.access",
+    "billing.view",
+    "billing.subscription.manage",
+    "billing.manage",
 ]

 _LEGACY_WORKSPACE_DATASET_OPERATOR_KEYS: list[str] = [
@ -834,6 +840,7 @@ class RBACService:
            options: ListOption | None = None,
        ) -> Paginated[RBACRole]:
            params = (options or ListOption()).to_params({"include_owner": include_owner})
+            params["dataset_operator_enabled"] = dify_config.DATASET_OPERATOR_ENABLED
            data = _inner_call(
                "GET",
                f"{_INNER_PREFIX}/roles",
--- a/api/tests/unit_tests/controllers/console/workspace/test_rbac.py
+++ b/api/tests/unit_tests/controllers/console/workspace/test_rbac.py
@ -201,10 +201,10 @@ class TestPaginationMapping:
            },
        ]
        assert response["pagination"] == {
-            "total_count": 5,
+            "total_count": 4,
            "per_page": 2,
            "current_page": 1,
-            "total_pages": 3,
+            "total_pages": 2,
        }
        mock_list.assert_not_called()

--- a/api/tests/unit_tests/services/enterprise/test_rbac_service.py
+++ b/api/tests/unit_tests/services/enterprise/test_rbac_service.py
@ -86,21 +86,26 @@ class TestRoles:
        call = _call_args(mock_send)
        assert call.method == "GET"
        assert call.endpoint == "/rbac/roles"
-        assert call.params == {"page_number": 2, "results_per_page": 50, "reverse": "true"}
+        assert call.params == {
+            "dataset_operator_enabled": False,
+            "page_number": 2,
+            "results_per_page": 50,
+            "reverse": "true",
+        }
        assert out.pagination
        assert out.pagination.total_count == 1

    def test_list_omits_params_when_default(self, mock_send: MagicMock):
        mock_send.return_value = {"data": [], "pagination": None}
        svc.RBACService.Roles.list("tenant-1")
-        assert _call_args(mock_send).params is None
+        assert _call_args(mock_send).params is not None

    def test_list_forwards_include_owner(self, mock_send: MagicMock):
        mock_send.return_value = {"data": [], "pagination": None}

        svc.RBACService.Roles.list("tenant-1", include_owner=1)

-        assert _call_args(mock_send).params == {"include_owner": 1}
+        assert _call_args(mock_send).params == {"dataset_operator_enabled": False, "include_owner": 1}

    def test_list_coerces_null_permission_keys(self, mock_send: MagicMock):
        mock_send.return_value = {