opensource/dify
2
0
Fork 0
mirror of https://github.com/langgenius/dify.git synced 2026-05-11 14:58:23 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: fix permission key format and fix role return format

Browse Source
This commit is contained in:
fatelei 2026-05-11 14:08:17 +08:00
parent 3dcea78e10
commit d90825fd8a
No known key found for this signature in database
GPG Key ID: 2F91DA05646F4EED
7 changed files with 54 additions and 94 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
api/controllers/console/workspace/members.py
View File

@ -73,11 +73,11 @@ register_enum_models(console_ns, TenantAccountRole)
register_schema_models(console_ns, AccountWithRole, AccountWithRoleList)
def _serialize_member_roles(current_role: str | None, member_role_ids: list[str]) -> list[str]:
if member_role_ids:
return member_role_ids
def _serialize_member_roles(current_role: str | None, member_roles: list[enterprise_rbac_service.MemberRoleSummary]) -> list[dict[str, str]]:
if member_roles:
return [{"id": role.id, "name": role.name} for role in member_roles]
if current_role:
return [current_role]
return [{"id": current_role, "name": current_role}]
return []
@ -106,7 +106,7 @@ class MemberListApi(Resource):
current_user.id,
member_ids,
)
roles_map = {item.account_id: [role.id for role in item.roles] for item in member_roles}
roles_map = {item.account_id: item.roles for item in member_roles}
else:
roles_map = {}

69
api/controllers/console/workspace/rbac.py
View File

@ -16,34 +16,24 @@ from services.enterprise import rbac_service as svc
_LEGACY_WORKSPACE_PERMISSION_KEYS: list[str] = [
"inviteMembers",
"removeMembers",
"assignRoles",
"workspaceSettings",
"manageBilling",
"transferOwnership",
# These keys are copied from the enterprise RBAC catalog examples in
# `dify-rbac.md` so the legacy workspace roles stay in the same key format
# as the enterprise RBAC surface.
"workspace.member.manage",
"workspace.role.manage",
]
_LEGACY_APP_PERMISSION_KEYS: list[str] = [
"createApps",
"editApps",
"useApps",
"app.acl.view_layout",
"app.acl.test_and_run",
"app.acl.edit",
"app.acl.access_config",
]
_LEGACY_DATASET_PERMISSION_KEYS: list[str] = [
"createDatasets",
"editDatasets",
"manageDatasets",
]
_LEGACY_ENTERPRISE_PERMISSION_KEYS: list[str] = [
"workspace.member.manage",
"workspace.settings.manage",
"workspace.billing.manage",
"workspace.owner.transfer",
"app.acl.edit",
"app.acl.test_and_run",
"dataset.acl.readonly",
"dataset.acl.edit",
"dataset.acl.use",
]
_LEGACY_ROLE_PERMISSION_KEYS: dict[str, list[str]] = {
@ -55,45 +45,22 @@ _LEGACY_ROLE_PERMISSION_KEYS: dict[str, list[str]] = {
*_LEGACY_WORKSPACE_PERMISSION_KEYS,
*_LEGACY_APP_PERMISSION_KEYS,
*_LEGACY_DATASET_PERMISSION_KEYS,
*_LEGACY_ENTERPRISE_PERMISSION_KEYS,
],
"admin": [
"inviteMembers",
"removeMembers",
"assignRoles",
"workspaceSettings",
"manageBilling",
"workspace.member.manage",
"workspace.settings.manage",
"workspace.billing.manage",
"app.acl.edit",
"app.acl.test_and_run",
"dataset.acl.edit",
"createApps",
"editApps",
"useApps",
"createDatasets",
"editDatasets",
"manageDatasets",
*_LEGACY_WORKSPACE_PERMISSION_KEYS,
*_LEGACY_APP_PERMISSION_KEYS,
*_LEGACY_DATASET_PERMISSION_KEYS,
],
"editor": [
"createApps",
"editApps",
"useApps",
"createDatasets",
"editDatasets",
"workspace.member.manage",
"app.acl.edit",
"app.acl.test_and_run",
"dataset.acl.edit",
*_LEGACY_APP_PERMISSION_KEYS,
*_LEGACY_DATASET_PERMISSION_KEYS,
],
"normal": [
"useApps",
"app.acl.view_layout",
"app.acl.test_and_run",
],
"dataset_operator": [
"manageDatasets",
"dataset.acl.edit",
*_LEGACY_DATASET_PERMISSION_KEYS,
],
}

2
api/fields/member_fields.py
View File

@ -70,7 +70,7 @@ class AccountWithRole(_AccountAvatar):
last_active_at: int | None = None
created_at: int | None = None
role: str
roles: list[str] = Field(default_factory=list)
roles: list[dict[str, str]] = Field(default_factory=list)
status: str
@field_validator("last_login_at", "last_active_at", "created_at", mode="before")

7
api/services/enterprise/rbac_service.py
View File

@ -74,6 +74,11 @@ class RBACRole(_RBACModel):
return value
class MemberRoleSummary(_RBACModel):
id: str
name: str
class AccessPolicy(_RBACModel):
id: str
tenant_id: str = ""
@ -146,7 +151,7 @@ class MemberBindingsResponse(_RBACModel):
class MemberRolesResponse(_RBACModel):
account_id: str
roles: list[RBACRole] = Field(default_factory=list)
roles: list[MemberRoleSummary] = Field(default_factory=list)
class MemberRolesBatchResponse(_RBACModel):

12
api/tests/unit_tests/controllers/console/workspace/test_members.py
View File

@ -60,7 +60,7 @@ class TestMemberListApi:
assert status == 200
assert len(result["accounts"]) == 1
assert result["accounts"][0]["role"] == "admin"
assert result["accounts"][0]["roles"] == ["admin"]
assert result["accounts"][0]["roles"] == [{"id": "admin", "name": "admin"}]
def test_get_with_rbac_enabled_fetches_roles_in_batch(self, app):
api = MemberListApi()
@ -81,7 +81,10 @@ class TestMemberListApi:
)
role_item = SimpleNamespace(
account_id="m1",
roles=[SimpleNamespace(id="workspace.owner"), SimpleNamespace(id="workspace.editor")],
roles=[
SimpleNamespace(id="workspace.owner", name="Owner"),
SimpleNamespace(id="workspace.editor", name="Editor"),
],
)
with (
@ -98,7 +101,10 @@ class TestMemberListApi:
assert status == 200
assert result["accounts"][0]["role"] == "editor"
assert result["accounts"][0]["roles"] == ["workspace.owner", "workspace.editor"]
assert result["accounts"][0]["roles"] == [
{"id": "workspace.owner", "name": "Owner"},
{"id": "workspace.editor", "name": "Editor"},
]
mock_batch_get.assert_called_once_with("tenant-1", "acct-1", ["m1"])
def test_get_no_tenant(self, app):

42
api/tests/unit_tests/controllers/console/workspace/test_rbac.py
View File

@ -137,25 +137,15 @@ class TestPaginationMapping:
"description": "",
"is_builtin": True,
"permission_keys": [
"inviteMembers",
"removeMembers",
"assignRoles",
"workspaceSettings",
"manageBilling",
"transferOwnership",
"createApps",
"editApps",
"useApps",
"createDatasets",
"editDatasets",
"manageDatasets",
"workspace.member.manage",
"workspace.settings.manage",
"workspace.billing.manage",
"workspace.owner.transfer",
"app.acl.edit",
"workspace.role.manage",
"app.acl.view_layout",
"app.acl.test_and_run",
"app.acl.edit",
"app.acl.access_config",
"dataset.acl.readonly",
"dataset.acl.edit",
"dataset.acl.use",
],
},
{
@ -167,23 +157,15 @@ class TestPaginationMapping:
"description": "",
"is_builtin": True,
"permission_keys": [
"inviteMembers",
"removeMembers",
"assignRoles",
"workspaceSettings",
"manageBilling",
"workspace.member.manage",
"workspace.settings.manage",
"workspace.billing.manage",
"app.acl.edit",
"workspace.role.manage",
"app.acl.view_layout",
"app.acl.test_and_run",
"app.acl.edit",
"app.acl.access_config",
"dataset.acl.readonly",
"dataset.acl.edit",
"createApps",
"editApps",
"useApps",
"createDatasets",
"editDatasets",
"manageDatasets",
"dataset.acl.use",
],
},
]

6
api/tests/unit_tests/services/enterprise/test_rbac_service.py
View File

@ -312,7 +312,7 @@ class TestMyPermissions:
def test_get_without_payload_uses_get(self, mock_send: MagicMock):
mock_send.return_value = {
"workspace": {"permission_keys": ["workspace.member.manage"]},
"app": {"default_permission_keys": ["app.acl.test_and_run"], "overrides": []},
"app": {"default_permission_keys": ["app.acl.view_layout", "app.acl.test_and_run"], "overrides": []},
"dataset": {"default_permission_keys": [], "overrides": []},
}
@ -378,8 +378,8 @@ class TestMemberRoles:
{
"account_id": "acct-2",
"roles": [
{"id": "role-1", "type": "workspace", "name": "Admin"},
{"id": "role-2", "type": "workspace", "name": "Editor"},
{"id": "role-1", "name": "Admin"},
{"id": "role-2", "name": "Editor"},
],
},
{