v4.6 -1 (#459)

packages/service/support/permission/auth/app.ts

@@ -0,0 +1,72 @@
+import { MongoApp } from '../../../core/app/schema';
+import { AppDetailType } from '@fastgpt/global/core/app/type.d';
+import { AuthModeType } from '../type';
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { parseHeaderCert } from '../controller';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+import { AppErrEnum } from '@fastgpt/global/common/error/code/app';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+
+// 模型使用权校验
+export async function authApp({
+  appId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  appId: string;
+}): Promise<
+  AuthResponseType & {
+    teamOwner: boolean;
+    app: AppDetailType;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { userId, teamId, tmbId } = result;
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { app, isOwner, canWrite } = await (async () => {
+    // get app
+    const app = (await MongoApp.findOne({ _id: appId, teamId }))?.toJSON();
+    if (!app) {
+      return Promise.reject(AppErrEnum.unAuthApp);
+    }
+
+    const isOwner =
+      role !== TeamMemberRoleEnum.visitor &&
+      (String(app.tmbId) === tmbId || role === TeamMemberRoleEnum.owner);
+    const canWrite =
+      isOwner ||
+      (app.permission === PermissionTypeEnum.public && role !== TeamMemberRoleEnum.visitor);
+
+    if (per === 'r') {
+      if (!isOwner && app.permission !== PermissionTypeEnum.public) {
+        return Promise.reject(AppErrEnum.unAuthApp);
+      }
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(AppErrEnum.unAuthApp);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(AppErrEnum.unAuthApp);
+    }
+
+    return {
+      app: {
+        ...app,
+        isOwner,
+        canWrite
+      },
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    ...result,
+    app,
+    isOwner,
+    canWrite,
+    teamOwner: role === TeamMemberRoleEnum.owner
+  };
+}

packages/service/support/permission/auth/chat.ts

@@ -0,0 +1,67 @@
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AuthModeType } from '../type';
+import type { ChatSchema, ChatWithAppSchema } from '@fastgpt/global/core/chat/type';
+import { parseHeaderCert } from '../controller';
+import { MongoChat } from '../../../core/chat/chatSchema';
+import { ChatErrEnum } from '@fastgpt/global/common/error/code/chat';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+
+export async function authChat({
+  chatId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  chatId: string;
+}): Promise<
+  AuthResponseType & {
+    chat: ChatSchema;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { chat, isOwner, canWrite } = await (async () => {
+    // get chat
+    const chat = (
+      await MongoChat.findOne({ chatId, teamId }).populate('appId')
+    )?.toJSON() as ChatWithAppSchema;
+
+    if (!chat) {
+      return Promise.reject('Chat is not exists');
+    }
+
+    const isOwner = role === TeamMemberRoleEnum.owner || String(chat.tmbId) === tmbId;
+    const canWrite = isOwner;
+
+    if (
+      per === 'r' &&
+      role !== TeamMemberRoleEnum.owner &&
+      chat.appId.permission !== PermissionTypeEnum.public
+    ) {
+      return Promise.reject(ChatErrEnum.unAuthChat);
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(ChatErrEnum.unAuthChat);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(ChatErrEnum.unAuthChat);
+    }
+
+    return {
+      chat,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    chat,
+    isOwner,
+    canWrite
+  };
+}

packages/service/support/permission/auth/common.ts

@@ -0,0 +1,12 @@
+import { parseHeaderCert } from '../controller';
+import { AuthModeType } from '../type';
+
+export const authCert = async (props: AuthModeType) => {
+  const result = await parseHeaderCert(props);
+
+  return {
+    ...result,
+    isOwner: true,
+    canWrite: true
+  };
+};

packages/service/support/permission/auth/dataset.ts

@@ -0,0 +1,181 @@
+import { AuthModeType } from '../type';
+import { parseHeaderCert } from '../controller';
+import { DatasetErrEnum } from '@fastgpt/global/common/error/code/dataset';
+import { MongoDataset } from '../../../core/dataset/schema';
+import { getCollectionWithDataset } from '../../../core/dataset/controller';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import {
+  CollectionWithDatasetType,
+  DatasetFileSchema,
+  DatasetSchemaType
+} from '@fastgpt/global/core/dataset/type';
+import { getFileById } from '../../../common/file/gridfs/controller';
+import { BucketNameEnum } from '@fastgpt/global/common/file/constants';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+
+export async function authDataset({
+  datasetId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  datasetId: string;
+}): Promise<
+  AuthResponseType & {
+    dataset: DatasetSchemaType;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { userId, teamId, tmbId } = result;
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { dataset, isOwner, canWrite } = await (async () => {
+    const dataset = (await MongoDataset.findOne({ _id: datasetId, teamId }))?.toJSON();
+
+    if (!dataset) {
+      return Promise.reject(DatasetErrEnum.unAuthDataset);
+    }
+
+    const isOwner =
+      role !== TeamMemberRoleEnum.visitor &&
+      (String(dataset.tmbId) === tmbId || role === TeamMemberRoleEnum.owner);
+    const canWrite =
+      isOwner ||
+      (role !== TeamMemberRoleEnum.visitor && dataset.permission === PermissionTypeEnum.public);
+    if (per === 'r') {
+      if (!isOwner && dataset.permission !== PermissionTypeEnum.public) {
+        return Promise.reject(DatasetErrEnum.unAuthDataset);
+      }
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(DatasetErrEnum.unAuthDataset);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(DatasetErrEnum.unAuthDataset);
+    }
+
+    return { dataset, isOwner, canWrite };
+  })();
+
+  return {
+    ...result,
+    dataset,
+    isOwner,
+    canWrite
+  };
+}
+
+/* 
+   Read: in team and dataset permission is public
+   Write: in team, not visitor and dataset permission is public
+*/
+export async function authDatasetCollection({
+  collectionId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  collectionId: string;
+}): Promise<
+  AuthResponseType & {
+    collection: CollectionWithDatasetType;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { collection, isOwner, canWrite } = await (async () => {
+    const collection = await getCollectionWithDataset(collectionId);
+
+    if (!collection || String(collection.teamId) !== teamId) {
+      return Promise.reject(DatasetErrEnum.unAuthDatasetCollection);
+    }
+
+    const isOwner =
+      String(collection.datasetId.tmbId) === tmbId || role === TeamMemberRoleEnum.owner;
+    const canWrite =
+      isOwner ||
+      (role !== TeamMemberRoleEnum.visitor &&
+        collection.datasetId.permission === PermissionTypeEnum.public);
+
+    if (per === 'r') {
+      if (!isOwner && collection.datasetId.permission !== PermissionTypeEnum.public) {
+        return Promise.reject(DatasetErrEnum.unAuthDatasetCollection);
+      }
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(DatasetErrEnum.unAuthDatasetCollection);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(DatasetErrEnum.unAuthDatasetCollection);
+    }
+
+    return {
+      collection,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    collection,
+    isOwner,
+    canWrite
+  };
+}
+
+export async function authDatasetFile({
+  fileId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  fileId: string;
+}): Promise<
+  AuthResponseType & {
+    file: DatasetFileSchema;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const file = await getFileById({ bucketName: BucketNameEnum.dataset, fileId });
+
+  if (file.metadata.teamId !== teamId) {
+    return Promise.reject(DatasetErrEnum.unAuthDatasetFile);
+  }
+
+  const { dataset } = await authDataset({
+    ...props,
+    datasetId: file.metadata.datasetId,
+    per
+  });
+  const isOwner =
+    role !== TeamMemberRoleEnum.visitor &&
+    (String(dataset.tmbId) === tmbId || role === TeamMemberRoleEnum.owner);
+
+  const canWrite =
+    isOwner ||
+    (role !== TeamMemberRoleEnum.visitor && dataset.permission === PermissionTypeEnum.public);
+
+  if (per === 'r' && !isOwner && dataset.permission !== PermissionTypeEnum.public) {
+    return Promise.reject(DatasetErrEnum.unAuthDatasetFile);
+  }
+  if (per === 'w' && !canWrite) {
+    return Promise.reject(DatasetErrEnum.unAuthDatasetFile);
+  }
+  if (per === 'owner' && !isOwner) {
+    return Promise.reject(DatasetErrEnum.unAuthDatasetFile);
+  }
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    file,
+    isOwner,
+    canWrite
+  };
+}

packages/service/support/permission/auth/openapi.ts

@@ -0,0 +1,61 @@
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AuthModeType } from '../type';
+import { OpenApiSchema } from '@fastgpt/global/support/openapi/type';
+import { parseHeaderCert } from '../controller';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+import { MongoOpenApi } from '../../openapi/schema';
+import { OpenApiErrEnum } from '@fastgpt/global/common/error/code/openapi';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+
+export async function authOpenApiKeyCrud({
+  id,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  id: string;
+}): Promise<
+  AuthResponseType & {
+    openapi: OpenApiSchema;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { tmbId, teamId } = result;
+
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { openapi, isOwner, canWrite } = await (async () => {
+    const openapi = await MongoOpenApi.findOne({ _id: id, teamId });
+
+    if (!openapi) {
+      throw new Error(OpenApiErrEnum.unExist);
+    }
+
+    const isOwner = String(openapi.tmbId) === tmbId || role === TeamMemberRoleEnum.owner;
+    const canWrite =
+      isOwner || (String(openapi.tmbId) === tmbId && role !== TeamMemberRoleEnum.visitor);
+
+    if (per === 'r' && !canWrite) {
+      return Promise.reject(OpenApiErrEnum.unAuth);
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(OpenApiErrEnum.unAuth);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(OpenApiErrEnum.unAuth);
+    }
+
+    return {
+      openapi,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    ...result,
+    openapi,
+    isOwner,
+    canWrite
+  };
+}

packages/service/support/permission/auth/outLink.ts

@@ -0,0 +1,98 @@
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { AuthModeType } from '../type';
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AppDetailType } from '@fastgpt/global/core/app/type';
+import { OutLinkSchema } from '@fastgpt/global/support/outLink/type';
+import { parseHeaderCert } from '../controller';
+import { MongoOutLink } from '../../outLink/schema';
+import { MongoApp } from '../../../core/app/schema';
+import { OutLinkErrEnum } from '@fastgpt/global/common/error/code/outLink';
+import { PermissionTypeEnum } from '@fastgpt/global/support/permission/constant';
+import { AppErrEnum } from '@fastgpt/global/common/error/code/app';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+
+/* crud outlink permission */
+export async function authOutLinkCrud({
+  outLinkId,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  outLinkId: string;
+}): Promise<
+  AuthResponseType & {
+    app: AppDetailType;
+    outLink: OutLinkSchema;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { tmbId, teamId } = result;
+
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { app, outLink, isOwner, canWrite } = await (async () => {
+    const outLink = await MongoOutLink.findOne({ _id: outLinkId, teamId });
+
+    if (!outLink) {
+      throw new Error(OutLinkErrEnum.unExist);
+    }
+
+    const app = await MongoApp.findById(outLink.appId);
+
+    if (!app) {
+      return Promise.reject(AppErrEnum.unExist);
+    }
+
+    const isOwner = String(outLink.tmbId) === tmbId || role === TeamMemberRoleEnum.owner;
+    const canWrite =
+      isOwner ||
+      (app.permission === PermissionTypeEnum.public && role !== TeamMemberRoleEnum.visitor);
+
+    if (per === 'r' && !isOwner && app.permission !== PermissionTypeEnum.public) {
+      return Promise.reject(OutLinkErrEnum.unAuthLink);
+    }
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(OutLinkErrEnum.unAuthLink);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(OutLinkErrEnum.unAuthLink);
+    }
+
+    return {
+      app: {
+        ...app,
+        isOwner: String(app.tmbId) === tmbId,
+        canWrite
+      },
+      outLink,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    ...result,
+    app,
+    outLink,
+    isOwner,
+    canWrite
+  };
+}
+
+export async function authOutLinkValid({ shareId }: { shareId?: string }) {
+  const shareChat = await MongoOutLink.findOne({ shareId });
+
+  if (!shareChat) {
+    return Promise.reject(OutLinkErrEnum.linkUnInvalid);
+  }
+
+  const app = await MongoApp.findById(shareChat.appId);
+
+  if (!app) {
+    return Promise.reject(AppErrEnum.unExist);
+  }
+
+  return {
+    app,
+    shareChat
+  };
+}

packages/service/support/permission/auth/plugin.ts

@@ -0,0 +1,56 @@
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AuthModeType } from '../type';
+import { parseHeaderCert } from '../controller';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { MongoPlugin } from '../../../core/plugin/schema';
+import { PluginErrEnum } from '@fastgpt/global/common/error/code/plugin';
+import { PluginItemSchema } from '@fastgpt/global/core/plugin/type';
+
+export async function authPluginCrud({
+  id,
+  per = 'owner',
+  ...props
+}: AuthModeType & {
+  id: string;
+}): Promise<
+  AuthResponseType & {
+    plugin: PluginItemSchema;
+  }
+> {
+  const result = await parseHeaderCert(props);
+  const { tmbId, teamId } = result;
+
+  const { role } = await getTeamInfoByTmbId({ tmbId });
+
+  const { plugin, isOwner, canWrite } = await (async () => {
+    const plugin = await MongoPlugin.findOne({ _id: id, teamId });
+
+    if (!plugin) {
+      throw new Error(PluginErrEnum.unExist);
+    }
+
+    const isOwner = String(plugin.tmbId) === tmbId || role === TeamMemberRoleEnum.owner;
+    const canWrite = isOwner;
+
+    if (per === 'w' && !canWrite) {
+      return Promise.reject(PluginErrEnum.unAuth);
+    }
+    if (per === 'owner' && !isOwner) {
+      return Promise.reject(PluginErrEnum.unAuth);
+    }
+
+    return {
+      plugin,
+      isOwner,
+      canWrite
+    };
+  })();
+
+  return {
+    ...result,
+    plugin,
+    isOwner,
+    canWrite
+  };
+}

packages/service/support/permission/auth/user.ts

@@ -0,0 +1,52 @@
+import { AuthResponseType } from '@fastgpt/global/support/permission/type';
+import { AuthModeType } from '../type';
+import { TeamItemType } from '@fastgpt/global/support/user/team/type';
+import { TeamMemberRoleEnum } from '@fastgpt/global/support/user/team/constant';
+import { parseHeaderCert } from '../controller';
+import { getTeamInfoByTmbId } from '../../user/team/controller';
+import { UserErrEnum } from '../../../../global/common/error/code/user';
+
+export async function authUserNotVisitor(props: AuthModeType): Promise<
+  AuthResponseType & {
+    team: TeamItemType;
+    role: `${TeamMemberRoleEnum}`;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const team = await getTeamInfoByTmbId({ tmbId });
+
+  if (team.role === TeamMemberRoleEnum.visitor) {
+    return Promise.reject(UserErrEnum.binVisitor);
+  }
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    team,
+    role: team.role,
+    isOwner: team.role === TeamMemberRoleEnum.owner, // teamOwner
+    canWrite: true
+  };
+}
+
+/* auth user role  */
+export async function authUserRole(props: AuthModeType): Promise<
+  AuthResponseType & {
+    role: `${TeamMemberRoleEnum}`;
+    teamOwner: boolean;
+  }
+> {
+  const { userId, teamId, tmbId } = await parseHeaderCert(props);
+  const { role: userRole, canWrite } = await getTeamInfoByTmbId({ tmbId });
+
+  return {
+    userId,
+    teamId,
+    tmbId,
+    isOwner: true,
+    role: userRole,
+    teamOwner: userRole === TeamMemberRoleEnum.owner,
+    canWrite
+  };
+}