perf: logs, auth root as super admin, etc (#2615)

* chore: usePagination hook type

* feat: chat log show outlinkuid or tmb avatar and name

* fix: ts error for pagination

* feat: auth root
Finley Ge
2024-09-09 10:05:18 +08:00
committed by GitHub
parent 91ec895fd2
commit a1ae08f62b
19 changed files with 127 additions and 66 deletions


@@ -38,11 +38,13 @@ export const authPluginByTmbId = async ({
export const authAppByTmbId = async ({
tmbId,
appId,
per
per,
isRoot
}: {
tmbId: string;
appId: string;
per: PermissionValueType;
isRoot?: boolean;
}): Promise<{
app: AppDetailType;
}> => {
@@ -55,6 +57,14 @@ export const authAppByTmbId = async ({
return Promise.reject(AppErrEnum.unExist);
}
if (isRoot) {
return {
...app,
defaultPermission: app.defaultPermission,
permission: new AppPermission({ isOwner: true })
};
}
if (String(app.teamId) !== teamId) {
return Promise.reject(AppErrEnum.unAuthApp);
}
@@ -136,7 +146,8 @@ export const authApp = async ({
const { app } = await authAppByTmbId({
tmbId,
appId,
per
per,
isRoot: result.isRoot
});
return {
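Review bot: The new `if (isRoot)` branch in `authAppByTmbId` returns owner permission before the `String(app.teamId) !== teamId` comparison and never consults `per`, so a root caller reaches any team's app and the only gate is the boolean handed in by the caller. Since `isRoot` is an optional argument on an exported helper, I would document that it must come only from `parseHeaderCert` (as `authApp` does with `result.isRoot`), e.g. `// isRoot: cross-team bypass; pass only the value returned by parseHeaderCert`, and record root access to another team's app in the audit log. `defaultPermission: app.defaultPermission` repeats what `...app` already copies and can be dropped. The function body starts and ends outside these hunks, so how `teamId` is resolved for a root-key request is not visible here.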


@@ -78,13 +78,18 @@ export const delResourcePermission = ({
/* 下面代码等迁移 */
/* create token */
export function createJWT(user: { _id?: string; team?: { teamId?: string; tmbId: string } }) {
export function createJWT(user: {
_id?: string;
team?: { teamId?: string; tmbId: string };
isRoot?: boolean;
}) {
const key = process.env.TOKEN_KEY as string;
const token = jwt.sign(
{
userId: String(user._id),
teamId: String(user.team?.teamId),
tmbId: String(user.team?.tmbId),
isRoot: user.isRoot,
exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24 * 7
},
key
@@ -98,6 +103,7 @@ export function authJWT(token: string) {
userId: string;
teamId: string;
tmbId: string;
isRoot: boolean;
}>((resolve, reject) => {
const key = process.env.TOKEN_KEY as string;
@@ -110,7 +116,8 @@ export function authJWT(token: string) {
resolve({
userId: decoded.userId,
teamId: decoded.teamId || '',
tmbId: decoded.tmbId
tmbId: decoded.tmbId,
isRoot: decoded.isRoot
});
});
});
@@ -183,7 +190,7 @@ export async function parseHeaderCert({
const { cookie, token, rootkey, authorization } = (req.headers || {}) as ReqHeaderAuthType;
const { uid, teamId, tmbId, appId, openApiKey, authType } = await (async () => {
const { uid, teamId, tmbId, appId, openApiKey, authType, isRoot } = await (async () => {
if (authApiKey && authorization) {
// apikey from authorization
const authResponse = await parseAuthorization(authorization);
@@ -205,7 +212,8 @@ export async function parseHeaderCert({
tmbId: res.tmbId,
appId: '',
openApiKey: '',
authType: AuthUserTypeEnum.token
authType: AuthUserTypeEnum.token,
isRoot: res.isRoot
};
}
if (authRoot && rootkey) {
@@ -217,7 +225,8 @@ export async function parseHeaderCert({
tmbId: '',
appId: '',
openApiKey: '',
authType: AuthUserTypeEnum.root
authType: AuthUserTypeEnum.root,
isRoot: true
};
}
@@ -234,7 +243,8 @@ export async function parseHeaderCert({
tmbId: String(tmbId),
appId,
authType,
apikey: openApiKey
apikey: openApiKey,
isRoot: !!isRoot
};
}
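Review bot: `authJWT` now resolves `isRoot: decoded.isRoot` as a `boolean`, but tokens signed before this change carry no such claim, so the value is `undefined` at runtime; `isRoot: decoded.isRoot === true` keeps the declared type honest and fails closed on anything that is not literally `true`. Because `createJWT` bakes the flag into a token that lives seven days (`exp` is `+ 60 * 60 * 24 * 7`), removing a user's root status has no effect on tokens already issued, and every downstream `isRoot` check in this commit trusts the claim. Consider re-reading root status from the user record when the claim is set, or giving root tokens a shorter lifetime. Where `user.isRoot` is populated is outside this diff view.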


@@ -24,11 +24,13 @@ import { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
export const authDatasetByTmbId = async ({
tmbId,
datasetId,
per
per,
isRoot = false
}: {
tmbId: string;
datasetId: string;
per: PermissionValueType;
isRoot?: boolean;
}): Promise<{
dataset: DatasetSchemaType & {
permission: DatasetPermission;
@@ -44,6 +46,15 @@ export const authDatasetByTmbId = async ({
return Promise.reject(DatasetErrEnum.unExist);
}
if (isRoot) {
return {
...dataset,
permission: new DatasetPermission({
isOwner: true
})
};
}
if (String(dataset.teamId) !== teamId) {
return Promise.reject(DatasetErrEnum.unAuthDataset);
}
@@ -131,7 +142,8 @@ export const authDataset = async ({
const { dataset } = await authDatasetByTmbId({
tmbId,
datasetId,
per
per,
isRoot: result.isRoot
});
return {
@@ -144,15 +156,17 @@ export const authDataset = async ({
export async function authDatasetCollection({
collectionId,
per = NullPermission,
isRoot = false,
...props
}: AuthModeType & {
collectionId: string;
isRoot?: boolean;
}): Promise<
AuthResponseType<DatasetPermission> & {
collection: CollectionWithDatasetType;
}
> {
const { teamId, tmbId } = await parseHeaderCert(props);
const { teamId, tmbId, isRoot: isRootFromHeader } = await parseHeaderCert(props);
const collection = await getCollectionWithDataset(collectionId);
if (!collection) {
@@ -162,7 +176,8 @@ export async function authDatasetCollection({
const { dataset } = await authDatasetByTmbId({
tmbId,
datasetId: collection.datasetId._id,
per
per,
isRoot: isRootFromHeader || isRoot
});
return {
@@ -184,7 +199,7 @@ export async function authDatasetFile({
file: DatasetFileSchema;
}
> {
const { teamId, tmbId } = await parseHeaderCert(props);
const { teamId, tmbId, isRoot } = await parseHeaderCert(props);
const [file, collection] = await Promise.all([
getFileById({ bucketName: BucketNameEnum.dataset, fileId }),
@@ -206,7 +221,8 @@ export async function authDatasetFile({
const { permission } = await authDatasetCollection({
...props,
collectionId: collection._id,
per
per,
isRoot
});
return {
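Review bot: `authDatasetCollection` now takes `isRoot` as an argument and combines it with the certificate-derived value as `isRoot: isRootFromHeader || isRoot`, which lets any caller of this exported function assert root and skip the `dataset.teamId` check in `authDatasetByTmbId`. The only caller in this section, `authDatasetFile`, passes the value it got from `parseHeaderCert(props)` and also forwards `...props`, so `authDatasetCollection` appears to derive the same flag on its own. I would drop the parameter and pass `isRoot: isRootFromHeader` so the bypass can only originate from the parsed credentials. In `authDatasetByTmbId` the root branch also ignores `per`; a one-line comment stating that this is intended would help.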


@@ -4,6 +4,7 @@ import { getTmbInfoByTmbId } from '../../user/team/controller';
import { TeamErrEnum } from '@fastgpt/global/common/error/code/team';
import { AuthModeType, AuthResponseType } from '../type';
import { NullPermission } from '@fastgpt/global/support/permission/constant';
import { TeamPermission } from '@fastgpt/global/support/permission/user/controller';
/* auth user role */
export async function authUserPer(props: AuthModeType): Promise<
@@ -14,6 +15,15 @@ export async function authUserPer(props: AuthModeType): Promise<
const result = await parseHeaderCert(props);
const tmb = await getTmbInfoByTmbId({ tmbId: result.tmbId });
if (result.isRoot) {
return {
...result,
permission: new TeamPermission({
isOwner: true
}),
tmb
};
}
if (!tmb.permission.checkPer(props.per ?? NullPermission)) {
return Promise.reject(TeamErrEnum.unAuthTeam);
}
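Review bot: In `authUserPer` the `result.isRoot` branch sits after `getTmbInfoByTmbId({ tmbId: result.tmbId })`, while the root-key path of `parseHeaderCert` in this commit returns `tmbId: ''`; if the lookup rejects on an empty id, the root shortcut is never reached for root-key requests. That is worth confirming, since `getTmbInfoByTmbId` is not shown here. The branch also grants `TeamPermission({ isOwner: true })` without looking at `props.per`; a comment such as `// root: owner on any team, per is not evaluated` would make that explicit. The function continues past the end of this hunk.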