fix: permission (#3374)

* fix: permission * feat: create dataset per
2025-07-22 20:37:48 +00:00 · 2024-12-11 20:56:52 +08:00
parent 8a4715293e
commit c0135f5f21
4 changed files with 95 additions and 55 deletions
--- a/projects/app/src/pages/api/core/app/create.ts
+++ b/projects/app/src/pages/api/core/app/create.ts
@@ -35,12 +35,12 @@ async function handler(req: ApiRequestProps<CreateAppBody>) {
  }

  // 凭证校验
-  const { teamId, tmbId } = await authUserPer({ req, authToken: true, per: WritePermissionVal });
-  if (parentId) {
-    // if it is not a root app
-    // check the parent folder permission
-    await authApp({ req, appId: parentId, per: WritePermissionVal, authToken: true });
-  }
+  const [{ teamId, tmbId }] = await Promise.all([
+    authUserPer({ req, authToken: true, per: WritePermissionVal }),
+    ...(parentId
+      ? [authApp({ req, appId: parentId, per: WritePermissionVal, authToken: true })]
+      : [])
+  ]);

  // 上限校验
  await checkTeamAppLimit(teamId);
--- a/projects/app/src/pages/api/core/app/list.ts
+++ b/projects/app/src/pages/api/core/app/list.ts
@@ -25,6 +25,16 @@ export type ListAppBody = {
  searchKey?: string;
 };

+/* 
+  获取 APP 列表权限
+  1. 校验 folder 权限和获取 team 权限（owner 单独处理）
+  2. 获取 team 下所有 app 权限。获取我的所有组。并计算出我所有的app权限。
+  3. 过滤我有的权限的 app，以及当前 parentId 的 app（由于权限继承问题，这里没法一次性根据 id 去获取）
+  4. 根据过滤条件获取 app 列表
+  5. 遍历搜索出来的 app，并赋予权限（继承的 app，使用 parent 的权限）
+  6. 再根据 read 权限进行一次过滤。
+*/
+
 async function handler(req: ApiRequestProps<ListAppBody>): Promise<AppListItemType[]> {
  const { parentId, type, getRecentlyChat, searchKey } = req.body;

@@ -75,6 +85,24 @@ async function handler(req: ApiRequestProps<ListAppBody>): Promise<AppListItemTy
  );

  const findAppsQuery = (() => {
+    if (getRecentlyChat) {
+      return {
+        // get all chat app
+        teamId,
+        type: { $in: [AppTypeEnum.workflow, AppTypeEnum.simple, AppTypeEnum.plugin] }
+      };
+    }
+
+    // Filter apps by permission, if not owner, only get apps that I have permission to access
+    const idList = { _id: { $in: myPerList.map((item) => item.resourceId) } };
+    const appPerQuery = teamPer.isOwner
+      ? {}
+      : parentId
+        ? {
+            $or: [idList, parseParentIdInMongo(parentId)]
+          }
+        : idList;
+
    const searchMatch = searchKey
      ? {
          $or: [
@@ -83,31 +111,17 @@ async function handler(req: ApiRequestProps<ListAppBody>): Promise<AppListItemTy
          ]
        }
      : {};
-    // Filter apps by permission, if not owner, only get apps that I have permission to access
-    const appIdQuery = teamPer.isOwner
-      ? {}
-      : { _id: { $in: myPerList.map((item) => item.resourceId) } };
-
-    if (getRecentlyChat) {
-      return {
-        // get all chat app
-        ...appIdQuery,
-        teamId,
-        type: { $in: [AppTypeEnum.workflow, AppTypeEnum.simple, AppTypeEnum.plugin] },
-        ...searchMatch
-      };
-    }

    if (searchKey) {
      return {
-        ...appIdQuery,
+        ...appPerQuery,
        teamId,
        ...searchMatch
      };
    }

    return {
-      ...appIdQuery,
+      ...appPerQuery,
      teamId,
      ...(type && (Array.isArray(type) ? { type: { $in: type } } : { type })),
      ...parseParentIdInMongo(parentId)
@@ -144,7 +158,9 @@ async function handler(req: ApiRequestProps<ListAppBody>): Promise<AppListItemTy
          );

          // Count app collaborators
-          const clbCount = perList.filter((item) => String(item.resourceId) === appId).length;
+          const clbCount = perList.filter(
+            (item) => String(item.resourceId) === String(app._id)
+          ).length;

          return {
            Per: new AppPermission({
@@ -156,8 +172,8 @@ async function handler(req: ApiRequestProps<ListAppBody>): Promise<AppListItemTy
        };

        // Inherit app
-        if (app.inheritPermission && parentId && !AppFolderTypeList.includes(app.type)) {
-          return getPer(String(parentId));
+        if (app.inheritPermission && app.parentId && !AppFolderTypeList.includes(app.type)) {
+          return getPer(String(app.parentId));
        } else {
          return getPer(String(app._id));
        }
--- a/projects/app/src/pages/api/core/dataset/create.ts
+++ b/projects/app/src/pages/api/core/dataset/create.ts
@@ -9,6 +9,7 @@ import { NextAPI } from '@/service/middleware/entry';
 import { DatasetErrEnum } from '@fastgpt/global/common/error/code/dataset';
 import type { ApiRequestProps } from '@fastgpt/service/type/next';
 import { parseParentIdInMongo } from '@fastgpt/global/common/parentFolder/utils';
+import { authDataset } from '@fastgpt/service/support/permission/dataset/auth';

 export type DatasetCreateQuery = {};
 export type DatasetCreateBody = CreateDatasetParams;
@@ -29,12 +30,25 @@ async function handler(
  } = req.body;

  // auth
-  const { teamId, tmbId } = await authUserPer({
-    req,
-    authToken: true,
-    authApiKey: true,
-    per: WritePermissionVal
-  });
+  const [{ teamId, tmbId }] = await Promise.all([
+    authUserPer({
+      req,
+      authToken: true,
+      authApiKey: true,
+      per: WritePermissionVal
+    }),
+    ...(parentId
+      ? [
+          authDataset({
+            req,
+            datasetId: parentId,
+            authToken: true,
+            authApiKey: true,
+            per: WritePermissionVal
+          })
+        ]
+      : [])
+  ]);

  // check model valid
  const vectorModelStore = getVectorModel(vectorModel);
--- a/projects/app/src/pages/api/core/dataset/list.ts
+++ b/projects/app/src/pages/api/core/dataset/list.ts
@@ -74,6 +74,16 @@ async function handler(req: ApiRequestProps<GetDatasetListBody>) {
  );

  const findDatasetQuery = (() => {
+    // Filter apps by permission, if not owner, only get apps that I have permission to access
+    const idList = { _id: { $in: myPerList.map((item) => item.resourceId) } };
+    const datasetPerQuery = teamPer.isOwner
+      ? {}
+      : parentId
+        ? {
+            $or: [idList, parseParentIdInMongo(parentId)]
+          }
+        : idList;
+
    const searchMatch = searchKey
      ? {
          $or: [
@@ -82,21 +92,17 @@ async function handler(req: ApiRequestProps<GetDatasetListBody>) {
          ]
        }
      : {};
-    // Filter apps by permission, if not owner, only get apps that I have permission to access
-    const appIdQuery = teamPer.isOwner
-      ? {}
-      : { _id: { $in: myPerList.map((item) => item.resourceId) } };

    if (searchKey) {
      return {
-        ...appIdQuery,
+        ...datasetPerQuery,
        teamId,
        ...searchMatch
      };
    }

    return {
-      ...appIdQuery,
+      ...datasetPerQuery,
      teamId,
      ...(type ? (Array.isArray(type) ? { type: { $in: type } } : { type }) : {}),
      ...parseParentIdInMongo(parentId)
@@ -122,7 +128,9 @@ async function handler(req: ApiRequestProps<GetDatasetListBody>) {
              .map((item) => item.permission)
          );

-          const clbCount = perList.filter((item) => String(item.resourceId) === datasetId).length;
+          const clbCount = perList.filter(
+            (item) => String(item.resourceId) === String(dataset._id)
+          ).length;

          return {
            Per: new DatasetPermission({
@@ -133,8 +141,12 @@ async function handler(req: ApiRequestProps<GetDatasetListBody>) {
          };
        };
        // inherit
-        if (dataset.inheritPermission && parentId && dataset.type !== DatasetTypeEnum.folder) {
-          return getPer(String(parentId));
+        if (
+          dataset.inheritPermission &&
+          dataset.parentId &&
+          dataset.type !== DatasetTypeEnum.folder
+        ) {
+          return getPer(String(dataset.parentId));
        } else {
          return getPer(String(dataset._id));
        }
@@ -148,21 +160,19 @@ async function handler(req: ApiRequestProps<GetDatasetListBody>) {
    })
    .filter((app) => app.permission.hasReadPer);

-  const data = await Promise.all(
-    formatDatasets.map<DatasetListItemType>((item) => ({
-      _id: item._id,
-      avatar: item.avatar,
-      name: item.name,
-      intro: item.intro,
-      type: item.type,
-      permission: item.permission,
-      vectorModel: getVectorModel(item.vectorModel),
-      inheritPermission: item.inheritPermission,
-      tmbId: item.tmbId,
-      updateTime: item.updateTime,
-      private: item.privateDataset
-    }))
-  );
+  const data = formatDatasets.map<DatasetListItemType>((item) => ({
+    _id: item._id,
+    avatar: item.avatar,
+    name: item.name,
+    intro: item.intro,
+    type: item.type,
+    permission: item.permission,
+    vectorModel: getVectorModel(item.vectorModel),
+    inheritPermission: item.inheritPermission,
+    tmbId: item.tmbId,
+    updateTime: item.updateTime,
+    private: item.privateDataset
+  }));

  return data;
 }