Austin/dify
1
0
Fork 0
mirror of https://github.com/langgenius/dify.git synced 2024-11-16 11:42:29 +08:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

extract enum type for tenant account role (#3788)

Browse Source
This commit is contained in:
Bowen Liang 2024-04-25 18:20:08 +08:00 committed by GitHub
parent cde87cb225
commit c54fcfb45d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
6 changed files with 36 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
api/controllers/console/workspace/members.py
View File

@ -9,7 +9,7 @@ from controllers.console.wraps import account_initialization_required, cloud_edi
from extensions.ext_database import db from extensions.ext_database import db
from fields.member_fields import account_with_role_list_fields from fields.member_fields import account_with_role_list_fields
from libs.login import login_required from libs.login import login_required
from models.account import Account from models.account import Account, TenantAccountRole
from services.account_service import RegisterService, TenantService from services.account_service import RegisterService, TenantService
from services.errors.account import AccountAlreadyInTenantError from services.errors.account import AccountAlreadyInTenantError
@ -43,7 +43,7 @@ class MemberInviteEmailApi(Resource):
invitee_emails = args['emails'] invitee_emails = args['emails']
invitee_role = args['role'] invitee_role = args['role']
interface_language = args['language'] interface_language = args['language']
if invitee_role not in ['admin', 'normal']: if invitee_role not in [TenantAccountRole.ADMIN, TenantAccountRole.NORMAL]:
return {'code': 'invalid-role', 'message': 'Invalid role'}, 400 return {'code': 'invalid-role', 'message': 'Invalid role'}, 400
inviter = current_user inviter = current_user

5
api/controllers/console/workspace/models.py
View File

@ -11,6 +11,7 @@ from core.model_runtime.entities.model_entities import ModelType
from core.model_runtime.errors.validate import CredentialsValidateFailedError from core.model_runtime.errors.validate import CredentialsValidateFailedError
from core.model_runtime.utils.encoders import jsonable_encoder from core.model_runtime.utils.encoders import jsonable_encoder
from libs.login import login_required from libs.login import login_required
from models.account import TenantAccountRole
from services.model_provider_service import ModelProviderService from services.model_provider_service import ModelProviderService
@ -94,7 +95,7 @@ class ModelProviderModelApi(Resource):
@login_required @login_required
@account_initialization_required @account_initialization_required
def post(self, provider: str): def post(self, provider: str):
if current_user.current_tenant.current_role not in ['admin', 'owner']: if not TenantAccountRole.is_privileged_role(current_user.current_tenant.current_role):
raise Forbidden() raise Forbidden()
tenant_id = current_user.current_tenant_id tenant_id = current_user.current_tenant_id
@ -125,7 +126,7 @@ class ModelProviderModelApi(Resource):
@login_required @login_required
@account_initialization_required @account_initialization_required
def delete(self, provider: str): def delete(self, provider: str):
if current_user.current_tenant.current_role not in ['admin', 'owner']: if not TenantAccountRole.is_privileged_role(current_user.current_tenant.current_role):
raise Forbidden() raise Forbidden()
tenant_id = current_user.current_tenant_id tenant_id = current_user.current_tenant_id

13
api/models/account.py
View File

@ -100,10 +100,11 @@ class Account(UserMixin, db.Model):
return db.session.query(ai).filter( return db.session.query(ai).filter(
ai.account_id == self.id ai.account_id == self.id
).all() ).all()
# check current_user.current_tenant.current_role in ['admin', 'owner'] # check current_user.current_tenant.current_role in ['admin', 'owner']
@property @property
def is_admin_or_owner(self): def is_admin_or_owner(self):
return self._current_tenant.current_role in ['admin', 'owner'] return TenantAccountRole.is_privileged_role(self._current_tenant.current_role)
class TenantStatus(str, enum.Enum): class TenantStatus(str, enum.Enum):
@ -111,6 +112,16 @@ class TenantStatus(str, enum.Enum):
ARCHIVE = 'archive' ARCHIVE = 'archive'
class TenantAccountRole(str, enum.Enum):
OWNER = 'owner'
ADMIN = 'admin'
NORMAL = 'normal'
@staticmethod
def is_privileged_role(role: str) -> bool:
return role and role in {TenantAccountRole.ADMIN, TenantAccountRole.OWNER}
class Tenant(db.Model): class Tenant(db.Model):
__tablename__ = 'tenants' __tablename__ = 'tenants'
__table_args__ = ( __table_args__ = (

6
api/services/account_service.py
View File

@ -344,9 +344,9 @@ class TenantService:
def check_member_permission(tenant: Tenant, operator: Account, member: Account, action: str) -> None: def check_member_permission(tenant: Tenant, operator: Account, member: Account, action: str) -> None:
"""Check member permission""" """Check member permission"""
perms = { perms = {
'add': ['owner', 'admin'], 'add': [TenantAccountRole.OWNER, TenantAccountRole.ADMIN],
'remove': ['owner'], 'remove': [TenantAccountRole.OWNER],
'update': ['owner'] 'update': [TenantAccountRole.OWNER]
} }
if action not in ['add', 'remove', 'update']: if action not in ['add', 'remove', 'update']:
raise InvalidActionError("Invalid action.") raise InvalidActionError("Invalid action.")

4
api/services/billing_service.py
View File

@ -3,7 +3,7 @@ import os
import requests import requests
from extensions.ext_database import db from extensions.ext_database import db
from models.account import TenantAccountJoin from models.account import TenantAccountJoin, TenantAccountRole
class BillingService: class BillingService:
@ -74,5 +74,5 @@ class BillingService:
TenantAccountJoin.account_id == current_user.id TenantAccountJoin.account_id == current_user.id
).first() ).first()
if join.role not in ['owner', 'admin']: if TenantAccountRole.is_privileged_role(join.role):
raise ValueError('Only team owner or team admin can perform this action') raise ValueError('Only team owner or team admin can perform this action')

12
api/tests/unit_tests/models/test_account.py Normal file
View File

@ -0,0 +1,12 @@
from models.account import TenantAccountRole
def test_account_is_privileged_role() -> None:
assert TenantAccountRole.ADMIN == 'admin'
assert TenantAccountRole.OWNER == 'owner'
assert TenantAccountRole.NORMAL == 'normal'
assert TenantAccountRole.is_privileged_role(TenantAccountRole.ADMIN)
assert TenantAccountRole.is_privileged_role(TenantAccountRole.OWNER)
assert not TenantAccountRole.is_privileged_role(TenantAccountRole.NORMAL)
assert not TenantAccountRole.is_privileged_role('')