fix: The permissions issue of the editor role accessing some backend … (#6945)

Co-authored-by: liuzhenghua-jk <liuzhenghua-jk@360shuke.com>
2024-11-16 03:32:23 +08:00 · 2024-08-05 04:55:55 +00:00 · 2024-08-05 04:55:55 +00:00 · ef616c604a
commit ef616c604a
parent 2288efbf48
4 changed files with 17 additions and 31 deletions
--- a/api/controllers/console/app/annotation.py
+++ b/api/controllers/console/app/annotation.py
@ -23,8 +23,7 @@ class AnnotationReplyActionApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check('annotation')
    def post(self, app_id, action):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        app_id = str(app_id)
@ -47,8 +46,7 @@ class AppAnnotationSettingDetailApi(Resource):
    @login_required
    @account_initialization_required
    def get(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        app_id = str(app_id)
@ -61,8 +59,7 @@ class AppAnnotationSettingUpdateApi(Resource):
    @login_required
    @account_initialization_required
    def post(self, app_id, annotation_setting_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        app_id = str(app_id)
@ -82,8 +79,7 @@ class AnnotationReplyActionStatusApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check('annotation')
    def get(self, app_id, job_id, action):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        job_id = str(job_id)
@ -110,8 +106,7 @@ class AnnotationListApi(Resource):
    @login_required
    @account_initialization_required
    def get(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        page = request.args.get('page', default=1, type=int)
@ -135,8 +130,7 @@ class AnnotationExportApi(Resource):
    @login_required
    @account_initialization_required
    def get(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        app_id = str(app_id)
@ -154,8 +148,7 @@ class AnnotationCreateApi(Resource):
    @cloud_edition_billing_resource_check('annotation')
    @marshal_with(annotation_fields)
    def post(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        app_id = str(app_id)
@ -174,8 +167,7 @@ class AnnotationUpdateDeleteApi(Resource):
    @cloud_edition_billing_resource_check('annotation')
    @marshal_with(annotation_fields)
    def post(self, app_id, annotation_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        app_id = str(app_id)
@ -191,8 +183,7 @@ class AnnotationUpdateDeleteApi(Resource):
    @login_required
    @account_initialization_required
    def delete(self, app_id, annotation_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        app_id = str(app_id)
@ -207,8 +198,7 @@ class AnnotationBatchImportApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check('annotation')
    def post(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        app_id = str(app_id)
@ -232,8 +222,7 @@ class AnnotationBatchImportStatusApi(Resource):
    @account_initialization_required
    @cloud_edition_billing_resource_check('annotation')
    def get(self, app_id, job_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        job_id = str(job_id)
@ -259,8 +248,7 @@ class AnnotationHitHistoryListApi(Resource):
    @login_required
    @account_initialization_required
    def get(self, app_id, annotation_id):
-        # The role of the current user in the table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        page = request.args.get('page', default=1, type=int)
--- a/api/controllers/console/app/conversation.py
+++ b/api/controllers/console/app/conversation.py
@ -143,7 +143,7 @@ class ChatConversationApi(Resource):
    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
    @marshal_with(conversation_with_summary_pagination_fields)
    def get(self, app_model):
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()
        parser = reqparse.RequestParser()
        parser.add_argument('keyword', type=str, location='args')
@ -245,7 +245,7 @@ class ChatConversationDetailApi(Resource):
    @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
    @marshal_with(conversation_detail_fields)
    def get(self, app_model, conversation_id):
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()
        conversation_id = str(conversation_id)

--- a/api/controllers/console/app/message.py
+++ b/api/controllers/console/app/message.py
@ -149,8 +149,7 @@ class MessageAnnotationApi(Resource):
    @get_app_model
    @marshal_with(annotation_fields)
    def post(self, app_model):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()

        parser = reqparse.RequestParser()
--- a/api/controllers/console/datasets/datasets_segments.py
+++ b/api/controllers/console/datasets/datasets_segments.py
@ -223,8 +223,7 @@ class DatasetDocumentSegmentAddApi(Resource):
        document = DocumentService.get_document(dataset_id, document_id)
        if not document:
            raise NotFound('Document not found.')
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()
        # check embedding model setting
        if dataset.indexing_technique == 'high_quality':
@ -347,7 +346,7 @@ class DatasetDocumentSegmentUpdateApi(Resource):
        if not segment:
            raise NotFound('Segment not found.')
        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
            raise Forbidden()
        try:
            DatasetService.check_dataset_permission(dataset, current_user)