feat: org auth for app & dataset (#3498)

* feat: auth org resource permission * feat: org auth support for app & dataset
labring · Dec 30, 2024 · f46427e · f46427e
1 parent f3e5900
commit f46427e
Show file tree

Hide file tree

Showing 5 changed files with 108 additions and 53 deletions.
diff --git a/packages/service/support/permission/controller.ts b/packages/service/support/permission/controller.ts
@@ -22,6 +22,7 @@ import { MemberGroupSchemaType } from '@fastgpt/global/support/permission/member
 import { TeamMemberSchema } from '@fastgpt/global/support/user/team/type';
 import { UserModelSchema } from '@fastgpt/global/support/user/type';
 import { OrgSchemaType } from '@fastgpt/global/support/user/team/org/type';
+import { getOrgsWithParentByTmbId } from './org/controllers';
 
 /** get resource permission for a team member
  * If there is no permission for the team member, it will return undefined
@@ -40,15 +41,15 @@ export const getResourcePermission = async ({
   teamId: string;
   tmbId: string;
 } & (
-  | {
+    | {
       resourceType: 'team';
       resourceId?: undefined;
     }
-  | {
+    | {
       resourceType: Omit<PerResourceTypeEnum, 'team'>;
       resourceId: string;
     }
-)): Promise<PermissionValueType | undefined> => {
+  )): Promise<PermissionValueType | undefined> => {
   // Personal permission has the highest priority
   const tmbPer = (
     await MongoResourcePermission.findOne(
@@ -68,30 +69,61 @@ export const getResourcePermission = async ({
   }
 
   // If there is no personal permission, get the group permission
-  const groupIdList = (await getGroupsByTmbId({ tmbId, teamId })).map((item) => item._id);
+  const groupPer = await (async () => {
+    const groupIdList = (await getGroupsByTmbId({ tmbId, teamId })).map((item) => item._id);
 
-  if (groupIdList.length === 0) {
-    return undefined;
+    if (groupIdList.length === 0) {
+      return undefined;
+    }
+
+    // get the maximum permission of the group
+    const pers = (
+      await MongoResourcePermission.find(
+        {
+          teamId,
+          resourceType,
+          groupId: {
+            $in: groupIdList
+          },
+          resourceId
+        },
+        'permission'
+      ).lean()
+    ).map((item) => item.permission);
+
+    return getGroupPer(pers);
+  })();
+
+  const orgIds = await getOrgsWithParentByTmbId({ tmbId, teamId }).then((item) => Array.from(item));
+
+  if (orgIds.length === 0) {
+    return groupPer;
   }
 
-  // get the maximum permission of the group
-  const pers = (
+  // get the maximum permission of the org
+  const orgPers = (
     await MongoResourcePermission.find(
       {
         teamId,
         resourceType,
-        groupId: {
-          $in: groupIdList
+        orgId: {
+          $in: Array.from(orgIds)
         },
         resourceId
       },
       'permission'
     ).lean()
   ).map((item) => item.permission);
 
-  const groupPer = getGroupPer(pers);
+  const orgPer = getGroupPer(orgPers);
+
+  if (groupPer === undefined) {
+    return orgPer;
+  } else if (orgPer === undefined) {
+    return groupPer;
+  }
 
-  return groupPer;
+  return new Permission().addPer(groupPer, orgPer).value;
 };
 
 /* 仅取 members 不取 groups */
@@ -104,15 +136,15 @@ export async function getResourceAllClbs({
   teamId: string;
   session?: ClientSession;
 } & (
-  | {
+    | {
       resourceType: 'team';
       resourceId?: undefined;
     }
-  | {
+    | {
       resourceType: Omit<PerResourceTypeEnum, 'team'>;
       resourceId?: string | null;
     }
-)): Promise<ResourcePermissionType[]> {
+  )): Promise<ResourcePermissionType[]> {
   return MongoResourcePermission.find(
     {
       resourceType: resourceType,

diff --git a/packages/service/support/permission/org/controllers.ts b/packages/service/support/permission/org/controllers.ts
@@ -36,6 +36,19 @@ import { MongoOrgMemberModel } from './orgMemberSchema';
 export const getOrgsByTmbId = async ({ teamId, tmbId }: { teamId: string; tmbId: string }) =>
   MongoOrgMemberModel.find({ teamId, tmbId }, 'orgId').lean();
 
+export const getOrgsWithParentByTmbId = async ({ teamId, tmbId }: { teamId: string; tmbId: string }) =>
+  MongoOrgMemberModel.find({ teamId, tmbId }, 'orgId').lean().then((orgs) => {
+    const orgIds = new Set<string>();
+    for (const org of orgs) {
+      const orgId = String(org.orgId);
+      const parentIds = orgId.split('/').filter((id) => id);
+      for (const parentId of parentIds) {
+        orgIds.add(parentId);
+      }
+    }
+    return orgIds;
+  });
+
 export const getChildrenByOrg = async ({
   org,
   teamId,

diff --git a/projects/app/src/components/support/permission/MemberManager/AddMemberModal.tsx b/projects/app/src/components/support/permission/MemberManager/AddMemberModal.tsx
@@ -75,7 +75,7 @@ function AddMemberModal({ onClose, mode = 'member' }: AddModalPropsType) {
     if (mode !== 'all') return [];
     return orgs.filter((item) => {
       if (item.path === '') return false; // exclude root org
-      if (!permission.isOwner && myOrgs.find((i) => String(i._id) !== String(item._id)))
+      if (!permission.isOwner && !myOrgs.find((i) => String(i._id) === String(item._id)))
         return false;
       if (!searchText) return true;
       return item.name.includes(searchText);

diff --git a/projects/app/src/pages/api/core/app/list.ts b/projects/app/src/pages/api/core/app/list.ts
@@ -17,6 +17,7 @@ import { authUserPer } from '@fastgpt/service/support/permission/user/auth';
 import { replaceRegChars } from '@fastgpt/global/common/string/tools';
 import { getGroupPer } from '@fastgpt/service/support/permission/controller';
 import { getGroupsByTmbId } from '@fastgpt/service/support/permission/memberGroup/controllers';
+import { getOrgsWithParentByTmbId } from '@fastgpt/service/support/permission/org/controllers';
 
 export type ListAppBody = {
   parentId?: ParentIdType;
@@ -25,7 +26,7 @@ export type ListAppBody = {
   searchKey?: string;
 };
 
-/* 
+/*
   获取 APP 列表权限
   1. 校验 folder 权限和获取 team 权限（owner 单独处理）
   2. 获取 team 下所有 app 权限。获取我的所有组。并计算出我所有的app权限。
@@ -48,19 +49,19 @@ async function handler(req: ApiRequestProps<ListAppBody>): Promise<AppListItemTy
     }),
     ...(parentId
       ? [
-          authApp({
-            req,
-            authToken: true,
-            authApiKey: true,
-            appId: parentId,
-            per: ReadPermissionVal
-          })
-        ]
+        authApp({
+          req,
+          authToken: true,
+          authApiKey: true,
+          appId: parentId,
+          per: ReadPermissionVal
+        })
+      ]
       : [])
   ]);
 
   // Get team all app permissions
-  const [perList, myGroupMap] = await Promise.all([
+  const [perList, myGroupMap, myOrgSet] = await Promise.all([
     MongoResourcePermission.find({
       resourceType: PerResourceTypeEnum.app,
       teamId,
@@ -77,11 +78,15 @@ async function handler(req: ApiRequestProps<ListAppBody>): Promise<AppListItemTy
         map.set(String(item._id), 1);
       });
       return map;
+    }),
+    getOrgsWithParentByTmbId({
+      teamId,
+      tmbId
     })
   ]);
   // Get my permissions
   const myPerList = perList.filter(
-    (item) => String(item.tmbId) === String(tmbId) || myGroupMap.has(String(item.groupId))
+    (item) => String(item.tmbId) === String(tmbId) || myGroupMap.has(String(item.groupId)) || myOrgSet.has(String(item.orgId))
   );
 
   const findAppsQuery = (() => {
@@ -99,17 +104,17 @@ async function handler(req: ApiRequestProps<ListAppBody>): Promise<AppListItemTy
       ? {}
       : parentId
         ? {
-            $or: [idList, parseParentIdInMongo(parentId)]
-          }
+          $or: [idList, parseParentIdInMongo(parentId)]
+        }
         : { $or: [idList, { parentId: null }] };
 
     const searchMatch = searchKey
       ? {
-          $or: [
-            { name: { $regex: new RegExp(`${replaceRegChars(searchKey)}`, 'i') } },
-            { intro: { $regex: new RegExp(`${replaceRegChars(searchKey)}`, 'i') } }
-          ]
-        }
+        $or: [
+          { name: { $regex: new RegExp(`${replaceRegChars(searchKey)}`, 'i') } },
+          { intro: { $regex: new RegExp(`${replaceRegChars(searchKey)}`, 'i') } }
+        ]
+      }
       : {};
 
     if (searchKey) {
@@ -153,7 +158,7 @@ async function handler(req: ApiRequestProps<ListAppBody>): Promise<AppListItemTy
           )?.permission;
           const groupPer = getGroupPer(
             myPerList
-              .filter((item) => String(item.resourceId) === appId && !!item.groupId)
+              .filter((item) => String(item.resourceId) === appId && (!!item.groupId || !!item.orgId))
               .map((item) => item.permission)
           );
 

diff --git a/projects/app/src/pages/api/core/dataset/list.ts b/projects/app/src/pages/api/core/dataset/list.ts
@@ -18,6 +18,7 @@ import { authDataset } from '@fastgpt/service/support/permission/dataset/auth';
 import { replaceRegChars } from '@fastgpt/global/common/string/tools';
 import { getGroupsByTmbId } from '@fastgpt/service/support/permission/memberGroup/controllers';
 import { getGroupPer } from '@fastgpt/service/support/permission/controller';
+import { getOrgsWithParentByTmbId } from '@fastgpt/service/support/permission/org/controllers';
 
 export type GetDatasetListBody = {
   parentId: ParentIdType;
@@ -38,19 +39,19 @@ async function handler(req: ApiRequestProps<GetDatasetListBody>) {
     }),
     ...(parentId
       ? [
-          authDataset({
-            req,
-            authToken: true,
-            authApiKey: true,
-            per: ReadPermissionVal,
-            datasetId: parentId
-          })
-        ]
+        authDataset({
+          req,
+          authToken: true,
+          authApiKey: true,
+          per: ReadPermissionVal,
+          datasetId: parentId
+        })
+      ]
       : [])
   ]);
 
   // Get team all app permissions
-  const [perList, myGroupMap] = await Promise.all([
+  const [perList, myGroupMap, myOrgSet] = await Promise.all([
     MongoResourcePermission.find({
       resourceType: PerResourceTypeEnum.dataset,
       teamId,
@@ -67,10 +68,14 @@ async function handler(req: ApiRequestProps<GetDatasetListBody>) {
         map.set(String(item._id), 1);
       });
       return map;
+    }),
+    getOrgsWithParentByTmbId({
+      teamId,
+      tmbId
     })
   ]);
   const myPerList = perList.filter(
-    (item) => String(item.tmbId) === String(tmbId) || myGroupMap.has(String(item.groupId))
+    (item) => String(item.tmbId) === String(tmbId) || myGroupMap.has(String(item.groupId)) || myOrgSet.has(String(item.orgId))
   );
 
   const findDatasetQuery = (() => {
@@ -80,17 +85,17 @@ async function handler(req: ApiRequestProps<GetDatasetListBody>) {
       ? {}
       : parentId
         ? {
-            $or: [idList, parseParentIdInMongo(parentId)]
-          }
+          $or: [idList, parseParentIdInMongo(parentId)]
+        }
         : { $or: [idList, { parentId: null }] };
 
     const searchMatch = searchKey
       ? {
-          $or: [
-            { name: { $regex: new RegExp(`${replaceRegChars(searchKey)}`, 'i') } },
-            { intro: { $regex: new RegExp(`${replaceRegChars(searchKey)}`, 'i') } }
-          ]
-        }
+        $or: [
+          { name: { $regex: new RegExp(`${replaceRegChars(searchKey)}`, 'i') } },
+          { intro: { $regex: new RegExp(`${replaceRegChars(searchKey)}`, 'i') } }
+        ]
+      }
       : {};
 
     if (searchKey) {
@@ -124,7 +129,7 @@ async function handler(req: ApiRequestProps<GetDatasetListBody>) {
           )?.permission;
           const groupPer = getGroupPer(
             myPerList
-              .filter((item) => String(item.resourceId) === datasetId && !!item.groupId)
+              .filter((item) => String(item.resourceId) === datasetId && (!!item.groupId || !!item.orgId))
               .map((item) => item.permission)
           );
           return new DatasetPermission({