diff --git a/api/controllers/console/apikey.py b/api/controllers/console/apikey.py
index 23b11afe1c..b8dd1ed5bf 100644
--- a/api/controllers/console/apikey.py
+++ b/api/controllers/console/apikey.py
@@ -61,9 +61,7 @@ class BaseApiKeyListResource(Resource):
 resource_id = str(resource_id)
 _get_resource(resource_id, current_user.current_tenant_id, self.resource_model)
-
- # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 current_key_count = db.session.query(ApiToken). \
@@ -102,7 +100,7 @@ class BaseApiKeyResource(Resource):
 self.resource_model)
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 key = db.session.query(ApiToken). \
diff --git a/api/controllers/console/app/annotation.py b/api/controllers/console/app/annotation.py
index 439ed07345..8c7cae9519 100644
--- a/api/controllers/console/app/annotation.py
+++ b/api/controllers/console/app/annotation.py
@@ -21,7 +21,7 @@ class AnnotationReplyActionApi(Resource):
 @cloud_edition_billing_resource_check('annotation')
 def post(self, app_id, action):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app_id = str(app_id)
@@ -45,7 +45,7 @@ class AppAnnotationSettingDetailApi(Resource):
 @account_initialization_required
 def get(self, app_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app_id = str(app_id)
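Review bot: The first apikey.py hunk (`BaseApiKeyListResource`) drops the explanatory comment and the blank line above the role check, while the second hunk in the same file and every hunk in annotation.py, app.py, message.py, site.py, datasets.py, datasets_document.py and datasets_segments.py keep `# The role of the current user in the ta table must be admin or owner` above the new one-liner. Pick one treatment for the whole change: either remove the comment everywhere, since `is_admin_or_owner` now states the intent, or keep it everywhere. If it is kept, "ta table" is opaque to a reader; presumably it refers to the tenant-account join table, so `# Role in the tenant-account join must be admin or owner` would be clearer. The enclosing `post` methods in these hunks start outside the visible context.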
@@ -59,7 +59,7 @@ class AppAnnotationSettingUpdateApi(Resource):
 @account_initialization_required
 def post(self, app_id, annotation_setting_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app_id = str(app_id)
@@ -80,7 +80,7 @@ class AnnotationReplyActionStatusApi(Resource):
 @cloud_edition_billing_resource_check('annotation')
 def get(self, app_id, job_id, action):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 job_id = str(job_id)
@@ -108,7 +108,7 @@ class AnnotationListApi(Resource):
 @account_initialization_required
 def get(self, app_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 page = request.args.get('page', default=1, type=int)
@@ -133,7 +133,7 @@ class AnnotationExportApi(Resource):
 @account_initialization_required
 def get(self, app_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app_id = str(app_id)
@@ -152,7 +152,7 @@ class AnnotationCreateApi(Resource):
 @marshal_with(annotation_fields)
 def post(self, app_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app_id = str(app_id)
@@ -172,7 +172,7 @@ class AnnotationUpdateDeleteApi(Resource):
 @marshal_with(annotation_fields)
 def post(self, app_id, annotation_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app_id = str(app_id)
@@ -189,7 +189,7 @@ class AnnotationUpdateDeleteApi(Resource):
 @account_initialization_required
 def delete(self, app_id, annotation_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app_id = str(app_id)
@@ -205,7 +205,7 @@ class AnnotationBatchImportApi(Resource):
 @cloud_edition_billing_resource_check('annotation')
 def post(self, app_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app_id = str(app_id)
@@ -230,7 +230,7 @@ class AnnotationBatchImportStatusApi(Resource):
 @cloud_edition_billing_resource_check('annotation')
 def get(self, app_id, job_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 job_id = str(job_id)
@@ -257,7 +257,7 @@ class AnnotationHitHistoryListApi(Resource):
 @account_initialization_required
 def get(self, app_id, annotation_id):
 # The role of the current user in the table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 page = request.args.get('page', default=1, type=int)
diff --git a/api/controllers/console/app/app.py b/api/controllers/console/app/app.py
index c9ba778cc7..8e1dc598d0 100644
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@@ -88,7 +88,7 @@ class AppListApi(Resource):
 args = parser.parse_args()
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 try:
@@ -237,7 +237,7 @@ class AppApi(Resource):
 """Delete app"""
 app_id = str(app_id)
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app = _get_app(app_id, current_user.current_tenant_id)
diff --git a/api/controllers/console/app/message.py b/api/controllers/console/app/message.py
index f26c89d843..50b4e2d983 100644
--- a/api/controllers/console/app/message.py
+++ b/api/controllers/console/app/message.py
@@ -157,7 +157,7 @@ class MessageAnnotationApi(Resource):
 @marshal_with(annotation_fields)
 def post(self, app_id):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 app_id = str(app_id)
diff --git a/api/controllers/console/app/site.py b/api/controllers/console/app/site.py
index 4ef313d644..0dc3ecc1e6 100644
--- a/api/controllers/console/app/site.py
+++ b/api/controllers/console/app/site.py
@@ -42,7 +42,7 @@ class AppSite(Resource):
 app_model = _get_app(app_id)
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 site = db.session.query(Site). \
@@ -88,7 +88,7 @@ class AppSiteAccessTokenReset(Resource):
 app_model = _get_app(app_id)
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 site = db.session.query(Site).filter(Site.app_id == app_model.id).first()
diff --git a/api/controllers/console/auth/data_source_oauth.py b/api/controllers/console/auth/data_source_oauth.py
index ff9084db30..d0b28c6d4b 100644
--- a/api/controllers/console/auth/data_source_oauth.py
+++ b/api/controllers/console/auth/data_source_oauth.py
@@ -30,7 +30,7 @@ def get_oauth_providers():
 class OAuthDataSource(Resource):
 def get(self, provider: str):
 # The role of the current user in the table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 OAUTH_DATASOURCE_PROVIDERS = get_oauth_providers()
 with current_app.app_context():
diff --git a/api/controllers/console/datasets/datasets.py b/api/controllers/console/datasets/datasets.py
index 8d315460d3..01700ea63b 100644
--- a/api/controllers/console/datasets/datasets.py
+++ b/api/controllers/console/datasets/datasets.py
@@ -103,7 +103,7 @@ class DatasetListApi(Resource):
 args = parser.parse_args()
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 try:
@@ -187,7 +187,7 @@ class DatasetApi(Resource):
 args = parser.parse_args()
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 dataset = DatasetService.update_dataset(
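Review bot: In the data_source_oauth.py hunk, `OAuthDataSource.get` shows no login or account-initialization decorator between the `class OAuthDataSource(Resource)` context line and `def get`, unlike the `@login_required` / `@account_initialization_required` methods elsewhere in this change. If the resource is reachable by an unauthenticated request and nothing outside the hunk applies a login guard, `current_user` is Flask-Login's anonymous user, which has no `is_admin_or_owner`, so the role check raises AttributeError (a 500) instead of the 401/403 the caller expects; the previous `current_tenant.current_role` form had the same exposure, so this is pre-existing, but worth confirming while the line is being touched. If the guard does live elsewhere (for example a `method_decorators` list), a one-line comment above the check, `# login is enforced by the resource's method_decorators`, would save the next reader the same question.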
@@ -205,7 +205,7 @@ class DatasetApi(Resource):
 dataset_id_str = str(dataset_id)
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 if DatasetService.delete_dataset(dataset_id_str, current_user):
@@ -391,7 +391,7 @@ class DatasetApiKeyApi(Resource):
 @marshal_with(api_key_fields)
 def post(self):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 current_key_count = db.session.query(ApiToken). \
@@ -425,7 +425,7 @@ class DatasetApiDeleteApi(Resource):
 api_key_id = str(api_key_id)
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 key = db.session.query(ApiToken). \
diff --git a/api/controllers/console/datasets/datasets_document.py b/api/controllers/console/datasets/datasets_document.py
index b3830dcb75..586bbafbb0 100644
--- a/api/controllers/console/datasets/datasets_document.py
+++ b/api/controllers/console/datasets/datasets_document.py
@@ -204,7 +204,7 @@ class DatasetDocumentListApi(Resource):
 raise NotFound('Dataset not found.')
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 try:
@@ -256,7 +256,7 @@ class DatasetInitApi(Resource):
 @cloud_edition_billing_resource_check('vector_space')
 def post(self):
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 parser = reqparse.RequestParser()
@@ -599,7 +599,7 @@ class DocumentProcessingApi(DocumentResource):
 document = self.get_document(dataset_id, document_id)
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 if action == "pause":
@@ -663,7 +663,7 @@ class DocumentMetadataApi(DocumentResource):
 doc_metadata = req_data.get('doc_metadata')
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 if doc_type is None or doc_metadata is None:
@@ -710,7 +710,7 @@ class DocumentStatusApi(DocumentResource):
 document = self.get_document(dataset_id, document_id)
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 indexing_cache_key = 'document_{}_indexing'.format(document.id)
diff --git a/api/controllers/console/datasets/datasets_segments.py b/api/controllers/console/datasets/datasets_segments.py
index befe7f30d4..8de5bc91d7 100644
--- a/api/controllers/console/datasets/datasets_segments.py
+++ b/api/controllers/console/datasets/datasets_segments.py
@@ -123,7 +123,7 @@ class DatasetDocumentSegmentApi(Resource):
 # check user's model setting
 DatasetService.check_dataset_model_setting(dataset)
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 try:
@@ -219,7 +219,7 @@ class DatasetDocumentSegmentAddApi(Resource):
 if not document:
 raise NotFound('Document not found.')
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 # check embedding model setting
 if dataset.indexing_technique == 'high_quality':
@@ -298,7 +298,7 @@ class DatasetDocumentSegmentUpdateApi(Resource):
 if not segment:
 raise NotFound('Segment not found.')
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 try:
 DatasetService.check_dataset_permission(dataset, current_user)
@@ -342,7 +342,7 @@ class DatasetDocumentSegmentUpdateApi(Resource):
 if not segment:
 raise NotFound('Segment not found.')
 # The role of the current user in the ta table must be admin or owner
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 try:
 DatasetService.check_dataset_permission(dataset, current_user)
diff --git a/api/controllers/console/workspace/model_providers.py b/api/controllers/console/workspace/model_providers.py
index a78a253dd0..1bd67427db 100644
--- a/api/controllers/console/workspace/model_providers.py
+++ b/api/controllers/console/workspace/model_providers.py
@@ -98,7 +98,7 @@ class ModelProviderApi(Resource):
 @login_required
 @account_initialization_required
 def post(self, provider: str):
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 parser = reqparse.RequestParser()
@@ -122,7 +122,7 @@ class ModelProviderApi(Resource):
 @login_required
 @account_initialization_required
 def delete(self, provider: str):
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 model_provider_service = ModelProviderService()
@@ -159,7 +159,7 @@ class PreferredProviderTypeUpdateApi(Resource):
 @login_required
 @account_initialization_required
 def post(self, provider: str):
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 tenant_id = current_user.current_tenant_id
diff --git a/api/controllers/console/workspace/tool_providers.py b/api/controllers/console/workspace/tool_providers.py
index b694e0bef7..196747a163 100644
--- a/api/controllers/console/workspace/tool_providers.py
+++ b/api/controllers/console/workspace/tool_providers.py
@@ -43,7 +43,7 @@ class ToolBuiltinProviderDeleteApi(Resource):
 @login_required
 @account_initialization_required
 def post(self, provider):
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 user_id = current_user.id
@@ -60,7 +60,7 @@ class ToolBuiltinProviderUpdateApi(Resource):
 @login_required
 @account_initialization_required
 def post(self, provider):
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 user_id = current_user.id
@@ -90,7 +90,7 @@ class ToolApiProviderAddApi(Resource):
 @login_required
 @account_initialization_required
 def post(self):
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 user_id = current_user.id
@@ -159,7 +159,7 @@ class ToolApiProviderUpdateApi(Resource):
 @login_required
 @account_initialization_required
 def post(self):
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 user_id = current_user.id
@@ -193,7 +193,7 @@ class ToolApiProviderDeleteApi(Resource):
 @login_required
 @account_initialization_required
 def post(self):
- if current_user.current_tenant.current_role not in ['admin', 'owner']:
+ if not current_user.is_admin_or_owner:
 raise Forbidden()
 user_id = current_user.id
diff --git a/api/controllers/service_api/wraps.py b/api/controllers/service_api/wraps.py
index c8c170c535..60e573ec93 100644
--- a/api/controllers/service_api/wraps.py
+++ b/api/controllers/service_api/wraps.py
@@ -76,7 +76,7 @@ def validate_dataset_token(view=None):
 .filter(Tenant.id == api_token.tenant_id) \
 .filter(TenantAccountJoin.tenant_id == Tenant.id) \
 .filter(TenantAccountJoin.role.in_(['owner'])) \
- .one_or_none()
+ .one_or_none() # TODO: only owner information is required, so only one is returned.
 if tenant_account_join:
 tenant, ta = tenant_account_join
 account = Account.query.filter_by(id=ta.account_id).first()
@@ -86,9 +86,9 @@ def validate_dataset_token(view=None):
 current_app.login_manager._update_request_context_with_user(account)
 user_logged_in.send(current_app._get_current_object(), user=_get_user())
 else:
- raise Unauthorized("Tenant owner account is not exist.")
+ raise Unauthorized("Tenant owner account does not exist.")
 else:
- raise Unauthorized("Tenant is not exist.")
+ raise Unauthorized("Tenant does not exist.")
 return view(api_token.tenant_id, *args, **kwargs)
 return decorated
diff --git a/api/models/account.py b/api/models/account.py
index 81d56d974e..322e2670a3 100644
--- a/api/models/account.py
+++ b/api/models/account.py
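Review bot: The new TODO on the `.one_or_none()` line in the wraps.py hunk (`@@ -76,7`) leaves the important case unstated: the query is filtered only by `Tenant.id == api_token.tenant_id` and `TenantAccountJoin.role.in_(['owner'])`, and SQLAlchemy's `one_or_none()` raises `MultipleResultsFound` when a tenant has more than one owner row, which would surface as an unhandled 500 on an API-token request rather than an `Unauthorized`. If exactly one owner per tenant is an invariant the data model enforces, say so in place of the TODO, `# exactly one owner row per tenant is expected; one_or_none() deliberately fails loudly otherwise`; if it is not, `.first()` with an explicit ordering, or catching `MultipleResultsFound` and raising `Unauthorized`, fails closed instead. The enclosing `validate_dataset_token` / `decorated` bodies begin before the hunk.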
@@ -101,7 +101,10 @@ class Account(UserMixin, db.Model):
 return db.session.query(ai).filter(
 ai.account_id == self.id
 ).all()
-
+ # check current_user.current_tenant.current_role in ['admin', 'owner']
+ @property
+ def is_admin_or_owner(self):
+ return self._current_tenant.current_role in ['admin', 'owner']
 class Tenant(db.Model):
 __tablename__ = 'tenants'
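Review bot: `is_admin_or_owner` dereferences `self._current_tenant.current_role` directly, so if `_current_tenant` can be unset or `None` (the hunk does not show how it is populated) every controller that now does `if not current_user.is_admin_or_owner: raise Forbidden()` gets an AttributeError and a 500 instead of the intended 403. An authorization helper should fail closed: `tenant = self._current_tenant` / `return tenant is not None and tenant.current_role in ['admin', 'owner']`. The `# check current_user.current_tenant.current_role ...` comment sits above the `@property` decorator where it reads as a note on the previous method; a docstring inside the property, `"""True when this account's role in its current tenant is admin or owner."""`, is the conventional place. The collapsed diff does not show whether the two blank lines PEP 8 expects before `class Tenant` survive the removed blank line, so that is worth a glance in the rendered file.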