fix: multiple rows were found correctly (#2219)

2025-08-12 15:39:05 +08:00 · 2024-01-26 12:47:42 +08:00 · 2024-01-26 12:47:42 +08:00 · 828822243a
commit 828822243a
parent 2068ae215e
13 changed files with 49 additions and 48 deletions
--- a/api/controllers/console/apikey.py
+++ b/api/controllers/console/apikey.py
@ -61,9 +61,7 @@ class BaseApiKeyListResource(Resource):
        resource_id = str(resource_id)
        _get_resource(resource_id, current_user.current_tenant_id,
                      self.resource_model)
-
+        if not current_user.is_admin_or_owner:
        # The role of the current user in the ta table must be admin or owner
        if current_user.current_tenant.current_role not in ['admin', 'owner']:
            raise Forbidden()
        current_key_count = db.session.query(ApiToken). \
@ -102,7 +100,7 @@ class BaseApiKeyResource(Resource):
                      self.resource_model)
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        key = db.session.query(ApiToken). \
--- a/api/controllers/console/app/annotation.py
+++ b/api/controllers/console/app/annotation.py
@ -21,7 +21,7 @@ class AnnotationReplyActionApi(Resource):
    @cloud_edition_billing_resource_check('annotation')
    def post(self, app_id, action):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app_id = str(app_id)
@ -45,7 +45,7 @@ class AppAnnotationSettingDetailApi(Resource):
    @account_initialization_required
    def get(self, app_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app_id = str(app_id)
@ -59,7 +59,7 @@ class AppAnnotationSettingUpdateApi(Resource):
    @account_initialization_required
    def post(self, app_id, annotation_setting_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app_id = str(app_id)
@ -80,7 +80,7 @@ class AnnotationReplyActionStatusApi(Resource):
    @cloud_edition_billing_resource_check('annotation')
    def get(self, app_id, job_id, action):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        job_id = str(job_id)
@ -108,7 +108,7 @@ class AnnotationListApi(Resource):
    @account_initialization_required
    def get(self, app_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        page = request.args.get('page', default=1, type=int)
@ -133,7 +133,7 @@ class AnnotationExportApi(Resource):
    @account_initialization_required
    def get(self, app_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app_id = str(app_id)
@ -152,7 +152,7 @@ class AnnotationCreateApi(Resource):
    @marshal_with(annotation_fields)
    def post(self, app_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app_id = str(app_id)
@ -172,7 +172,7 @@ class AnnotationUpdateDeleteApi(Resource):
    @marshal_with(annotation_fields)
    def post(self, app_id, annotation_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app_id = str(app_id)
@ -189,7 +189,7 @@ class AnnotationUpdateDeleteApi(Resource):
    @account_initialization_required
    def delete(self, app_id, annotation_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app_id = str(app_id)
@ -205,7 +205,7 @@ class AnnotationBatchImportApi(Resource):
    @cloud_edition_billing_resource_check('annotation')
    def post(self, app_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app_id = str(app_id)
@ -230,7 +230,7 @@ class AnnotationBatchImportStatusApi(Resource):
    @cloud_edition_billing_resource_check('annotation')
    def get(self, app_id, job_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        job_id = str(job_id)
@ -257,7 +257,7 @@ class AnnotationHitHistoryListApi(Resource):
    @account_initialization_required
    def get(self, app_id, annotation_id):
        # The role of the current user in the table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        page = request.args.get('page', default=1, type=int)
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@ -88,7 +88,7 @@ class AppListApi(Resource):
        args = parser.parse_args()
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        try:
@ -237,7 +237,7 @@ class AppApi(Resource):
        """Delete app"""
        app_id = str(app_id)
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app = _get_app(app_id, current_user.current_tenant_id)
--- a/api/controllers/console/app/message.py
+++ b/api/controllers/console/app/message.py
@ -157,7 +157,7 @@ class MessageAnnotationApi(Resource):
    @marshal_with(annotation_fields)
    def post(self, app_id):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        app_id = str(app_id)
--- a/api/controllers/console/app/site.py
+++ b/api/controllers/console/app/site.py
@ -42,7 +42,7 @@ class AppSite(Resource):
        app_model = _get_app(app_id)
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        site = db.session.query(Site). \
@ -88,7 +88,7 @@ class AppSiteAccessTokenReset(Resource):
        app_model = _get_app(app_id)
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        site = db.session.query(Site).filter(Site.app_id == app_model.id).first()
--- a/api/controllers/console/auth/data_source_oauth.py
+++ b/api/controllers/console/auth/data_source_oauth.py
@ -30,7 +30,7 @@ def get_oauth_providers():
 class OAuthDataSource(Resource):
    def get(self, provider: str):
        # The role of the current user in the table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        OAUTH_DATASOURCE_PROVIDERS = get_oauth_providers()
        with current_app.app_context():
--- a/api/controllers/console/datasets/datasets.py
+++ b/api/controllers/console/datasets/datasets.py
@ -103,7 +103,7 @@ class DatasetListApi(Resource):
        args = parser.parse_args()
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        try:
@ -187,7 +187,7 @@ class DatasetApi(Resource):
        args = parser.parse_args()
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        dataset = DatasetService.update_dataset(
@ -205,7 +205,7 @@ class DatasetApi(Resource):
        dataset_id_str = str(dataset_id)
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        if DatasetService.delete_dataset(dataset_id_str, current_user):
@ -391,7 +391,7 @@ class DatasetApiKeyApi(Resource):
    @marshal_with(api_key_fields)
    def post(self):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        current_key_count = db.session.query(ApiToken). \
@ -425,7 +425,7 @@ class DatasetApiDeleteApi(Resource):
        api_key_id = str(api_key_id)
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        key = db.session.query(ApiToken). \
--- a/api/controllers/console/datasets/datasets_document.py
+++ b/api/controllers/console/datasets/datasets_document.py
@ -204,7 +204,7 @@ class DatasetDocumentListApi(Resource):
            raise NotFound('Dataset not found.')
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        try:
@ -256,7 +256,7 @@ class DatasetInitApi(Resource):
    @cloud_edition_billing_resource_check('vector_space')
    def post(self):
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        parser = reqparse.RequestParser()
@ -599,7 +599,7 @@ class DocumentProcessingApi(DocumentResource):
        document = self.get_document(dataset_id, document_id)
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        if action == "pause":
@ -663,7 +663,7 @@ class DocumentMetadataApi(DocumentResource):
        doc_metadata = req_data.get('doc_metadata')
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        if doc_type is None or doc_metadata is None:
@ -710,7 +710,7 @@ class DocumentStatusApi(DocumentResource):
        document = self.get_document(dataset_id, document_id)
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        indexing_cache_key = 'document_{}_indexing'.format(document.id)
--- a/api/controllers/console/datasets/datasets_segments.py
+++ b/api/controllers/console/datasets/datasets_segments.py
@ -123,7 +123,7 @@ class DatasetDocumentSegmentApi(Resource):
        # check user's model setting
        DatasetService.check_dataset_model_setting(dataset)
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        try:
@ -219,7 +219,7 @@ class DatasetDocumentSegmentAddApi(Resource):
        if not document:
            raise NotFound('Document not found.')
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        # check embedding model setting
        if dataset.indexing_technique == 'high_quality':
@ -298,7 +298,7 @@ class DatasetDocumentSegmentUpdateApi(Resource):
        if not segment:
            raise NotFound('Segment not found.')
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        try:
            DatasetService.check_dataset_permission(dataset, current_user)
@ -342,7 +342,7 @@ class DatasetDocumentSegmentUpdateApi(Resource):
        if not segment:
            raise NotFound('Segment not found.')
        # The role of the current user in the ta table must be admin or owner
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        try:
            DatasetService.check_dataset_permission(dataset, current_user)
--- a/api/controllers/console/workspace/model_providers.py
+++ b/api/controllers/console/workspace/model_providers.py
@ -98,7 +98,7 @@ class ModelProviderApi(Resource):
    @login_required
    @account_initialization_required
    def post(self, provider: str):
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        parser = reqparse.RequestParser()
@ -122,7 +122,7 @@ class ModelProviderApi(Resource):
    @login_required
    @account_initialization_required
    def delete(self, provider: str):
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        model_provider_service = ModelProviderService()
@ -159,7 +159,7 @@ class PreferredProviderTypeUpdateApi(Resource):
    @login_required
    @account_initialization_required
    def post(self, provider: str):
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        tenant_id = current_user.current_tenant_id
--- a/api/controllers/console/workspace/tool_providers.py
+++ b/api/controllers/console/workspace/tool_providers.py
@ -43,7 +43,7 @@ class ToolBuiltinProviderDeleteApi(Resource):
    @login_required
    @account_initialization_required
    def post(self, provider):
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        user_id = current_user.id
@ -60,7 +60,7 @@ class ToolBuiltinProviderUpdateApi(Resource):
    @login_required
    @account_initialization_required
    def post(self, provider):
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        user_id = current_user.id
@ -90,7 +90,7 @@ class ToolApiProviderAddApi(Resource):
    @login_required
    @account_initialization_required
    def post(self):
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        user_id = current_user.id
@ -159,7 +159,7 @@ class ToolApiProviderUpdateApi(Resource):
    @login_required
    @account_initialization_required
    def post(self):
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        user_id = current_user.id
@ -193,7 +193,7 @@ class ToolApiProviderDeleteApi(Resource):
    @login_required
    @account_initialization_required
    def post(self):
-        if current_user.current_tenant.current_role not in ['admin', 'owner']:
+        if not current_user.is_admin_or_owner:
            raise Forbidden()
        user_id = current_user.id
--- a/api/controllers/service_api/wraps.py
+++ b/api/controllers/service_api/wraps.py
@ -76,7 +76,7 @@ def validate_dataset_token(view=None):
                .filter(Tenant.id == api_token.tenant_id) \
                .filter(TenantAccountJoin.tenant_id == Tenant.id) \
                .filter(TenantAccountJoin.role.in_(['owner'])) \
-                .one_or_none()
+                .one_or_none() # TODO: only owner information is required, so only one is returned.
            if tenant_account_join:
                tenant, ta = tenant_account_join
                account = Account.query.filter_by(id=ta.account_id).first()
@ -86,9 +86,9 @@ def validate_dataset_token(view=None):
                    current_app.login_manager._update_request_context_with_user(account)
                    user_logged_in.send(current_app._get_current_object(), user=_get_user())
                else:
-                    raise Unauthorized("Tenant owner account is not exist.")
+                    raise Unauthorized("Tenant owner account does not exist.")
            else:
-                raise Unauthorized("Tenant is not exist.")
+                raise Unauthorized("Tenant does not exist.")
            return view(api_token.tenant_id, *args, **kwargs)
        return decorated
--- a/api/models/account.py
+++ b/api/models/account.py
@ -101,7 +101,10 @@ class Account(UserMixin, db.Model):
        return db.session.query(ai).filter(
            ai.account_id == self.id
        ).all()
-
+    # check current_user.current_tenant.current_role in ['admin', 'owner']
    @property
    def is_admin_or_owner(self):
        return self._current_tenant.current_role in ['admin', 'owner']
 class Tenant(db.Model):
    __tablename__ = 'tenants'