owner and admin have all permission of knowledge base (#12157)

api/services/dataset_service.py

@@ -86,25 +86,30 @@ class DatasetService:
                 else:
                     return [], 0
             else:
-                # show all datasets that the user has permission to access
+                if user.current_role not in (TenantAccountRole.OWNER, TenantAccountRole.ADMIN):
-                if permitted_dataset_ids:
+                    # show all datasets that the user has permission to access
-                    query = query.filter(
+                    if permitted_dataset_ids:
-                        db.or_(
+                        query = query.filter(
-                            Dataset.permission == DatasetPermissionEnum.ALL_TEAM,
+                            db.or_(
-                            db.and_(Dataset.permission == DatasetPermissionEnum.ONLY_ME, Dataset.created_by == user.id),
+                                Dataset.permission == DatasetPermissionEnum.ALL_TEAM,
-                            db.and_(
+                                db.and_(
-                                Dataset.permission == DatasetPermissionEnum.PARTIAL_TEAM,
+                                    Dataset.permission == DatasetPermissionEnum.ONLY_ME, Dataset.created_by == user.id
-                                Dataset.id.in_(permitted_dataset_ids),
+                                ),
-                            ),
+                                db.and_(
+                                    Dataset.permission == DatasetPermissionEnum.PARTIAL_TEAM,
+                                    Dataset.id.in_(permitted_dataset_ids),
+                                ),
+                            )
                         )
-                    )
+                    else:
-                else:
+                        query = query.filter(
-                    query = query.filter(
+                            db.or_(
-                        db.or_(
+                                Dataset.permission == DatasetPermissionEnum.ALL_TEAM,
-                            Dataset.permission == DatasetPermissionEnum.ALL_TEAM,
+                                db.and_(
-                            db.and_(Dataset.permission == DatasetPermissionEnum.ONLY_ME, Dataset.created_by == user.id),
+                                    Dataset.permission == DatasetPermissionEnum.ONLY_ME, Dataset.created_by == user.id
+                                ),
+                            )
                         )
-                    )
         else:
             # if no user, only show datasets that are shared with all team members
             query = query.filter(Dataset.permission == DatasetPermissionEnum.ALL_TEAM)
@@ -377,14 +382,19 @@ class DatasetService:
         if dataset.tenant_id != user.current_tenant_id:
             logging.debug(f"User {user.id} does not have permission to access dataset {dataset.id}")
             raise NoPermissionError("You do not have permission to access this dataset.")
-        if dataset.permission == DatasetPermissionEnum.ONLY_ME and dataset.created_by != user.id:
+        if user.current_role not in (TenantAccountRole.OWNER, TenantAccountRole.ADMIN):
-            logging.debug(f"User {user.id} does not have permission to access dataset {dataset.id}")
+            if dataset.permission == DatasetPermissionEnum.ONLY_ME and dataset.created_by != user.id:
-            raise NoPermissionError("You do not have permission to access this dataset.")
-        if dataset.permission == "partial_members":
-            user_permission = DatasetPermission.query.filter_by(dataset_id=dataset.id, account_id=user.id).first()
-            if not user_permission and dataset.tenant_id != user.current_tenant_id and dataset.created_by != user.id:
                 logging.debug(f"User {user.id} does not have permission to access dataset {dataset.id}")
                 raise NoPermissionError("You do not have permission to access this dataset.")
+            if dataset.permission == "partial_members":
+                user_permission = DatasetPermission.query.filter_by(dataset_id=dataset.id, account_id=user.id).first()
+                if (
+                    not user_permission
+                    and dataset.tenant_id != user.current_tenant_id
+                    and dataset.created_by != user.id
+                ):
+                    logging.debug(f"User {user.id} does not have permission to access dataset {dataset.id}")
+                    raise NoPermissionError("You do not have permission to access this dataset.")
 
     @staticmethod
     def check_dataset_operator_permission(user: Optional[Account] = None, dataset: Optional[Dataset] = None):
@@ -394,15 +404,16 @@ class DatasetService:
         if not user:
             raise ValueError("User not found")
 
-        if dataset.permission == DatasetPermissionEnum.ONLY_ME:
+        if user.current_role not in (TenantAccountRole.OWNER, TenantAccountRole.ADMIN):
-            if dataset.created_by != user.id:
+            if dataset.permission == DatasetPermissionEnum.ONLY_ME:
-                raise NoPermissionError("You do not have permission to access this dataset.")
+                if dataset.created_by != user.id:
+                    raise NoPermissionError("You do not have permission to access this dataset.")
 
-        elif dataset.permission == DatasetPermissionEnum.PARTIAL_TEAM:
+            elif dataset.permission == DatasetPermissionEnum.PARTIAL_TEAM:
-            if not any(
+                if not any(
-                dp.dataset_id == dataset.id for dp in DatasetPermission.query.filter_by(account_id=user.id).all()
+                    dp.dataset_id == dataset.id for dp in DatasetPermission.query.filter_by(account_id=user.id).all()
-            ):
+                ):
-                raise NoPermissionError("You do not have permission to access this dataset.")
+                    raise NoPermissionError("You do not have permission to access this dataset.")
 
     @staticmethod
     def get_dataset_queries(dataset_id: str, page: int, per_page: int):