Merged
60 changes: 40 additions & 20 deletions apps/common/constants/permission_constants.py
Expand Up @@ -47,7 +47,10 @@ class Group(Enum):
SYSTEM_RES_KNOWLEDGE_PROBLEM = "SYSTEM_RESOURCE_KNOWLEDGE_PROBLEM"

SYSTEM_KNOWLEDGE_HIT_TEST = "SYSTEM_KNOWLEDGE_HIT_TEST"
SYSTEM_RES_KNOWLEDGE_HIT_TEST = "SYSTEM_RESOURCE_KNOWLEDGE_HIT_TEST"
SYSTEM_KNOWLEDGE_CHAT_USER = "SYSTEM_KNOWLEDGE_CHAT_USER"
SYSTEM_RES_KNOWLEDGE_CHAT_USER = "SYSTEM_RESOURCE_KNOWLEDGE_CHAT_USER"


MODEL = "MODEL"
SYSTEM_MODEL = "SYSTEM_MODEL"
Expand Down Expand Up @@ -367,6 +370,10 @@ def get_workspace_role(self):
Group.MODEL_WORKSPACE_USER_RESOURCE_PERMISSION.value: _("Model"),
Group.TOOL_WORKSPACE_USER_RESOURCE_PERMISSION.value: _("Tool"),
Group.SYSTEM_RES_APPLICATION.value: _("Application"),
Group.SYSTEM_RES_APPLICATION_OVERVIEW.value: _("Overview"),
Group.SYSTEM_RES_APPLICATION_ACCESS.value: _("Application Access"),
Group.SYSTEM_RES_APPLICATION_CHAT_USER.value: _("Dialogue users"),
Group.SYSTEM_RES_APPLICATION_CHAT_LOG.value: _("Conversation log"),
# SystemGroup.RESOURCE.value: _("Resource"),
}

Expand Down Expand Up @@ -1285,34 +1292,31 @@ class PermissionConstants(Enum):
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_CREATE = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.CREATE, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_EDIT = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_SYNC = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.SYNC, role_list=[RoleConstants.ADMIN],
RESOURCE_KNOWLEDGE_DELETE = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_VECTOR = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.VECTOR, role_list=[RoleConstants.ADMIN],
RESOURCE_KNOWLEDGE_SYNC = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.SYNC, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_EXPORT = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.EXPORT, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_GENERATE = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.GENERATE, role_list=[RoleConstants.ADMIN],
RESOURCE_KNOWLEDGE_VECTOR = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.VECTOR, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_DELETE = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN],
RESOURCE_KNOWLEDGE_GENERATE = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE, operate=Operate.GENERATE, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
# 文档
RESOURCE_KNOWLEDGE_DOCUMENT_READ = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
Expand Down Expand Up @@ -1341,18 +1345,22 @@ class PermissionConstants(Enum):
group=Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT, operate=Operate.DOWNLOAD, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_DOCUMENT_VECTOR = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT, operate=Operate.VECTOR, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_DOCUMENT_GENERATE = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT, operate=Operate.GENERATE, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_DOCUMENT_VECTOR = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT, operate=Operate.VECTOR, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_DOCUMENT_MIGRATE = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT, operate=Operate.MIGRATE, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_HIT_TEST = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_HIT_TEST, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_PROBLEM_READ = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_PROBLEM, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
Expand All @@ -1369,6 +1377,18 @@ class PermissionConstants(Enum):
group=Group.SYSTEM_RES_KNOWLEDGE_PROBLEM, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_PROBLEM_RELATE = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_PROBLEM, operate=Operate.RELATE, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_CHAT_USER_READ = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_CHAT_USER, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_KNOWLEDGE_CHAT_USER_EDIT = Permission(
group=Group.SYSTEM_RES_KNOWLEDGE_CHAT_USER, operate=Operate.EDIT, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
)
RESOURCE_TOOL_READ = Permission(
group=Group.SYSTEM_RES_TOOL, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_TOOL]
Expand All @@ -1385,6 +1405,10 @@ class PermissionConstants(Enum):
group=Group.SYSTEM_RES_TOOL, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_TOOL]
)
RESOURCE_TOOL_DEBUG = Permission(
group=Group.SYSTEM_RES_TOOL, operate=Operate.DEBUG, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_TOOL]
)
RESOURCE_TOOL_IMPORT = Permission(
group=Group.SYSTEM_RES_TOOL, operate=Operate.IMPORT, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_TOOL]
Expand All @@ -1393,10 +1417,6 @@ class PermissionConstants(Enum):
group=Group.SYSTEM_RES_TOOL, operate=Operate.EXPORT, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_TOOL]
)
RESOURCE_TOOL_DEBUG = Permission(
group=Group.SYSTEM_RES_TOOL, operate=Operate.DEBUG, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_TOOL]
)
RESOURCE_MODEL_READ = Permission(
group=Group.SYSTEM_RES_MODEL, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
parent_group=[SystemGroup.RESOURCE_MODEL]
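Review bot: The label map in the second hunk gains entries only for the `SYSTEM_RES_APPLICATION_*` groups, while the permissions added further down (`RESOURCE_KNOWLEDGE_HIT_TEST`, `RESOURCE_KNOWLEDGE_CHAT_USER_READ`, `RESOURCE_KNOWLEDGE_CHAT_USER_EDIT`) use `Group.SYSTEM_RES_KNOWLEDGE_HIT_TEST` and `Group.SYSTEM_RES_KNOWLEDGE_CHAT_USER`, for which no label is visible here. The map continues outside the hunk, so the entries may already exist; if not, add them next to the application ones, e.g. `Group.SYSTEM_RES_KNOWLEDGE_CHAT_USER.value: _("Dialogue users"),`, so these grants presumably do not appear unnamed wherever the map is rendered. Because the commit also reorders existing `PermissionConstants` members while adding new ones, a short section comment before each new group (as `# 文档` does for documents) would make this authorization table easier to audit. Declaring the constants does not restrict anything by itself, and the endpoints expected to require `RESOURCE_KNOWLEDGE_CHAT_USER_EDIT` and `RESOURCE_KNOWLEDGE_PROBLEM_RELATE` are not part of this file section, so that wiring should be checked separately.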
Contributor Author


There are several issues and improvements that can be made in the provided code:

Issues:

  1. Duplicate Entries: There are duplicate entries for OPERATE READ under different groups like Group.SYSTEM_KNOWLEDGE, Group.SYSTEM_RES_APPLICATION, etc.
  2. Incorrect Permissions: Some permissions (like RESOURCE_TOOL_DEBUG) are listed twice without a difference between their names or operation types.

Improvements:

  1. Consistent Permissions:

    • Remove duplicates and ensure each permission is unique with proper roles and operations.
    • For example, if a user needs to read from knowledge documents, they should have access through either RESOURCE_KNOWLEDGE_DOCUMENT_READ or RESOURCE_KNOWLEDGE_DOCUMENT_DOWNLOAD.
  2. Detailed Operations:

    • Clearly define what each operation does. For instance, clarify what "VECTOR" means in terms of knowledge resources.
  3. User-Centric Roles:

    • Ensure roles align with user-specific responsibilities rather than blanket administration rights across all systems.
  4. Parent Groups Clarification:

    • If a particular feature spans multiple resource categories (like system tools and models), specify which category it belongs to.

Here’s an updated version considering these points:

from enum import Enum

# Define the main group structure
class Group(Enum):
    SYSTEM_RES_KNOWLEDGE = "SYSTEM_RESOURCE_KNOWLEDGE"
    
    SYSTEM_KNOWLEDGE_HIT_TEST = "SYSTEM_KNOWLEDGE_HIT_TEST"
    SYSTEM_RES_KNOWLEDGE_CHAT_USER = "SYSTEM_RESOURCE_KNOWLEDGE_CHAT_USER"
    

    MODEL = "MODEL"
    SYSTEM_MODEL = "SYSTEM_MODEL"


# Documentation-related constants
class PermissionConstants(Enum):
    RESOURCE_DOC_READ = Permission(
        group=Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
        parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
    )

    RESOURCE_DOC_DOWNLOAD = Permission(
        group=Group.SYSTEM_RES_KNOWLEDGE_DOCUMENT, operate=Operate.DOWNLOAD, role_list=[RoleConstants.ADMIN],
        parent_group=[SystemGroup.RESOURCE_KNOWLEDGE]
    )

    # Other related document actions...

    SYSTEM_APP_OVERVIEW = Permission(
        group=Group.SYSTEM_RES_APPLICATION, operate=Operate.READ, role_list=[RoleConstants.USER],
        parent_group=[SystemGroup.APPLICATIONS_OVERVIEW]
    )

    SYSTEM_APP_ACCESS = Permission(
        group=Group.SYSTEM_RES_APPLICATION, operate=Operate.WRITE, role_list=[RoleConstants.ADMIN],
        parent_group=[SystemGroup.APPLICATIONS_ACCESS]
    )

    SYSTEM_APP_CHAT_USER = Permission(
        group=Group.SYSTEM_RES_APPLICATION, operate=Operate.READ_WRITE,
        role_list=[RoleConstants.CHAT_USER],
        parent_group=[SystemGroup.APPLICATIONS_CHATS]

    SYSTEM_APP_CHAT_LOG = Permission(
        group=Group.SYSTEM_RES_APPLICATION, operate=Operate.READ_ONLY,
        role_list=[RoleConstants.UTILITY_USER],
        parent_group=[SystemGroup.APPLICATIONS_CHATS]
    )


# Tools management
class ToolPermissions(Enum):
    TOOL_READ = Permission(
        group=Group.SYSTEM_RES_TOOL, operate=Operate.READ, role_list=[RoleConstants.MANAGER],
        parent_group=[]
    )
    TOOLS_DELETE = Permission(
        group=Group.SYSTEM_RES_SYSTEM, operate=Operate.DELETE, role_list=[RoleConstants.ADMIN],
        parent_group=[SystemGroup.TOOLS]
    )    
    TOOL_DEBUG = Permission(
        group=Group.SYSTEM_RES_TOOL, operate=Operate.DEBUG, role_list=[RoleConstants.ADMIN],
        parent_group []
    )

This revised code ensures consistency across permissions, clearly defined user roles, and categorization of features based on functionality.
