From 9b153b1c556f87ab1748c7c145faa1f690c7f0b7 Mon Sep 17 00:00:00 2001 From: shaohuzhang1 Date: Tue, 23 Sep 2025 14:52:38 +0800 Subject: [PATCH] fix: Application log permission error --- .../views/application_version_views.py | 15 ++++++- apps/application/views/chat_views.py | 40 ++++++++++++------- 2 files changed, 39 insertions(+), 16 deletions(-) diff --git a/apps/application/views/application_version_views.py b/apps/application/views/application_version_views.py index de900936268..1cd42a643a0 100644 --- a/apps/application/views/application_version_views.py +++ b/apps/application/views/application_version_views.py @@ -48,7 +48,11 @@ class Page(APIView): ApplicationVersionApi.Query.get_request_params_api()), responses=result.get_page_api_response(ApplicationVersionApi.get_response_body_api()), tags=[_('Application/Version')]) - @has_permissions(PermissionConstants.APPLICATION_READ, compare=CompareConstants.AND) + @has_permissions(PermissionConstants.APPLICATION_READ, + ViewPermission([RoleConstants.ADMIN, RoleConstants.USER], + [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, + dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND), compare=CompareConstants.AND) def get(self, request: Request, application_id: str, current_page: int, page_size: int): return result.success( ApplicationVersionSerializer.Query( 
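Review bot: The role-plus-application check on `Page.get` is written out inline, and the same `ViewPermission(..., compare=CompareConstants.AND)` expression recurs in the `Operate` hunk of this file and in most hunks of chat_views.py, so the access decision depends on every call site remembering the `compare` argument. That the commit has to add it by hand at each decorator suggests the default combination is not AND (the `ViewPermission` definition is outside the diff, so this is inferred). A decorator that omits it would then presumably admit any ADMIN/USER account regardless of which application it is allowed to use. Consider a single module-level helper that takes the role list and returns the `ViewPermission` with `compare=CompareConstants.AND` fixed. A regression test should also assert that a USER without `Operate.USE` on `application_id` is refused by each of these views.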
@@ -65,7 +69,14 @@ class Operate(APIView): manual_parameters=ApplicationVersionApi.Operate.get_request_params_api(), responses=result.get_api_response(ApplicationVersionApi.get_response_body_api()), tags=[_('Application/Version')]) - @has_permissions(PermissionConstants.APPLICATION_READ, compare=CompareConstants.AND) + @has_permissions(PermissionConstants.APPLICATION_READ, ViewPermission([RoleConstants.ADMIN, RoleConstants.USER], + [lambda r, keywords: Permission( + group=Group.APPLICATION, + operate=Operate.USE, + dynamic_tag=keywords.get( + 'application_id'))], + compare=CompareConstants.AND), + compare=CompareConstants.AND) def get(self, request: Request, application_id: str, work_flow_version_id: str): return result.success( ApplicationVersionSerializer.Operate( diff --git a/apps/application/views/chat_views.py b/apps/application/views/chat_views.py index b0f42c020b9..30d54fa65a4 100644 --- a/apps/application/views/chat_views.py +++ b/apps/application/views/chat_views.py @@ -59,7 +59,8 @@ class Export(APIView): @has_permissions( ViewPermission([RoleConstants.ADMIN, RoleConstants.USER, RoleConstants.APPLICATION_KEY], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, - dynamic_tag=keywords.get('application_id'))]) + dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND) ) @log(menu='Conversation Log', operate="Export conversation", get_operation_object=lambda r, k: get_application_operation_object(k.get('application_id'))) @@ -164,7 +165,9 @@ def post(self, request: Request, chat_id: str): @has_permissions( ViewPermission([RoleConstants.ADMIN, RoleConstants.USER, RoleConstants.APPLICATION_KEY], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, - dynamic_tag=keywords.get('application_id'))]) + dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND + ) ) def get(self, request: Request, application_id: str): return result.success(ChatSerializers.Query( 
@@ -182,8 +185,7 @@ class Operate(APIView): [RoleConstants.ADMIN, RoleConstants.USER], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.MANAGE, dynamic_tag=keywords.get('application_id'))], - compare=CompareConstants.AND), - compare=CompareConstants.AND) + compare=CompareConstants.AND)) @log(menu='Conversation Log', operate="Delete a conversation", get_operation_object=lambda r, k: get_application_operation_object(k.get('application_id'))) def delete(self, request: Request, application_id: str, chat_id: str): @@ -206,7 +208,8 @@ class ClientChatHistoryPage(APIView): @has_permissions( ViewPermission([RoleConstants.APPLICATION_ACCESS_TOKEN], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, - dynamic_tag=keywords.get('application_id'))]) + dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND) ) def get(self, request: Request, application_id: str, current_page: int, page_size: int): return result.success(ChatSerializers.ClientChatHistory( @@ -267,7 +270,8 @@ class Page(APIView): @has_permissions( ViewPermission([RoleConstants.ADMIN, RoleConstants.USER, RoleConstants.APPLICATION_KEY], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, - dynamic_tag=keywords.get('application_id'))]) + dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND) ) def get(self, request: Request, application_id: str, current_page: int, page_size: int): return result.success(ChatSerializers.Query( 
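Review bot: Dropping the outer `compare=CompareConstants.AND` from `@has_permissions` on `Operate.delete` (hunk -182) leaves the decorator on its default combination, while the application_version_views.py hunks in this same commit keep the outer argument. With the single `ViewPermission` passed here the outcome is probably unchanged, but the default of `has_permissions` is not visible in this diff. If a second permission is later added to this decorator, the combination would silently follow that default. For a destructive endpoint I would keep the explicit form, `compare=CompareConstants.AND), compare=CompareConstants.AND)`.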
@@ -292,7 +296,8 @@ class Operate(APIView): ViewPermission([RoleConstants.ADMIN, RoleConstants.USER, RoleConstants.APPLICATION_KEY, RoleConstants.APPLICATION_ACCESS_TOKEN], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, - dynamic_tag=keywords.get('application_id'))]) + dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND) ) def get(self, request: Request, application_id: str, chat_id: str, chat_record_id: str): return result.success(ChatRecordSerializer.Operate( @@ -310,7 +315,8 @@ def get(self, request: Request, application_id: str, chat_id: str, chat_record_i @has_permissions( ViewPermission([RoleConstants.ADMIN, RoleConstants.USER, RoleConstants.APPLICATION_KEY], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, - dynamic_tag=keywords.get('application_id'))]) + dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND) ) def get(self, request: Request, application_id: str, chat_id: str): return result.success(ChatRecordSerializer.Query( @@ -329,9 +335,11 @@ class Page(APIView): tags=[_("Application/Conversation Log")] ) @has_permissions( - ViewPermission([RoleConstants.ADMIN, RoleConstants.USER, RoleConstants.APPLICATION_KEY], + ViewPermission([RoleConstants.ADMIN, RoleConstants.USER, RoleConstants.APPLICATION_KEY, + RoleConstants.APPLICATION_ACCESS_TOKEN], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, - dynamic_tag=keywords.get('application_id'))]) + dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND) ) def get(self, request: Request, application_id: str, chat_id: str, current_page: int, page_size: int): return result.success(ChatRecordSerializer.Query( 
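Review bot: `RoleConstants.APPLICATION_ACCESS_TOKEN` is newly admitted to the chat-record `Page.get` (hunk -329) in the same change that tightens the check, and the permission lambda binds only `application_id`, not `chat_id`. Whether an access-token caller can page through records of a conversation started by a different client of the same application depends on `ChatRecordSerializer.Query`, whose arguments lie outside the hunk. Please confirm that the query is scoped to the caller's own conversations, or add an ownership check on `chat_id` before it runs. Since the commit title describes a permission fix, the widened role list deserves its own mention in the description, along with a test that one client's token cannot read another client's records.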
@@ -354,7 +362,8 @@ class Vote(APIView): ViewPermission([RoleConstants.ADMIN, RoleConstants.USER, RoleConstants.APPLICATION_KEY, RoleConstants.APPLICATION_ACCESS_TOKEN], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, - dynamic_tag=keywords.get('application_id'))]) + dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND) ) @log(menu='Conversation Log', operate="Like, Dislike", get_operation_object=lambda r, k: get_application_operation_object(k.get('application_id'))) @@ -377,7 +386,7 @@ class ChatRecordImprove(APIView): ViewPermission([RoleConstants.ADMIN, RoleConstants.USER], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, dynamic_tag=keywords.get('application_id'))] - )) + , compare=CompareConstants.AND)) def get(self, request: Request, application_id: str, chat_id: str, chat_record_id: str): return result.success(ChatRecordSerializer.ChatRecordImprove( data={'chat_id': chat_id, 'chat_record_id': chat_record_id}).get()) @@ -397,7 +406,7 @@ class Improve(APIView): ViewPermission([RoleConstants.ADMIN, RoleConstants.USER], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, dynamic_tag=keywords.get('application_id'))], - + compare=CompareConstants.AND ), ViewPermission([RoleConstants.ADMIN, RoleConstants.USER], [lambda r, keywords: Permission(group=Group.DATASET, operate=Operate.MANAGE, @@ -424,6 +433,7 @@ def put(self, request: Request, application_id: str, chat_id: str, chat_record_i ViewPermission([RoleConstants.ADMIN, RoleConstants.USER], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND ), ViewPermission([RoleConstants.ADMIN, RoleConstants.USER], [lambda r, keywords: Permission(group=Group.DATASET, 
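Review bot: In the `Improve` decorator (hunk -397) only the first `ViewPermission`, the `Group.APPLICATION` one, gains `compare=CompareConstants.AND`. The second one, for `Group.DATASET` with `Operate.MANAGE`, and the closing arguments of `has_permissions` continue past the end of the hunk, so it is not visible whether they are also conjunctive. If either falls back to a non-AND default, an ADMIN/USER account could presumably write improved paragraphs into a dataset it does not manage. The hunks at -424 and -451 have the same shape; please verify that all three decorators end in `compare=CompareConstants.AND), compare=CompareConstants.AND)` or an equivalent.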
@@ -451,6 +461,7 @@ class Operate(APIView): ViewPermission([RoleConstants.ADMIN, RoleConstants.USER], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, dynamic_tag=keywords.get('application_id'))], + compare=CompareConstants.AND ), ViewPermission([RoleConstants.ADMIN, RoleConstants.USER], [lambda r, keywords: Permission(group=Group.DATASET, @@ -499,7 +510,8 @@ class UploadFile(APIView): ViewPermission([RoleConstants.ADMIN, RoleConstants.USER, RoleConstants.APPLICATION_KEY, RoleConstants.APPLICATION_ACCESS_TOKEN], [lambda r, keywords: Permission(group=Group.APPLICATION, operate=Operate.USE, - dynamic_tag=keywords.get('application_id'))]) + dynamic_tag=keywords.get('application_id'))] + , compare=CompareConstants.AND) ) def post(self, request: Request, application_id: str, chat_id: str): files = request.FILES.getlist('file')