fix: 获取助手和技能详情时校验下是否有操作权限

dataelement · Jun 18, 2024 · 6e5b36b · 6e5b36b
1 parent f7cbcdd
commit 6e5b36b
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 11 deletions.
diff --git a/src/backend/bisheng/api/services/assistant.py b/src/backend/bisheng/api/services/assistant.py
@@ -71,10 +71,14 @@ def return_simple_assistant_info(cls, one: Assistant) -> AssistantSimpleInfo:
         return AssistantSimpleInfo(**simple_dict)
 
     @classmethod
-    def get_assistant_info(cls, assistant_id: UUID, user_id: str):
+    def get_assistant_info(cls, assistant_id: UUID, login_user: UserPayload):
         assistant = AssistantDao.get_one_assistant(assistant_id)
         if not assistant:
             return AssistantNotExistsError.return_resp()
+        # 检查是否有权限获取信息
+        if not login_user.access_check(assistant.user_id, assistant.id.hex, AccessType.ASSISTANT_READ):
+            return UnAuthorizedError.return_resp()
+
         tool_list = []
         flow_list = []
         knowledge_list = []

diff --git a/src/backend/bisheng/api/v1/assistant.py b/src/backend/bisheng/api/v1/assistant.py
@@ -6,6 +6,7 @@
 import yaml
 from bisheng_langchain.gpts.tools.api_tools.openapi import OpenApiTools
 
+from bisheng.api.JWT import get_login_user
 from bisheng.api.services.assistant import AssistantService
 from bisheng.api.services.openapi import OpenApiSchema
 from bisheng.api.services.user_service import UserPayload
@@ -42,10 +43,9 @@ def get_assistant(*,
 
 # 获取某个助手的详细信息
 @router.get('/info/{assistant_id}', response_model=UnifiedResponseModel[AssistantInfo])
-def get_assistant_info(*, assistant_id: UUID, Authorize: AuthJWT = Depends()):
-    Authorize.jwt_required()
-    current_user = json.loads(Authorize.get_jwt_subject())
-    return AssistantService.get_assistant_info(assistant_id, current_user.get('user_id'))
+def get_assistant_info(*, assistant_id: UUID, login_user: UserPayload = Depends(get_login_user)):
+    """获取助手信息"""
+    return AssistantService.get_assistant_info(assistant_id, login_user)
 
 
 @router.post('/delete', response_model=UnifiedResponseModel)

diff --git a/src/backend/bisheng/api/v1/flows.py b/src/backend/bisheng/api/v1/flows.py
@@ -161,13 +161,15 @@ def read_flows(*,
 
 
 @router.get('/{flow_id}', response_model=UnifiedResponseModel[FlowReadWithStyle], status_code=200)
-def read_flow(*, flow_id: UUID):
+def read_flow(*, flow_id: UUID, login_user: UserPayload = Depends(get_login_user)):
     """Read a flow."""
-    with session_getter() as session:
-        if flow := session.get(Flow, flow_id):
-            return resp_200(flow)
-
-    raise HTTPException(status_code=404, detail='Flow not found')
+    db_flow = FlowDao.get_flow_by_id(flow_id.hex)
+    if not db_flow:
+        raise HTTPException(status_code=404, detail='Flow not found')
+    # 判断授权
+    if not login_user.access_check(db_flow.user_id, flow_id.hex, AccessType.FLOW):
+        return HTTPException(status_code=500, detail='No right access this flow')
+    return resp_200(db_flow)
 
 
 @router.patch('/{flow_id}', response_model=UnifiedResponseModel[FlowRead], status_code=200)