feat(access): add SUPER_ADMIN platform role support #304
## Summary
- Add UPLOADED status for PRIVATE skills after security scan passes
- PRIVATE skill owners can test before confirming publish or submitting for review
- Rerelease now follows visibility rules (PRIVATE→UPLOADED, PUBLIC→PENDING_REVIEW)
- Auto-withdraw changes status to UPLOADED (not DRAFT) to keep versions visible

## Changes
- SkillVersionStatus: Add UPLOADED enum value
- SkillPublishService: PRIVATE skills go to UPLOADED after scan
- SecurityScanService: Visibility-based status transition after scan
- SkillGovernanceService: Withdraw→UPLOADED, delete allows UPLOADED
- SkillQueryService: Include UPLOADED in version list filters
- SkillReviewSubmitService: New service for submit-review and confirm-publish
- SkillLifecycleController: Add submit-review and confirm-publish endpoints
- Frontend: Add buttons, dialogs, and hooks for new operations

## Workflow
- PRIVATE: Publish → SCANNING → UPLOADED → confirm-publish → PUBLISHED
- PUBLIC: Publish → SCANNING → PENDING_REVIEW → PUBLISHED
Support both DRAFT (legacy) and UPLOADED (new flow) status in:
- SkillReviewSubmitService.submitForReview
- SkillReviewSubmitService.confirmPublish
- ReviewService.submitReview (both overloads)

This ensures existing data with DRAFT status continues to work with the new visibility-based workflow introduced in OSS-02.
…status-semantic # Conflicts: # README.md # README_zh.md
- Add platformRoles parameter to VisibilityChecker.canAccess() for platform-level access control
- SUPER_ADMIN can access all skills regardless of visibility or publication status
- Add archived namespace check to SkillQueryService.getSkillDetail()
- Extract platformRoles from AuthContext in SkillController
- Replace VisibilityChecker mock with real instance in SkillQueryServiceTest
- Add 5 new tests for SUPER_ADMIN access scenarios
- Add version-status-badge.tsx component for frontend status display

Tests: 347 domain tests + 16 app tests passing
dongmucat
left a comment
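- High risk:
SUPER_ADMIN permission is only wired through skill detail and not through the rest of the main read paths, which is inconsistent with the goal of this PR. Currently only getSkillDetail() passes platformRoles and goes through the new check, while listVersions, getVersionDetail, listFiles, resolveVersion and the download path still follow the old permission logic based only on userId/userNsRoles.
Relevant locations:
server/skillhub-app/src/main/java/com/iflytek/skillhub/controller/portal/SkillController.java
server/skillhub-domain/src/main/java/com/iflytek/skillhub/domain/skill/service/SkillQueryService.java
server/skillhub-domain/src/main/java/com/iflytek/skillhub/domain/skill/service/SkillDownloadService.java
This leaves the super admin in a half-effective state where "the detail page is viewable, but the version list / file preview / resolve / download are still restricted", which is a feature-level inconsistency. I suggest passing platformRoles on through all read/download paths and adding the corresponding tests.
- Medium risk:
getSkillDetail() lets SUPER_ADMIN through, but the lifecycle projection is still computed by owner / namespace admin, so the data returned by the detail page is semantically inconsistent.
Relevant locations:
server/skillhub-domain/src/main/java/com/iflytek/skillhub/domain/skill/service/SkillQueryService.java
server/skillhub-domain/src/main/java/com/iflytek/skillhub/domain/skill/service/SkillLifecycleProjectionService.java
Currently canManageLifecycle() already returns true for SUPER_ADMIN, but headlineVersion / ownerPreviewVersion / resolutionMode are still computed with the ordinary viewer logic, so on an unpublished skill there is a mismatch of "has management permission but cannot see the corresponding preview version". I suggest making the lifecycle projection recognize SUPER_ADMIN as well; otherwise the frontend display and the permission flags will contradict each other.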
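A consistency check of the kind the review asks for, as an added example that is not part of the review comment or of the SkillHub code base. Only SUPER_ADMIN, platformRoles and the read operation names come from the thread; the class, the records, the "download" key and the simplified owner/public access rule are assumptions.

```java
import java.util.*;
import java.util.function.BiPredicate;

// Added illustration: every type and the simplified access rule are assumptions, not SkillHub code.
public class ReadPathConsistencyCheck {
    enum Visibility { PUBLIC, PRIVATE }
    record Skill(String ownerId, Visibility visibility, boolean published) {}
    record Viewer(String userId, Set<String> platformRoles) {}

    // Old rule: owner, or published PUBLIC skill. It never looks at platformRoles.
    static boolean legacyCanAccess(Skill s, Viewer v) {
        return s.ownerId().equals(v.userId()) || (s.published() && s.visibility() == Visibility.PUBLIC);
    }

    // New rule: the platform role is evaluated before the old rule.
    static boolean canAccess(Skill s, Viewer v) {
        return v.platformRoles().contains("SUPER_ADMIN") || legacyCanAccess(s, v);
    }

    // Lists every (operation, viewer) pair whose decision differs from getSkillDetail.
    static List<String> drift(Map<String, BiPredicate<Skill, Viewer>> ops, Skill s, List<Viewer> viewers) {
        BiPredicate<Skill, Viewer> reference = ops.get("getSkillDetail");
        List<String> out = new ArrayList<>();
        ops.forEach((name, check) -> {
            for (Viewer v : viewers) {
                if (check.test(s, v) != reference.test(s, v)) out.add(name + " differs for " + v.userId());
            }
        });
        return out;
    }

    public static void main(String[] args) {
        Skill skill = new Skill("alice", Visibility.PRIVATE, false); // constructed: unpublished PRIVATE skill
        List<Viewer> viewers = List.of(new Viewer("alice", Set.of()), new Viewer("bob", Set.of()),
                new Viewer("root", Set.of("SUPER_ADMIN")));
        List<String> otherReads = List.of("listVersions", "getVersionDetail", "listFiles", "resolveVersion", "download");

        // State the review describes: only getSkillDetail uses the new rule.
        Map<String, BiPredicate<Skill, Viewer>> halfApplied = new LinkedHashMap<>();
        halfApplied.put("getSkillDetail", ReadPathConsistencyCheck::canAccess);
        otherReads.forEach(op -> halfApplied.put(op, ReadPathConsistencyCheck::legacyCanAccess));
        System.out.println("half-applied: " + drift(halfApplied, skill, viewers));

        // After platformRoles is passed through every read and download path.
        Map<String, BiPredicate<Skill, Viewer>> unified = new LinkedHashMap<>();
        halfApplied.keySet().forEach(op -> unified.put(op, ReadPathConsistencyCheck::canAccess));
        System.out.println("unified: " + drift(unified, skill, viewers));
    }
}
```

In a real test suite the map values would call the actual service methods with the same viewer, so a read path added later without the platform-role check fails the comparison.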
…d SCAN_FAILED The error message for unsupported version deletion still referenced only DRAFT/REJECTED. Updated both EN and ZH messages to reflect the actual deletable statuses: DRAFT, UPLOADED, REJECTED, SCAN_FAILED. Also updated OSS-02 design doc to mark all blocking items as completed.
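Change description
This adjustment rolls back, on the portal side, the already-introduced
Changes in this update
Design trade-off
Does not continue to
Verification
Passed:
Notes: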
…isibility feat(access): add SUPER_ADMIN platform role support
Summary
Add SUPER_ADMIN platform role support for unrestricted skill access across all visibility levels and publication states.
Changes
Backend:
platformRoles parameter to VisibilityChecker.canAccess() for platform-level access control
SkillQueryService.getSkillDetail()
Tests:
Frontend:
version-status-badge.tsx component for skill version status display
Test Results
Related
Part of OSS-02 core semantic rules implementation.