
feat: add per-credential access scope for builtin tool providers (#34…#35162

Open
smartcoder0777 wants to merge 2 commits into langgenius:main from smartcoder0777:feat/tool-credential-access-scope-34925

smartcoder0777 commented Apr 14, 2026

Fixes: #34925

Summary

Implements per-credential access control for built-in plugin tool credentials in console and runtime.

  • Adds credential visibility/usage scopes: workspace, private, and restricted (selected members).
  • Enforces access at both listing and execution time: users only see/use credentials allowed by scope; runtime blocks unauthorized credential usage.
  • Extends console API payloads and frontend auth UI to set/update scope and restricted member list.
  • Persists scope and restricted-member mappings with new DB schema/migration and service-layer sync/validation.
  • Updates unit tests for backend services/controllers to cover new access-control behavior.

Checklist

  • This change requires a documentation update, included: Dify Document
  • I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
  • I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
  • I've updated the documentation accordingly.
  • I ran make lint && make type-check (backend) and cd web && pnpm exec vp staged (frontend) to appease the lint gods
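
The listing-time and execution-time enforcement described in the summary, as an added Python example that is not code from this PR or from Dify. The model, the function names and the rule that the creator can always use their own private or restricted credential are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum

class Scope(str, Enum):
    WORKSPACE = "workspace"    # any member of the workspace
    PRIVATE = "private"        # assumed: creator only
    RESTRICTED = "restricted"  # assumed: creator plus selected members

@dataclass(frozen=True)
class Credential:  # hypothetical model, not Dify's schema
    id: str
    workspace_id: str
    owner_id: str
    scope: Scope
    allowed_member_ids: frozenset = frozenset()

class CredentialAccessDenied(Exception):
    pass

def can_use(cred, workspace_id, user_id):
    """Single policy function shared by listing and execution; deny by default."""
    if cred.workspace_id != workspace_id:
        return False
    if cred.scope is Scope.WORKSPACE or user_id == cred.owner_id:
        return True
    if cred.scope is Scope.RESTRICTED:
        return user_id in cred.allowed_member_ids
    return False

def list_visible(creds, workspace_id, user_id):
    """Listing-time filter: return only the ids this user may see."""
    return [c.id for c in creds if can_use(c, workspace_id, user_id)]

def resolve_for_execution(creds, cred_id, workspace_id, user_id):
    """Execution-time check: re-authorize even if the id was never listed to the caller."""
    for c in creds:
        if c.id == cred_id and can_use(c, workspace_id, user_id):
            return c
    # Same error for "unknown id" and "not allowed", so ids cannot be probed.
    raise CredentialAccessDenied(cred_id)

# Constructed sample data: one credential per scope, all created by "alice".
CREDS = [
    Credential("c-ws", "t1", "alice", Scope.WORKSPACE),
    Credential("c-priv", "t1", "alice", Scope.PRIVATE),
    Credential("c-res", "t1", "alice", Scope.RESTRICTED, frozenset({"bob"})),
]
```

Routing both paths through one policy function keeps the list filter and the runtime check from drifting apart; a caller who submits a credential id directly still hits the same rule at execution time.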

smartcoder0777 requested a review from a team April 14, 2026 08:16
dosubot bot added the size:L label (This PR changes 100-499 lines, ignoring generated files.) Apr 14, 2026
github-actions bot added the web label (This relates to changes on the web.) Apr 14, 2026
…credential-access-scope-34925

# Conflicts:
#	api/services/tools/tools_transform_service.py

Development

Successfully merging this pull request may close these issues.

Feature Request: Per-user access control for plugin credentials (OAuth tokens, API keys, and all authorization methods)