fix: The permissions issue of the editor role accessing some backend … (

#6945) Co-authored-by: liuzhenghua-jk <liuzhenghua-jk@360shuke.com>
langgenius · Aug 5, 2024 · ef616c6 · ef616c6
1 parent 2288efb
commit ef616c6
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 31 deletions.
diff --git a/api/controllers/console/app/annotation.py b/api/controllers/console/app/annotation.py
@@ -23,8 +23,7 @@ class AnnotationReplyActionApi(Resource):
     @account_initialization_required
     @cloud_edition_billing_resource_check('annotation')
     def post(self, app_id, action):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         app_id = str(app_id)
@@ -47,8 +46,7 @@ class AppAnnotationSettingDetailApi(Resource):
     @login_required
     @account_initialization_required
     def get(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         app_id = str(app_id)
@@ -61,8 +59,7 @@ class AppAnnotationSettingUpdateApi(Resource):
     @login_required
     @account_initialization_required
     def post(self, app_id, annotation_setting_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         app_id = str(app_id)
@@ -82,8 +79,7 @@ class AnnotationReplyActionStatusApi(Resource):
     @account_initialization_required
     @cloud_edition_billing_resource_check('annotation')
     def get(self, app_id, job_id, action):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         job_id = str(job_id)
@@ -110,8 +106,7 @@ class AnnotationListApi(Resource):
     @login_required
     @account_initialization_required
     def get(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         page = request.args.get('page', default=1, type=int)
@@ -135,8 +130,7 @@ class AnnotationExportApi(Resource):
     @login_required
     @account_initialization_required
     def get(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         app_id = str(app_id)
@@ -154,8 +148,7 @@ class AnnotationCreateApi(Resource):
     @cloud_edition_billing_resource_check('annotation')
     @marshal_with(annotation_fields)
     def post(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         app_id = str(app_id)
@@ -174,8 +167,7 @@ class AnnotationUpdateDeleteApi(Resource):
     @cloud_edition_billing_resource_check('annotation')
     @marshal_with(annotation_fields)
     def post(self, app_id, annotation_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         app_id = str(app_id)
@@ -191,8 +183,7 @@ def post(self, app_id, annotation_id):
     @login_required
     @account_initialization_required
     def delete(self, app_id, annotation_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         app_id = str(app_id)
@@ -207,8 +198,7 @@ class AnnotationBatchImportApi(Resource):
     @account_initialization_required
     @cloud_edition_billing_resource_check('annotation')
     def post(self, app_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         app_id = str(app_id)
@@ -232,8 +222,7 @@ class AnnotationBatchImportStatusApi(Resource):
     @account_initialization_required
     @cloud_edition_billing_resource_check('annotation')
     def get(self, app_id, job_id):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         job_id = str(job_id)
@@ -259,8 +248,7 @@ class AnnotationHitHistoryListApi(Resource):
     @login_required
     @account_initialization_required
     def get(self, app_id, annotation_id):
-        # The role of the current user in the table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         page = request.args.get('page', default=1, type=int)

diff --git a/api/controllers/console/app/conversation.py b/api/controllers/console/app/conversation.py
@@ -143,7 +143,7 @@ class ChatConversationApi(Resource):
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
     @marshal_with(conversation_with_summary_pagination_fields)
     def get(self, app_model):
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
         parser = reqparse.RequestParser()
         parser.add_argument('keyword', type=str, location='args')
@@ -245,7 +245,7 @@ class ChatConversationDetailApi(Resource):
     @get_app_model(mode=[AppMode.CHAT, AppMode.AGENT_CHAT, AppMode.ADVANCED_CHAT])
     @marshal_with(conversation_detail_fields)
     def get(self, app_model, conversation_id):
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
         conversation_id = str(conversation_id)
 

diff --git a/api/controllers/console/app/message.py b/api/controllers/console/app/message.py
@@ -149,8 +149,7 @@ class MessageAnnotationApi(Resource):
     @get_app_model
     @marshal_with(annotation_fields)
     def post(self, app_model):
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
 
         parser = reqparse.RequestParser()

diff --git a/api/controllers/console/datasets/datasets_segments.py b/api/controllers/console/datasets/datasets_segments.py
@@ -223,8 +223,7 @@ def post(self, dataset_id, document_id):
         document = DocumentService.get_document(dataset_id, document_id)
         if not document:
             raise NotFound('Document not found.')
-        # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
         # check embedding model setting
         if dataset.indexing_technique == 'high_quality':
@@ -347,7 +346,7 @@ def delete(self, dataset_id, document_id, segment_id):
         if not segment:
             raise NotFound('Segment not found.')
         # The role of the current user in the ta table must be admin or owner
-        if not current_user.is_admin_or_owner:
+        if not current_user.is_editor:
             raise Forbidden()
         try:
             DatasetService.check_dataset_permission(dataset, current_user)