feat: org permission for app

labring · Dec 26, 2024 · 7f7d93e · 7f7d93e
1 parent 1f7ddaa
commit 7f7d93e
Show file tree

Hide file tree

Showing 11 changed files with 299 additions and 119 deletions.
diff --git a/packages/global/core/app/collaborator.d.ts b/packages/global/core/app/collaborator.d.ts
@@ -1,6 +1,6 @@
-import { RequireOnlyOne } from '../../common/type/utils';
+import type { RequireOnlyOne } from '../../common/type/utils';
 import {
-  UpdateClbPermissionProps,
+  type UpdateClbPermissionProps,
   UpdatePermissionBody
 } from '../../support/permission/collaborator';
 import { PermissionValueType } from '../../support/permission/type';
@@ -14,4 +14,5 @@ export type AppCollaboratorDeleteParams = {
 } & RequireOnlyOne<{
   tmbId: string;
   groupId: string;
+  orgId: string;
 }>;
diff --git a/packages/global/support/permission/collaborator.d.ts b/packages/global/support/permission/collaborator.d.ts
@@ -10,22 +10,26 @@ export type CollaboratorItemType = {
 } & RequireOnlyOne<{
   tmbId: string;
   groupId: string;
+  orgId: string;
 }>;
 
 export type UpdateClbPermissionProps = {
   members?: string[];
   groups?: string[];
+  orgs?: string[];
   permission: PermissionValueType;
 };
 
 export type DeleteClbPermissionProps = RequireOnlyOne<{
   tmbId: string;
   groupId: string;
+  orgId: string;
 }>;
 
 export type UpdatePermissionBody = {
   permission: PermissionValueType;
 } & RequireOnlyOne<{
   memberId: string;
   groupId: string;
+  orgId: string;
 }>;
diff --git a/packages/global/support/permission/type.d.ts b/packages/global/support/permission/type.d.ts
@@ -1,7 +1,7 @@
-import { RequireOnlyOne } from '../../common/type/utils';
-import { TeamMemberWithUserSchema } from '../user/team/type';
-import { AuthUserTypeEnum, PermissionKeyEnum, PerResourceTypeEnum } from './constant';
-import { MemberGroupSchemaType } from './memberGroup/type';
+import type { RequireOnlyOne } from '../../common/type/utils';
+import type { TeamMemberWithUserSchema } from '../user/team/type';
+import { AuthUserTypeEnum, type PermissionKeyEnum, type PerResourceTypeEnum } from './constant';
+import type { MemberGroupSchemaType } from './memberGroup/type';
 
 // PermissionValueType, the type of permission's value is a number, which is a bit field actually.
 // It is spired by the permission system in Linux.
@@ -28,6 +28,7 @@ export type ResourcePermissionType = {
 } & RequireOnlyOne<{
   tmbId: string;
   groupId: string;
+  orgId: string;
 }>;
 
 export type ResourcePerWithTmbWithUser = Omit<ResourcePermissionType, 'tmbId'> & {
@@ -38,6 +39,10 @@ export type ResourcePerWithGroup = Omit<ResourcePermissionType, 'groupId'> & {
   groupId: MemberGroupSchemaType;
 };
 
+export type ResourcePerWithOrg = Omit<ResourcePermissionType, 'orgId'> & {
+  orgId: OrgSchemaType;
+};
+
 export type PermissionSchemaType = {
   defaultPermission: PermissionValueType;
   inheritPermission: boolean;

diff --git a/packages/service/support/permission/controller.ts b/packages/service/support/permission/controller.ts
@@ -1,26 +1,30 @@
-import Cookie from 'cookie';
+import { CommonErrEnum } from '@fastgpt/global/common/error/code/common';
 import { ERROR_ENUM } from '@fastgpt/global/common/error/errorCode';
-import jwt from 'jsonwebtoken';
-import { NextApiResponse } from 'next';
-import type { AuthModeType, ReqHeaderAuthType } from './type.d';
-import { AuthUserTypeEnum, PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
-import { authOpenApiKey } from '../openapi/auth';
-import { FileTokenQuery } from '@fastgpt/global/common/file/type';
-import { MongoResourcePermission } from './schema';
-import { ClientSession } from 'mongoose';
+import { bucketNameMap } from '@fastgpt/global/common/file/constants';
+import type { FileTokenQuery } from '@fastgpt/global/common/file/type';
+import type { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
+import { RequireOnlyOne } from '@fastgpt/global/common/type/utils';
 import {
+  AuthUserTypeEnum,
+  type PerResourceTypeEnum
+} from '@fastgpt/global/support/permission/constant';
+import { Permission } from '@fastgpt/global/support/permission/controller';
+import type {
   PermissionValueType,
-  ResourcePermissionType,
   ResourcePerWithGroup,
-  ResourcePerWithTmbWithUser
+  ResourcePerWithOrg,
+  ResourcePerWithTmbWithUser,
+  ResourcePermissionType
 } from '@fastgpt/global/support/permission/type';
-import { bucketNameMap } from '@fastgpt/global/common/file/constants';
+import Cookie from 'cookie';
 import { addMinutes } from 'date-fns';
+import jwt from 'jsonwebtoken';
+import type { ClientSession } from 'mongoose';
+import type { NextApiResponse } from 'next';
+import { authOpenApiKey } from '../openapi/auth';
 import { getGroupsByTmbId } from './memberGroup/controllers';
-import { Permission } from '@fastgpt/global/support/permission/controller';
-import { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
-import { RequireOnlyOne } from '@fastgpt/global/common/type/utils';
-import { CommonErrEnum } from '@fastgpt/global/common/error/code/common';
+import { MongoResourcePermission } from './schema';
+import type { AuthModeType, ReqHeaderAuthType } from './type.d';
 
 /** get resource permission for a team member
  * If there is no permission for the team member, it will return undefined
@@ -185,7 +189,15 @@ export const getClbsAndGroupsWithInfo = async ({
     }).populate({
       path: 'groupId',
       select: 'name avatar'
-    })) as ResourcePerWithGroup[]
+    })) as ResourcePerWithGroup[],
+    (await MongoResourcePermission.find({
+      teamId,
+      resourceId,
+      resourceType,
+      orgId: {
+        $exists: true
+      }
+    }).populate({ path: 'orgId', select: 'name avatar' })) as ResourcePerWithOrg[]
   ]);
 
 export const delResourcePermissionById = (id: string) => {
@@ -195,6 +207,7 @@ export const delResourcePermission = ({
   session,
   tmbId,
   groupId,
+  orgId,
   ...props
 }: {
   resourceType: PerResourceTypeEnum;
@@ -203,15 +216,18 @@ export const delResourcePermission = ({
   session?: ClientSession;
   tmbId?: string;
   groupId?: string;
+  orgId?: string;
 }) => {
-  // tmbId or groupId only one and not both
-  if (!!tmbId === !!groupId) {
+  // tmbId, groupId, orgId 三选一
+  if (!tmbId && !groupId && !orgId) {
     return Promise.reject(CommonErrEnum.missingParams);
   }
+
   return MongoResourcePermission.deleteOne(
     {
       ...(tmbId ? { tmbId } : {}),
       ...(groupId ? { groupId } : {}),
+      ...(orgId ? { orgId } : {}),
       ...props
     },
     { session }
@@ -249,7 +265,7 @@ export function authJWT(token: string) {
   }>((resolve, reject) => {
     const key = process.env.TOKEN_KEY as string;
 
-    jwt.verify(token, key, function (err, decoded: any) {
+    jwt.verify(token, key, (err, decoded: any) => {
       if (err || !decoded?.userId) {
         reject(ERROR_ENUM.unAuthorization);
         return;
@@ -435,7 +451,7 @@ export const authFileToken = (token?: string) =>
     }
     const key = (process.env.FILE_TOKEN_KEY as string) ?? 'filetoken';
 
-    jwt.verify(token, key, function (err, decoded: any) {
+    jwt.verify(token, key, (err, decoded: any) => {
       if (err || !decoded.bucketName || !decoded?.teamId || !decoded?.fileId) {
         reject(ERROR_ENUM.unAuthFile);
         return;

diff --git a/packages/service/support/permission/inheritPermission.ts b/packages/service/support/permission/inheritPermission.ts
@@ -1,11 +1,11 @@
 import { mongoSessionRun } from '../../common/mongo/sessionRun';
 import { MongoResourcePermission } from './schema';
-import { ClientSession, Model } from 'mongoose';
-import { PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
-import { PermissionValueType } from '@fastgpt/global/support/permission/type';
+import type { ClientSession, Model } from 'mongoose';
+import type { PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
+import type { PermissionValueType } from '@fastgpt/global/support/permission/type';
 import { getResourceClbsAndGroups } from './controller';
-import { RequireOnlyOne } from '@fastgpt/global/common/type/utils';
-import { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
+import type { RequireOnlyOne } from '@fastgpt/global/common/type/utils';
+import type { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
 
 export type SyncChildrenPermissionResourceType = {
   _id: string;
@@ -18,6 +18,7 @@ export type UpdateCollaboratorItem = {
 } & RequireOnlyOne<{
   tmbId: string;
   groupId: string;
+  orgId: string;
 }>;
 
 // sync the permission to all children folders.
@@ -161,7 +162,7 @@ export async function resumeInheritPermission({
   }
 }
 
-/* 
+/*
   Delete all the collaborators and then insert the new collaborators.
 */
 export async function syncCollaborators({