feat: team permission refine (#4494) (#4498)

* feat: team permission refine (#4402)

* chore: team permission extend

* feat: manage team permission

* chore: api auth

* fix: i18n

* feat: add initv493

* fix: test, org auth manager

* test: app test for refined permission

* update init sh

* fix: add/remove manage permission (#4427)

* fix: add/remove manage permission

* fix: github action fastgpt-test

* fix: mock create model

* fix: team write permission

* fix: ts

* account permission

---------

Co-authored-by: Finley Ge <[email protected]>

Author: c121914yu

.github/workflows/fastgpt-test.yaml

@@ -15,6 +15,9 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.ref }}
+          repository: ${{ github.event.pull_request.head.repo.full_name }}
       - uses: pnpm/action-setup@v4
         with:
           version: 10

package.json

@@ -12,21 +12,20 @@
     "previewIcon": "node ./scripts/icon/index.js",
     "api:gen": "tsc ./scripts/openapi/index.ts && node ./scripts/openapi/index.js && npx @redocly/cli build-docs ./scripts/openapi/openapi.json -o ./projects/app/public/openapi/index.html",
     "create:i18n": "node ./scripts/i18n/index.js",
-    "test": "vitest run --exclude 'test/cases/spec'",
-    "test:all": "vitest run",
+    "test": "vitest run",
     "test:workflow": "vitest run workflow"
   },
   "devDependencies": {
     "@chakra-ui/cli": "^2.4.1",
-    "@vitest/coverage-v8": "^3.0.2",
+    "@vitest/coverage-v8": "^3.0.9",
     "husky": "^8.0.3",
     "i18next": "23.16.8",
     "lint-staged": "^13.3.0",
     "next-i18next": "15.4.2",
     "prettier": "3.2.4",
     "react-i18next": "14.1.2",
-    "vitest": "^3.0.2",
-    "vitest-mongodb": "^1.0.1",
+    "vitest": "^3.0.9",
+    "mongodb-memory-server": "^10.1.4",
     "zhlint": "^0.7.4"
   },
   "lint-staged": {

packages/global/support/permission/collaborator.d.ts

@@ -13,12 +13,15 @@ export type CollaboratorItemType = {
   orgId: string;
 }>;
 
-export type UpdateClbPermissionProps = {
+export type UpdateClbPermissionProps<addOnly = false> = {
   members?: string[];
   groups?: string[];
   orgs?: string[];
-  permission: PermissionValueType;
-};
+} & (addOnly extends true
+  ? {}
+  : {
+      permission: PermissionValueType;
+    });
 
 export type DeletePermissionQuery = RequireOnlyOne<{
   tmbId?: string;

packages/global/support/permission/controller.ts

@@ -5,15 +5,16 @@ export type PerConstructPros = {
   per?: PermissionValueType;
   isOwner?: boolean;
   permissionList?: PermissionListType;
+  childUpdatePermissionCallback?: () => void;
 };
 
 // the Permission helper class
 export class Permission {
   value: PermissionValueType;
-  isOwner: boolean;
-  hasManagePer: boolean;
-  hasWritePer: boolean;
-  hasReadPer: boolean;
+  isOwner: boolean = false;
+  hasManagePer: boolean = false;
+  hasWritePer: boolean = false;
+  hasReadPer: boolean = false;
   _permissionList: PermissionListType;
 
   constructor(props?: PerConstructPros) {
@@ -24,11 +25,8 @@ export class Permission {
       this.value = per;
     }
 
-    this.isOwner = isOwner;
     this._permissionList = permissionList;
-    this.hasManagePer = this.checkPer(this._permissionList['manage'].value);
-    this.hasWritePer = this.checkPer(this._permissionList['write'].value);
-    this.hasReadPer = this.checkPer(this._permissionList['read'].value);
+    this.updatePermissions();
   }
 
   // add permission(s)
@@ -68,10 +66,21 @@ export class Permission {
     return (this.value & perm) === perm;
   }
 
+  private updatePermissionCallback?: () => void;
+  setUpdatePermissionCallback(callback: () => void) {
+    callback();
+    this.updatePermissionCallback = callback;
+  }
+
   private updatePermissions() {
     this.isOwner = this.value === OwnerPermissionVal;
     this.hasManagePer = this.checkPer(this._permissionList['manage'].value);
     this.hasWritePer = this.checkPer(this._permissionList['write'].value);
     this.hasReadPer = this.checkPer(this._permissionList['read'].value);
+    this.updatePermissionCallback?.();
+  }
+
+  toBinary() {
+    return this.value.toString(2);
   }
 }

packages/global/support/permission/memberGroup/type.d.ts

@@ -17,23 +17,23 @@ type GroupMemberSchemaType = {
   role: `${GroupMemberRole}`;
 };
 
-type MemberGroupListItemType<T extends boolean | undefined> = MemberGroupSchemaType & {
-  members: T extends true
+type MemberGroupListItemType<WithMembers extends boolean | undefined> = MemberGroupSchemaType & {
+  members: WithMembers extends true
     ? {
         tmbId: string;
         name: string;
         avatar: string;
       }[]
     : undefined;
-  count: T extends true ? number : undefined;
-  owner?: T extends true
+  count: WithMembers extends true ? number : undefined;
+  owner?: WithMembers extends true
     ? {
         tmbId: string;
         name: string;
         avatar: string;
       }
     : undefined;
-  permission: T extends true ? Permission : undefined;
+  permission: WithMembers extends true ? Permission : undefined;
 };
 
 type GroupMemberItemType = {

packages/global/support/permission/user/constant.ts

@@ -1,22 +1,50 @@
 import { PermissionKeyEnum } from '../constant';
 import { PermissionListType } from '../type';
 import { PermissionList } from '../constant';
-export const TeamPermissionList: PermissionListType = {
+import { i18nT } from '../../../../web/i18n/utils';
+export enum TeamPermissionKeyEnum {
+  appCreate = 'appCreate',
+  datasetCreate = 'datasetCreate',
+  apikeyCreate = 'apikeyCreate'
+}
+
+export const TeamPermissionList: PermissionListType<TeamPermissionKeyEnum> = {
   [PermissionKeyEnum.read]: {
     ...PermissionList[PermissionKeyEnum.read],
-    value: 0b100
+    value: 0b000100
   },
   [PermissionKeyEnum.write]: {
     ...PermissionList[PermissionKeyEnum.write],
-    value: 0b010
+    value: 0b000010
   },
   [PermissionKeyEnum.manage]: {
     ...PermissionList[PermissionKeyEnum.manage],
-    value: 0b001
+    value: 0b000001
+  },
+  [TeamPermissionKeyEnum.appCreate]: {
+    checkBoxType: 'multiple',
+    description: '',
+    name: i18nT('account_team:permission_appCreate'),
+    value: 0b001000
+  },
+  [TeamPermissionKeyEnum.datasetCreate]: {
+    checkBoxType: 'multiple',
+    description: '',
+    name: i18nT('account_team:permission_datasetCreate'),
+    value: 0b010000
+  },
+  [TeamPermissionKeyEnum.apikeyCreate]: {
+    checkBoxType: 'multiple',
+    description: '',
+    name: i18nT('account_team:permission_apikeyCreate'),
+    value: 0b100000
   }
 };
 
 export const TeamReadPermissionVal = TeamPermissionList['read'].value;
 export const TeamWritePermissionVal = TeamPermissionList['write'].value;
 export const TeamManagePermissionVal = TeamPermissionList['manage'].value;
+export const TeamAppCreatePermissionVal = TeamPermissionList['appCreate'].value;
+export const TeamDatasetCreatePermissionVal = TeamPermissionList['datasetCreate'].value;
+export const TeamApikeyCreatePermissionVal = TeamPermissionList['apikeyCreate'].value;
 export const TeamDefaultPermissionVal = TeamReadPermissionVal;

packages/global/support/permission/user/controller.ts

@@ -1,7 +1,15 @@
 import { PerConstructPros, Permission } from '../controller';
-import { TeamDefaultPermissionVal, TeamPermissionList } from './constant';
+import {
+  TeamAppCreatePermissionVal,
+  TeamDefaultPermissionVal,
+  TeamPermissionList
+} from './constant';
 
 export class TeamPermission extends Permission {
+  hasAppCreatePer: boolean = false;
+  hasDatasetCreatePer: boolean = false;
+  hasApikeyCreatePer: boolean = false;
+
   constructor(props?: PerConstructPros) {
     if (!props) {
       props = {
@@ -12,5 +20,11 @@ export class TeamPermission extends Permission {
     }
     props.permissionList = TeamPermissionList;
     super(props);
+
+    this.setUpdatePermissionCallback(() => {
+      this.hasAppCreatePer = this.checkPer(TeamAppCreatePermissionVal);
+      this.hasDatasetCreatePer = this.checkPer(TeamAppCreatePermissionVal);
+      this.hasApikeyCreatePer = this.checkPer(TeamAppCreatePermissionVal);
+    });
   }
 }

packages/service/common/mongo/index.ts

@@ -69,7 +69,7 @@ const addCommonMiddleware = (schema: mongoose.Schema) => {
 
 export const getMongoModel = <T>(name: string, schema: mongoose.Schema) => {
   if (connectionMongo.models[name]) return connectionMongo.models[name] as Model<T>;
-  console.log('Load model======', name);
+  if (process.env.NODE_ENV !== 'test') console.log('Load model======', name);
   addCommonMiddleware(schema);
 
   const model = connectionMongo.model<T>(name, schema);

packages/service/support/permission/auth/org.ts

@@ -2,7 +2,7 @@ import { TeamPermission } from '@fastgpt/global/support/permission/user/controll
 import { AuthModeType, AuthResponseType } from '../type';
 import { TeamErrEnum } from '@fastgpt/global/common/error/code/team';
 import { authUserPer } from '../user/auth';
-import { ManagePermissionVal } from '@fastgpt/global/support/permission/constant';
+import { TeamManagePermissionVal } from '@fastgpt/global/support/permission/user/constant';
 
 /*
   Team manager can control org
@@ -15,7 +15,7 @@ export const authOrgMember = async ({
 } & AuthModeType): Promise<AuthResponseType> => {
   const result = await authUserPer({
     ...props,
-    per: ManagePermissionVal
+    per: TeamManagePermissionVal
   });
   const { teamId, tmbId, isRoot, tmb } = result;
 

packages/web/i18n/en/account_team.json

@@ -61,5 +61,13 @@
   "user_team_invite_member": "Invite members",
   "user_team_leave_team": "Leave the team",
   "user_team_leave_team_failed": "Failure to leave the team",
-  "waiting": "To be accepted"
+  "waiting": "To be accepted",
+  "permission_appCreate": "Create Application",
+  "permission_datasetCreate": "Create Knowledge Base",
+  "permission_apikeyCreate": "Create API Key",
+  "permission_appCreate_tip": "Can create applications in the root directory (creation permissions in folders are controlled by the folder)",
+  "permission_datasetCreate_Tip": "Can create knowledge bases in the root directory (creation permissions in folders are controlled by the folder)",
+  "permission_apikeyCreate_Tip": "Can create global APIKeys",
+  "permission_manage": "Admin",
+  "permission_manage_tip": "Can manage members, create groups, manage all groups, and assign permissions to groups and members"
 }