From c0135f5f21f2407a2140499a638c5bc93243d328 Mon Sep 17 00:00:00 2001
From: Archer <545436317@qq.com>
Date: Wed, 11 Dec 2024 20:56:52 +0800
Subject: [PATCH] fix: permission (#3374)
* fix: permission
* feat: create dataset per
---
 projects/app/src/pages/api/core/app/create.ts | 12 ++--
 projects/app/src/pages/api/core/app/list.ts | 54 +++++++++++------
 .../app/src/pages/api/core/dataset/create.ts | 26 +++++++--
 .../app/src/pages/api/core/dataset/list.ts | 58 +++++++++++--------
 4 files changed, 95 insertions(+), 55 deletions(-)
diff --git a/projects/app/src/pages/api/core/app/create.ts b/projects/app/src/pages/api/core/app/create.ts
index 463baa2f2339..6122b58c9292 100644
--- a/projects/app/src/pages/api/core/app/create.ts
+++ b/projects/app/src/pages/api/core/app/create.ts
@@ -35,12 +35,12 @@ async function handler(req: ApiRequestProps) {
 }
 // 凭证校验
- const { teamId, tmbId } = await authUserPer({ req, authToken: true, per: WritePermissionVal });
- if (parentId) {
- // if it is not a root app
- // check the parent folder permission
- await authApp({ req, appId: parentId, per: WritePermissionVal, authToken: true });
- }
+ const [{ teamId, tmbId }] = await Promise.all([
+ authUserPer({ req, authToken: true, per: WritePermissionVal }),
+ ...(parentId
+ ? [authApp({ req, appId: parentId, per: WritePermissionVal, authToken: true })]
+ : [])
+ ]);
 // 上限校验
 await checkTeamAppLimit(teamId);
diff --git a/projects/app/src/pages/api/core/app/list.ts b/projects/app/src/pages/api/core/app/list.ts
index 8fea85e53d4d..34c36dd65409 100644
--- a/projects/app/src/pages/api/core/app/list.ts
+++ b/projects/app/src/pages/api/core/app/list.ts
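Review bot: The parent-folder write check in `create.ts` is now an unlabelled conditional spread inside `Promise.all`, and the two English comments that explained it were removed together with the old `if (parentId)` block. As far as this hunk shows, that element is what keeps a caller from creating an app under a folder they cannot write to, so it deserves a comment on the spread, e.g. `// parentId set: caller must also hold write permission on the parent folder`. Running both checks concurrently still fails closed, because `Promise.all` rejects as soon as either check rejects, but which error the caller sees now depends on which check rejects first. The handler body starts and ends outside this hunk.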
@@ -25,6 +25,16 @@ export type ListAppBody = { searchKey?: string; }; +/* + 获取 APP 列表权限 + 1. 校验 folder 权限和获取 team 权限(owner 单独处理) + 2. 获取 team 下所有 app 权限。获取我的所有组。并计算出我所有的app权限。 + 3. 过滤我有的权限的 app,以及当前 parentId 的 app(由于权限继承问题,这里没法一次性根据 id 去获取) + 4. 根据过滤条件获取 app 列表 + 5. 遍历搜索出来的 app,并赋予权限(继承的 app,使用 parent 的权限) + 6. 再根据 read 权限进行一次过滤。 +*/ + async function handler(req: ApiRequestProps): Promise { const { parentId, type, getRecentlyChat, searchKey } = req.body; @@ -75,6 +85,24 @@ async function handler(req: ApiRequestProps): Promise { + if (getRecentlyChat) { + return { + // get all chat app + teamId, + type: { $in: [AppTypeEnum.workflow, AppTypeEnum.simple, AppTypeEnum.plugin] } + }; + } + + // Filter apps by permission, if not owner, only get apps that I have permission to access + const idList = { _id: { $in: myPerList.map((item) => item.resourceId) } }; + const appPerQuery = teamPer.isOwner + ? {} + : parentId + ? { + $or: [idList, parseParentIdInMongo(parentId)] + } + : idList; + const searchMatch = searchKey ? { $or: [ @@ -83,31 +111,17 @@ async function handler(req: ApiRequestProps): Promise item.resourceId) } }; - - if (getRecentlyChat) { - return { - // get all chat app - ...appIdQuery, - teamId, - type: { $in: [AppTypeEnum.workflow, AppTypeEnum.simple, AppTypeEnum.plugin] }, - ...searchMatch - }; - } if (searchKey) { return { - ...appIdQuery, + ...appPerQuery, teamId, ...searchMatch }; } return { - ...appIdQuery, + ...appPerQuery, teamId, ...(type && (Array.isArray(type) ? { type: { $in: type } } : { type })), ...parseParentIdInMongo(parentId) @@ -144,7 +158,9 @@ async function handler(req: ApiRequestProps): Promise String(item.resourceId) === appId).length; + const clbCount = perList.filter( + (item) => String(item.resourceId) === String(app._id) + ).length; return { Per: new AppPermission({ 
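Review bot: The `getRecentlyChat` branch of `findAppsQuery` now returns before `appPerQuery` is built, so that query is scoped only by `teamId` and `type`; the removed version also spread `...appIdQuery` and `...searchMatch` into it. Read access on this path therefore rests entirely on the later in-memory read-permission filter (step 6 of the new header comment), which is not visible in this hunk. If that is deliberate so that inherited apps are not missed, say so in the branch, e.g. `// no permission filter in the query: every team app is loaded and filtered by read permission below`, and confirm that the later filter also runs for this path.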
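Review bot: In the `if (searchKey)` return, `...appPerQuery` and `...searchMatch` can both carry a top-level `$or` key, and with object spread the later one wins. For a non-owner request that sends both `parentId` and `searchKey`, the permission clause `$or: [idList, parseParentIdInMongo(parentId)]` is silently replaced by the search `$or`, so the query matches every team app whose fields match the search term; whether any of those reach the caller then depends on the later read-permission filter alone. Combining the two explicitly keeps both conditions, e.g. `return { teamId, $and: [appPerQuery, searchMatch] };`. The same pattern appears with `datasetPerQuery` in the `if (searchKey)` return of `dataset/list.ts`.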
@@ -156,8 +172,8 @@ async function handler(req: ApiRequestProps): Promise) { ); const findDatasetQuery = (() => { + // Filter apps by permission, if not owner, only get apps that I have permission to access + const idList = { _id: { $in: myPerList.map((item) => item.resourceId) } }; + const datasetPerQuery = teamPer.isOwner + ? {} + : parentId + ? { + $or: [idList, parseParentIdInMongo(parentId)] + } + : idList; + const searchMatch = searchKey ? { $or: [ @@ -82,21 +92,17 @@ async function handler(req: ApiRequestProps) { ] } : {}; - // Filter apps by permission, if not owner, only get apps that I have permission to access - const appIdQuery = teamPer.isOwner - ? {} - : { _id: { $in: myPerList.map((item) => item.resourceId) } }; if (searchKey) { return { - ...appIdQuery, + ...datasetPerQuery, teamId, ...searchMatch }; } return { - ...appIdQuery, + ...datasetPerQuery, teamId, ...(type ? (Array.isArray(type) ? { type: { $in: type } } : { type }) : {}), ...parseParentIdInMongo(parentId) @@ -122,7 +128,9 @@ async function handler(req: ApiRequestProps) { .map((item) => item.permission) ); - const clbCount = perList.filter((item) => String(item.resourceId) === datasetId).length; + const clbCount = perList.filter( + (item) => String(item.resourceId) === String(dataset._id) + ).length; return { Per: new DatasetPermission({ @@ -133,8 +141,12 @@ async function handler(req: ApiRequestProps) { }; }; // inherit - if (dataset.inheritPermission && parentId && dataset.type !== DatasetTypeEnum.folder) { - return getPer(String(parentId)); + if ( + dataset.inheritPermission && + dataset.parentId && + dataset.type !== DatasetTypeEnum.folder + ) { + return getPer(String(dataset.parentId)); } else { return getPer(String(dataset._id)); } 
@@ -148,21 +160,19 @@ async function handler(req: ApiRequestProps) {
 })
 .filter((app) => app.permission.hasReadPer);
- const data = await Promise.all(
- formatDatasets.map((item) => ({
- _id: item._id,
- avatar: item.avatar,
- name: item.name,
- intro: item.intro,
- type: item.type,
- permission: item.permission,
- vectorModel: getVectorModel(item.vectorModel),
- inheritPermission: item.inheritPermission,
- tmbId: item.tmbId,
- updateTime: item.updateTime,
- private: item.privateDataset
- }))
- );
+ const data = formatDatasets.map((item) => ({
+ _id: item._id,
+ avatar: item.avatar,
+ name: item.name,
+ intro: item.intro,
+ type: item.type,
+ permission: item.permission,
+ vectorModel: getVectorModel(item.vectorModel),
+ inheritPermission: item.inheritPermission,
+ tmbId: item.tmbId,
+ updateTime: item.updateTime,
+ private: item.privateDataset
+ }));
 return data;
 }