Merge remote-tracking branch 'myori/main' into archive-workflow-backend

2026-05-04 01:18:05 +08:00 · 2026-01-20 22:47:39 +08:00
parent b4d29ad6ee 8f949d503a
commit 8118a2fc38
732 changed files with 60398 additions and 8034 deletions
--- a/api/libs/smtp.py
+++ b/api/libs/smtp.py
@ -3,6 +3,8 @@ import smtplib
 from email.mime.multipart import MIMEMultipart
 from email.mime.text import MIMEText

+from configs import dify_config
+
 logger = logging.getLogger(__name__)


@ -19,20 +21,21 @@ class SMTPClient:
        self.opportunistic_tls = opportunistic_tls

    def send(self, mail: dict):
-        smtp = None
+        smtp: smtplib.SMTP | None = None
+        local_host = dify_config.SMTP_LOCAL_HOSTNAME
        try:
-            if self.use_tls:
-                if self.opportunistic_tls:
-                    smtp = smtplib.SMTP(self.server, self.port, timeout=10)
-                    # Send EHLO command with the HELO domain name as the server address
-                    smtp.ehlo(self.server)
-                    smtp.starttls()
-                    # Resend EHLO command to identify the TLS session
-                    smtp.ehlo(self.server)
-                else:
-                    smtp = smtplib.SMTP_SSL(self.server, self.port, timeout=10)
+            if self.use_tls and not self.opportunistic_tls:
+                # SMTP with SSL (implicit TLS)
+                smtp = smtplib.SMTP_SSL(self.server, self.port, timeout=10, local_hostname=local_host)
            else:
-                smtp = smtplib.SMTP(self.server, self.port, timeout=10)
+                # Plain SMTP or SMTP with STARTTLS (explicit TLS)
+                smtp = smtplib.SMTP(self.server, self.port, timeout=10, local_hostname=local_host)
+
+            assert smtp is not None
+            if self.use_tls and self.opportunistic_tls:
+                smtp.ehlo(self.server)
+                smtp.starttls()
+                smtp.ehlo(self.server)

            # Only authenticate if both username and password are non-empty
            if self.username and self.password and self.username.strip() and self.password.strip():
--- a/api/libs/workspace_permission.py
+++ b/api/libs/workspace_permission.py
@ -0,0 +1,74 @@
+"""
+Workspace permission helper functions.
+
+These helpers check both billing/plan level and workspace-specific policy level permissions.
+Checks are performed at two levels:
+1. Billing/plan level - via FeatureService (e.g., SANDBOX plan restrictions)
+2. Workspace policy level - via EnterpriseService (admin-configured per workspace)
+"""
+
+import logging
+
+from werkzeug.exceptions import Forbidden
+
+from configs import dify_config
+from services.enterprise.enterprise_service import EnterpriseService
+from services.feature_service import FeatureService
+
+logger = logging.getLogger(__name__)
+
+
+def check_workspace_member_invite_permission(workspace_id: str) -> None:
+    """
+    Check if workspace allows member invitations at both billing and policy levels.
+
+    Checks performed:
+    1. Billing/plan level - For future expansion (currently no plan-level restriction)
+    2. Enterprise policy level - Admin-configured workspace permission
+
+    Args:
+        workspace_id: The workspace ID to check permissions for
+
+    Raises:
+        Forbidden: If either billing plan or workspace policy prohibits member invitations
+    """
+    # Check enterprise workspace policy level (only if enterprise enabled)
+    if dify_config.ENTERPRISE_ENABLED:
+        try:
+            permission = EnterpriseService.WorkspacePermissionService.get_permission(workspace_id)
+            if not permission.allow_member_invite:
+                raise Forbidden("Workspace policy prohibits member invitations")
+        except Forbidden:
+            raise
+        except Exception:
+            logger.exception("Failed to check workspace invite permission for %s", workspace_id)
+
+
+def check_workspace_owner_transfer_permission(workspace_id: str) -> None:
+    """
+    Check if workspace allows owner transfer at both billing and policy levels.
+
+    Checks performed:
+    1. Billing/plan level - SANDBOX plan blocks owner transfer
+    2. Enterprise policy level - Admin-configured workspace permission
+
+    Args:
+        workspace_id: The workspace ID to check permissions for
+
+    Raises:
+        Forbidden: If either billing plan or workspace policy prohibits ownership transfer
+    """
+    features = FeatureService.get_features(workspace_id)
+    if not features.is_allow_transfer_workspace:
+        raise Forbidden("Your current plan does not allow workspace ownership transfer")
+
+    # Check enterprise workspace policy level (only if enterprise enabled)
+    if dify_config.ENTERPRISE_ENABLED:
+        try:
+            permission = EnterpriseService.WorkspacePermissionService.get_permission(workspace_id)
+            if not permission.allow_owner_transfer:
+                raise Forbidden("Workspace policy prohibits ownership transfer")
+        except Forbidden:
+            raise
+        except Exception:
+            logger.exception("Failed to check workspace transfer permission for %s", workspace_id)