fix: adjust permission check logic to avoid sso_verified apps

2026-04-20 02:37:20 +08:00 · 2025-05-29 12:48:38 +08:00
parent 20ca9c6a3e
commit dc79ec52ea
5 changed files with 59 additions and 26 deletions
--- a/api/controllers/web/app.py
+++ b/api/controllers/web/app.py
@ -1,15 +1,16 @@
-from flask import request
-from flask_restful import Resource, marshal_with, reqparse
-
 from controllers.common import fields
 from controllers.web import api
 from controllers.web.error import AppUnavailableError
 from controllers.web.wraps import WebApiResource
-from core.app.app_config.common.parameters_mapping import get_parameters_from_feature_dict
+from core.app.app_config.common.parameters_mapping import \
+    get_parameters_from_feature_dict
+from flask import request
+from flask_restful import Resource, marshal_with, reqparse
 from libs.passport import PassportService
 from models.model import App, AppMode
 from services.app_service import AppService
 from services.enterprise.enterprise_service import EnterpriseService
+from services.webapp_auth_service import WebAppAuthService


 class AppParameterApi(WebApiResource):
@ -90,7 +91,9 @@ class AppWebAuthPermission(Resource):
        app_id = args["appId"]
        app_code = AppService.get_app_code_by_id(app_id)

-        res = EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(str(user_id), app_code)
+        res = True
+        if WebAppAuthService.is_app_require_permission_check(app_id=app_id):
+            res = EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(str(user_id), app_code)
        return {"result": res}


--- a/api/controllers/web/login.py
+++ b/api/controllers/web/login.py
@ -1,12 +1,11 @@
+from flask_restful import Resource, reqparse
+from jwt import InvalidTokenError  # type: ignore
+
 import services
-from controllers.console.auth.error import (EmailCodeError,
-                                            EmailOrPasswordMismatchError,
-                                            InvalidEmailError)
+from controllers.console.auth.error import EmailCodeError, EmailOrPasswordMismatchError, InvalidEmailError
 from controllers.console.error import AccountBannedError, AccountNotFound
 from controllers.console.wraps import only_edition_enterprise, setup_required
 from controllers.web import api
-from flask_restful import Resource, reqparse
-from jwt import InvalidTokenError  # type: ignore
 from libs.helper import email
 from libs.password import valid_password
 from services.account_service import AccountService
--- a/api/controllers/web/passport.py
+++ b/api/controllers/web/passport.py
@ -21,13 +21,13 @@ class PassportResource(Resource):
        system_features = FeatureService.get_system_features()
        app_code = request.headers.get("X-App-Code")
        user_id = request.args.get("user_id")
-        enterprise_login_token = request.args.get("enterprise_login_token")
+        web_app_access_token = request.args.get("web_app_access_token")

        if app_code is None:
            raise Unauthorized("X-App-Code header is missing.")

        # exchange token for enterprise logined web user
-        enterprise_user_decoded = decode_enterprise_webapp_user_id(enterprise_login_token)
+        enterprise_user_decoded = decode_enterprise_webapp_user_id(web_app_access_token)
        if enterprise_user_decoded:
            # a web user has already logged in, exchange a token for this app without redirecting to the login page
            return exchange_token_for_existing_web_user(
@ -122,7 +122,9 @@ def exchange_token_for_existing_web_user(app_code: str, enterprise_user_decoded:
    app_model = db.session.query(App).filter(App.id == site.app_id).first()
    if not app_model or app_model.status != "normal" or not app_model.enable_site:
        raise NotFound()
-    end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()
+    end_user = None
+    if end_user_id:
+        end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()
    if not end_user:
        end_user = EndUser(
            tenant_id=app_model.tenant_id,
--- a/api/controllers/web/wraps.py
+++ b/api/controllers/web/wraps.py
@ -1,15 +1,17 @@
 from functools import wraps

+from controllers.web.error import (WebAppAuthAccessDeniedError,
+                                   WebAppAuthRequiredError)
+from extensions.ext_database import db
 from flask import request
 from flask_restful import Resource
-from werkzeug.exceptions import BadRequest, NotFound, Unauthorized
-
-from controllers.web.error import WebAppAuthAccessDeniedError, WebAppAuthRequiredError
-from extensions.ext_database import db
 from libs.passport import PassportService
 from models.model import App, EndUser, Site
-from services.enterprise.enterprise_service import EnterpriseService, WebAppSettings
+from services.enterprise.enterprise_service import (EnterpriseService,
+                                                    WebAppSettings)
 from services.feature_service import FeatureService
+from services.webapp_auth_service import WebAppAuthService
+from werkzeug.exceptions import BadRequest, NotFound, Unauthorized


 def validate_jwt_token(view=None):
@ -45,7 +47,8 @@ def decode_jwt_token():
            raise Unauthorized("Invalid Authorization header format. Expected 'Bearer <api-key>' format.")
        decoded = PassportService().verify(tk)
        app_code = decoded.get("app_code")
-        app_model = db.session.query(App).filter(App.id == decoded["app_id"]).first()
+        app_id = decoded.get("app_id")
+        app_model = db.session.query(App).filter(App.id == app_id).first()
        site = db.session.query(Site).filter(Site.code == app_code).first()
        if not app_model:
            raise NotFound()
@ -53,7 +56,8 @@ def decode_jwt_token():
            raise BadRequest("Site URL is no longer valid.")
        if app_model.enable_site is False:
            raise BadRequest("Site is disabled.")
-        end_user = db.session.query(EndUser).filter(EndUser.id == decoded["end_user_id"]).first()
+        end_user_id = decoded.get("end_user_id")
+        end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()
        if not end_user:
            raise NotFound()

@ -115,9 +119,7 @@ def _validate_user_accessibility(
        if not webapp_settings:
            raise WebAppAuthRequiredError("Web app settings not found.")

-        access_modes_require_permission_check = ["private", "private_all"]
-
-        if webapp_settings.access_mode in access_modes_require_permission_check:
+        if WebAppAuthService.is_app_require_permission_check(access_mode=webapp_settings.access_mode):
            if not EnterpriseService.WebAppAuth.is_user_allowed_to_access_webapp(user_id, app_code=app_code):
                raise WebAppAuthAccessDeniedError()