Files
dify/api/controllers/openapi/auth/data.py
GareArc 8ce4477408 refactor(api): consolidate workspace role check into prepare/verify split
Fetch the caller's tenant role once in a new load_workspace_role prepare
step (stashed on AuthData.tenant_role) instead of querying TenantAccountJoin
twice — once for membership, once for role. check_workspace_role becomes a
pure assertion over the stashed role; non-members get 404 (no cross-tenant
ID leak), out-of-set roles 403.

Other cleanups:
- All prepare steps are now skip-if-already-loaded for safe re-entry.
- Move the app.enable_api policy check out of load_app into a dedicated
  check_app_api_enabled verify step (data-load vs policy-assert separation).
- Validate workspace_id is a UUID in load_tenant_from_request (malformed
  id -> 404, not 500).
- Collapse guard/guard_workspace duplication into a shared _make_decorator.
- Delete the now-unused role_gate.require_workspace_role decorator and its
  tests; enforcement lives entirely in the auth pipeline.
2026-06-02 01:57:18 -07:00

76 lines
2.2 KiB
Python

from __future__ import annotations
import uuid
from enum import StrEnum
from typing import Literal
from pydantic import BaseModel, ConfigDict, Field
from werkzeug.exceptions import InternalServerError
from configs import dify_config
from libs.oauth_bearer import Scope, TokenType
from models.account import Account, Tenant, TenantAccountRole
from models.model import App, EndUser
from services.enterprise.enterprise_service import WebAppAccessMode
class Edition(StrEnum):
CE = "ce"
EE = "ee"
SAAS = "saas"
def current_edition() -> Edition:
if dify_config.EDITION == "CLOUD":
return Edition.SAAS
if dify_config.ENTERPRISE_ENABLED:
return Edition.EE
return Edition.CE
class ExternalIdentity(BaseModel):
model_config = ConfigDict(frozen=True)
email: str
issuer: str | None = None
class RequestContext(BaseModel):
model_config = ConfigDict(frozen=True)
token_type: TokenType
scope: Scope | None = None
path_params: dict[str, str]
workspace_membership: bool = False
allowed_roles: frozenset[TenantAccountRole] | None = None
class AuthData(BaseModel):
model_config = ConfigDict(arbitrary_types_allowed=True)
required_scope: Scope | None = None
token_type: TokenType
account_id: uuid.UUID | None = None
token_hash: str
token_id: uuid.UUID | None = None
scopes: frozenset[Scope]
tenants: dict[str, bool] = Field(default_factory=dict)
external_identity: ExternalIdentity | None = None
path_params: dict[str, str] = Field(default_factory=dict)
allowed_roles: frozenset[TenantAccountRole] | None = None
app: App | None = None
tenant: Tenant | None = None
app_access_mode: WebAppAccessMode | None = None
tenant_role: TenantAccountRole | None = None
caller: Account | EndUser | None = None
caller_kind: Literal["account", "end_user"] | None = None
def require_app_context(self) -> tuple[App, Account | EndUser, Literal["account", "end_user"]]:
if self.app is None or self.caller is None or self.caller_kind is None:
raise InternalServerError("pipeline_invariant_violated: app context missing")
return self.app, self.caller, self.caller_kind