mirror of
https://github.com/langgenius/dify.git
synced 2026-07-15 17:37:38 +08:00
Fetch the caller's tenant role once in a new load_workspace_role prepare step (stashed on AuthData.tenant_role) instead of querying TenantAccountJoin twice — once for membership, once for role. check_workspace_role becomes a pure assertion over the stashed role; non-members get 404 (no cross-tenant ID leak), out-of-set roles 403. Other cleanups: - All prepare steps are now skip-if-already-loaded for safe re-entry. - Move the app.enable_api policy check out of load_app into a dedicated check_app_api_enabled verify step (data-load vs policy-assert separation). - Validate workspace_id is a UUID in load_tenant_from_request (malformed id -> 404, not 500). - Collapse guard/guard_workspace duplication into a shared _make_decorator. - Delete the now-unused role_gate.require_workspace_role decorator and its tests; enforcement lives entirely in the auth pipeline.
76 lines
2.2 KiB
Python
76 lines
2.2 KiB
Python
from __future__ import annotations
|
|
|
|
import uuid
|
|
from enum import StrEnum
|
|
from typing import Literal
|
|
|
|
from pydantic import BaseModel, ConfigDict, Field
|
|
from werkzeug.exceptions import InternalServerError
|
|
|
|
from configs import dify_config
|
|
from libs.oauth_bearer import Scope, TokenType
|
|
from models.account import Account, Tenant, TenantAccountRole
|
|
from models.model import App, EndUser
|
|
from services.enterprise.enterprise_service import WebAppAccessMode
|
|
|
|
|
|
class Edition(StrEnum):
|
|
CE = "ce"
|
|
EE = "ee"
|
|
SAAS = "saas"
|
|
|
|
|
|
def current_edition() -> Edition:
|
|
if dify_config.EDITION == "CLOUD":
|
|
return Edition.SAAS
|
|
if dify_config.ENTERPRISE_ENABLED:
|
|
return Edition.EE
|
|
return Edition.CE
|
|
|
|
|
|
class ExternalIdentity(BaseModel):
|
|
model_config = ConfigDict(frozen=True)
|
|
|
|
email: str
|
|
issuer: str | None = None
|
|
|
|
|
|
class RequestContext(BaseModel):
|
|
model_config = ConfigDict(frozen=True)
|
|
|
|
token_type: TokenType
|
|
scope: Scope | None = None
|
|
path_params: dict[str, str]
|
|
workspace_membership: bool = False
|
|
allowed_roles: frozenset[TenantAccountRole] | None = None
|
|
|
|
|
|
class AuthData(BaseModel):
|
|
model_config = ConfigDict(arbitrary_types_allowed=True)
|
|
|
|
required_scope: Scope | None = None
|
|
token_type: TokenType
|
|
account_id: uuid.UUID | None = None
|
|
token_hash: str
|
|
token_id: uuid.UUID | None = None
|
|
scopes: frozenset[Scope]
|
|
tenants: dict[str, bool] = Field(default_factory=dict)
|
|
external_identity: ExternalIdentity | None = None
|
|
path_params: dict[str, str] = Field(default_factory=dict)
|
|
|
|
allowed_roles: frozenset[TenantAccountRole] | None = None
|
|
|
|
app: App | None = None
|
|
tenant: Tenant | None = None
|
|
app_access_mode: WebAppAccessMode | None = None
|
|
|
|
tenant_role: TenantAccountRole | None = None
|
|
|
|
caller: Account | EndUser | None = None
|
|
caller_kind: Literal["account", "end_user"] | None = None
|
|
|
|
def require_app_context(self) -> tuple[App, Account | EndUser, Literal["account", "end_user"]]:
|
|
if self.app is None or self.caller is None or self.caller_kind is None:
|
|
raise InternalServerError("pipeline_invariant_violated: app context missing")
|
|
return self.app, self.caller, self.caller_kind
|