youngkingdom/dify
1
0
Fork 0
mirror of https://github.com/langgenius/dify.git synced 2026-03-27 09:09:54 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
7e9d00a5a6006d25d6e5276a31560784e0c07a9c
dify/api/core/app/file_access/protocols.py
-LAN- 56593f20b0 refactor(api): continue decoupling dify_graph from API concerns (#33580) 
Signed-off-by: -LAN- <laipz8200@outlook.com>
Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
Co-authored-by: WH-2099 <wh2099@pm.me>
2026-03-25 20:32:24 +08:00

82 lines
2.4 KiB
Python
Raw Blame History

from __future__ import annotations
from typing import Protocol
from sqlalchemy.orm import Session
from sqlalchemy.sql import Select
from models import ToolFile, UploadFile
from .scope import FileAccessScope
class FileAccessControllerProtocol(Protocol):
"""Contract for applying access rules to file lookups.
Implementations translate an optional execution scope into query constraints
and authorized record retrieval. The contract is intentionally limited to
ownership and tenancy rules for workflow-layer file access.
"""
def current_scope(self) -> FileAccessScope | None:
"""Return the scope active for the current execution, if one exists.
Callers use this to decide whether embedded file metadata may be trusted
or whether a fresh authorized lookup is required.
"""
...
def apply_upload_file_filters(
self,
stmt: Select[tuple[UploadFile]],
*,
scope: FileAccessScope | None = None,
) -> Select[tuple[UploadFile]]:
"""Return an upload-file query constrained by the supplied access scope.
The returned statement must preserve the caller's existing predicates and
append only access-control conditions.
"""
...
def apply_tool_file_filters(
self,
stmt: Select[tuple[ToolFile]],
*,
scope: FileAccessScope | None = None,
) -> Select[tuple[ToolFile]]:
"""Return a tool-file query constrained by the supplied access scope.
The returned statement must preserve the caller's existing predicates and
append only access-control conditions.
"""
...
def get_upload_file(
self,
*,
session: Session,
file_id: str,
scope: FileAccessScope | None = None,
) -> UploadFile | None:
"""Load one authorized upload-file record for the given identifier.
Returns ``None`` when the file does not exist or when the scope does not
permit access to that record.
"""
...
def get_tool_file(
self,
*,
session: Session,
file_id: str,
scope: FileAccessScope | None = None,
) -> ToolFile | None:
"""Load one authorized tool-file record for the given identifier.
Returns ``None`` when the file does not exist or when the scope does not
permit access to that record.
"""
...
Reference in New Issue View Git Blame Copy Permalink