mirror of
https://github.com/langgenius/dify.git
synced 2026-03-26 00:38:03 +08:00
9ef6b90843
Signed-off-by: majiayu000 <1835304752@qq.com> Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Signed-off-by: -LAN- <laipz8200@outlook.com> Signed-off-by: yihong0618 <zouzou0208@gmail.com> Co-authored-by: QuantumGhost <obelisk.reg+git@gmail.com> Co-authored-by: 盐粒 Yanli <yanli@dify.ai> Co-authored-by: wangxiaolei <fatelei@gmail.com> Co-authored-by: Stephen Zhou <38493346+hyoban@users.noreply.github.com> Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com> Co-authored-by: Cursx <33718736+Cursx@users.noreply.github.com> Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com> Co-authored-by: lif <1835304752@qq.com> Co-authored-by: 非法操作 <hjlarry@163.com> Co-authored-by: Asuka Minato <i@asukaminato.eu.org> Co-authored-by: fenglin <790872612@qq.com> Co-authored-by: qiaofenglin <qiaofenglin@baidu.com> Co-authored-by: -LAN- <laipz8200@outlook.com> Co-authored-by: TomoOkuyama <49631611+TomoOkuyama@users.noreply.github.com> Co-authored-by: Tomo Okuyama <tomo.okuyama@intersystems.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: zyssyz123 <916125788@qq.com> Co-authored-by: hj24 <mambahj24@gmail.com> Co-authored-by: Coding On Star <447357187@qq.com> Co-authored-by: CodingOnStar <hanxujiang@dify.ai> Co-authored-by: yyh <92089059+lyzno1@users.noreply.github.com> Co-authored-by: Xiangxuan Qu <fghpdf@outlook.com> Co-authored-by: fghpdf <fghpdf@users.noreply.github.com> Co-authored-by: coopercoder <whitetiger0127@163.com> Co-authored-by: zhaiguangpeng <zhaiguangpeng@didiglobal.com> Co-authored-by: Junyan Qin (Chin) <rockchinq@gmail.com> Co-authored-by: E.G <146701565+GlobalStar117@users.noreply.github.com> Co-authored-by: GlobalStar117 <GlobalStar117@users.noreply.github.com> Co-authored-by: Claude Haiku 4.5 <noreply@anthropic.com> Co-authored-by: CodingOnStar <hanxujiang@dify.com> Co-authored-by: crazywoola <100913391+crazywoola@users.noreply.github.com> Co-authored-by: heyszt <270985384@qq.com> Co-authored-by: NeatGuyCoding <15627489+NeatGuyCoding@users.noreply.github.com> Co-authored-by: Yeuoly <45712896+Yeuoly@users.noreply.github.com> Co-authored-by: zxhlyh <jasonapring2015@outlook.com> Co-authored-by: moonpanda <chuanzegao@163.com> Co-authored-by: warlocgao <warlocgao@tencent.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: KVOJJJin <jzongcode@gmail.com> Co-authored-by: eux <euxx@users.noreply.github.com> Co-authored-by: bangjiehan <bangjiehan@gmail.com> Co-authored-by: FFXN <31929997+FFXN@users.noreply.github.com> Co-authored-by: Jyong <76649700+JohnJyong@users.noreply.github.com> Co-authored-by: Nie Ronghua <nieronghua@sf-express.com> Co-authored-by: JQSevenMiao <141806521+JQSevenMiao@users.noreply.github.com> Co-authored-by: jiasiqi <jiasiqi3@tal.com> Co-authored-by: Seokrin Taron Sung <sungsjade@gmail.com> Co-authored-by: CrabSAMA <40541269+CrabSAMA@users.noreply.github.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Co-authored-by: yihong <zouzou0208@gmail.com> Co-authored-by: Joel <iamjoel007@gmail.com> Co-authored-by: Wu Tianwei <30284043+WTW0313@users.noreply.github.com> Co-authored-by: yessenia <yessenia.contact@gmail.com> Co-authored-by: Jax <anobaka@qq.com> Co-authored-by: niveshdandyan <155956228+niveshdandyan@users.noreply.github.com> Co-authored-by: OSS Contributor <oss-contributor@example.com> Co-authored-by: niveshdandyan <niveshdandyan@users.noreply.github.com> Co-authored-by: Sean Kenneth Doherty <Smaster7772@gmail.com>
390 lines
15 KiB
Python
390 lines
15 KiB
Python
from urllib import parse
|
|
|
|
from flask import abort, request
|
|
from flask_restx import Resource
|
|
from pydantic import BaseModel, Field, TypeAdapter
|
|
|
|
import services
|
|
from configs import dify_config
|
|
from controllers.common.schema import register_enum_models, register_schema_models
|
|
from controllers.console import console_ns
|
|
from controllers.console.auth.error import (
|
|
CannotTransferOwnerToSelfError,
|
|
EmailCodeError,
|
|
InvalidEmailError,
|
|
InvalidTokenError,
|
|
MemberNotInTenantError,
|
|
NotOwnerError,
|
|
OwnerTransferLimitError,
|
|
)
|
|
from controllers.console.error import EmailSendIpLimitError, WorkspaceMembersLimitExceeded
|
|
from controllers.console.wraps import (
|
|
account_initialization_required,
|
|
cloud_edition_billing_resource_check,
|
|
is_allow_transfer_owner,
|
|
setup_required,
|
|
)
|
|
from extensions.ext_database import db
|
|
from fields.member_fields import AccountWithRole, AccountWithRoleList
|
|
from libs.helper import extract_remote_ip
|
|
from libs.login import current_account_with_tenant, login_required
|
|
from models.account import Account, TenantAccountRole
|
|
from services.account_service import AccountService, RegisterService, TenantService
|
|
from services.errors.account import AccountAlreadyInTenantError
|
|
from services.feature_service import FeatureService
|
|
|
|
DEFAULT_REF_TEMPLATE_SWAGGER_2_0 = "#/definitions/{model}"
|
|
|
|
|
|
class MemberInvitePayload(BaseModel):
|
|
emails: list[str] = Field(default_factory=list)
|
|
role: TenantAccountRole
|
|
language: str | None = None
|
|
|
|
|
|
class MemberRoleUpdatePayload(BaseModel):
|
|
role: str
|
|
|
|
|
|
class OwnerTransferEmailPayload(BaseModel):
|
|
language: str | None = None
|
|
|
|
|
|
class OwnerTransferCheckPayload(BaseModel):
|
|
code: str
|
|
token: str
|
|
|
|
|
|
class OwnerTransferPayload(BaseModel):
|
|
token: str
|
|
|
|
|
|
def reg(cls: type[BaseModel]):
|
|
console_ns.schema_model(cls.__name__, cls.model_json_schema(ref_template=DEFAULT_REF_TEMPLATE_SWAGGER_2_0))
|
|
|
|
|
|
reg(MemberInvitePayload)
|
|
reg(MemberRoleUpdatePayload)
|
|
reg(OwnerTransferEmailPayload)
|
|
reg(OwnerTransferCheckPayload)
|
|
reg(OwnerTransferPayload)
|
|
register_enum_models(console_ns, TenantAccountRole)
|
|
register_schema_models(console_ns, AccountWithRole, AccountWithRoleList)
|
|
|
|
|
|
@console_ns.route("/workspaces/current/members")
|
|
class MemberListApi(Resource):
|
|
"""List all members of current tenant."""
|
|
|
|
@setup_required
|
|
@login_required
|
|
@account_initialization_required
|
|
@console_ns.response(200, "Success", console_ns.models[AccountWithRoleList.__name__])
|
|
def get(self):
|
|
current_user, _ = current_account_with_tenant()
|
|
if not current_user.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
members = TenantService.get_tenant_members(current_user.current_tenant)
|
|
member_models = TypeAdapter(list[AccountWithRole]).validate_python(members, from_attributes=True)
|
|
response = AccountWithRoleList(accounts=member_models)
|
|
return response.model_dump(mode="json"), 200
|
|
|
|
|
|
@console_ns.route("/workspaces/current/members/invite-email")
|
|
class MemberInviteEmailApi(Resource):
|
|
"""Invite a new member by email."""
|
|
|
|
@console_ns.expect(console_ns.models[MemberInvitePayload.__name__])
|
|
@setup_required
|
|
@login_required
|
|
@account_initialization_required
|
|
@cloud_edition_billing_resource_check("members")
|
|
def post(self):
|
|
payload = console_ns.payload or {}
|
|
args = MemberInvitePayload.model_validate(payload)
|
|
|
|
invitee_emails = args.emails
|
|
invitee_role = args.role
|
|
interface_language = args.language
|
|
if not TenantAccountRole.is_non_owner_role(invitee_role):
|
|
return {"code": "invalid-role", "message": "Invalid role"}, 400
|
|
current_user, _ = current_account_with_tenant()
|
|
inviter = current_user
|
|
if not inviter.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
|
|
# Check workspace permission for member invitations
|
|
from libs.workspace_permission import check_workspace_member_invite_permission
|
|
|
|
check_workspace_member_invite_permission(inviter.current_tenant.id)
|
|
|
|
invitation_results = []
|
|
console_web_url = dify_config.CONSOLE_WEB_URL
|
|
|
|
workspace_members = FeatureService.get_features(tenant_id=inviter.current_tenant.id).workspace_members
|
|
|
|
if not workspace_members.is_available(len(invitee_emails)):
|
|
raise WorkspaceMembersLimitExceeded()
|
|
|
|
for invitee_email in invitee_emails:
|
|
normalized_invitee_email = invitee_email.lower()
|
|
try:
|
|
if not inviter.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
token = RegisterService.invite_new_member(
|
|
tenant=inviter.current_tenant,
|
|
email=invitee_email,
|
|
language=interface_language,
|
|
role=invitee_role,
|
|
inviter=inviter,
|
|
)
|
|
encoded_invitee_email = parse.quote(normalized_invitee_email)
|
|
invitation_results.append(
|
|
{
|
|
"status": "success",
|
|
"email": normalized_invitee_email,
|
|
"url": f"{console_web_url}/activate?email={encoded_invitee_email}&token={token}",
|
|
}
|
|
)
|
|
except AccountAlreadyInTenantError:
|
|
invitation_results.append(
|
|
{"status": "success", "email": normalized_invitee_email, "url": f"{console_web_url}/signin"}
|
|
)
|
|
except Exception as e:
|
|
invitation_results.append({"status": "failed", "email": normalized_invitee_email, "message": str(e)})
|
|
|
|
return {
|
|
"result": "success",
|
|
"invitation_results": invitation_results,
|
|
"tenant_id": str(inviter.current_tenant.id) if inviter.current_tenant else "",
|
|
}, 201
|
|
|
|
|
|
@console_ns.route("/workspaces/current/members/<uuid:member_id>")
|
|
class MemberCancelInviteApi(Resource):
|
|
"""Cancel an invitation by member id."""
|
|
|
|
@setup_required
|
|
@login_required
|
|
@account_initialization_required
|
|
def delete(self, member_id):
|
|
current_user, _ = current_account_with_tenant()
|
|
if not current_user.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
member = db.session.query(Account).where(Account.id == str(member_id)).first()
|
|
if member is None:
|
|
abort(404)
|
|
else:
|
|
try:
|
|
TenantService.remove_member_from_tenant(current_user.current_tenant, member, current_user)
|
|
except services.errors.account.CannotOperateSelfError as e:
|
|
return {"code": "cannot-operate-self", "message": str(e)}, 400
|
|
except services.errors.account.NoPermissionError as e:
|
|
return {"code": "forbidden", "message": str(e)}, 403
|
|
except services.errors.account.MemberNotInTenantError as e:
|
|
return {"code": "member-not-found", "message": str(e)}, 404
|
|
except Exception as e:
|
|
raise ValueError(str(e))
|
|
|
|
return {
|
|
"result": "success",
|
|
"tenant_id": str(current_user.current_tenant.id) if current_user.current_tenant else "",
|
|
}, 200
|
|
|
|
|
|
@console_ns.route("/workspaces/current/members/<uuid:member_id>/update-role")
|
|
class MemberUpdateRoleApi(Resource):
|
|
"""Update member role."""
|
|
|
|
@console_ns.expect(console_ns.models[MemberRoleUpdatePayload.__name__])
|
|
@setup_required
|
|
@login_required
|
|
@account_initialization_required
|
|
def put(self, member_id):
|
|
payload = console_ns.payload or {}
|
|
args = MemberRoleUpdatePayload.model_validate(payload)
|
|
new_role = args.role
|
|
|
|
if not TenantAccountRole.is_valid_role(new_role):
|
|
return {"code": "invalid-role", "message": "Invalid role"}, 400
|
|
current_user, _ = current_account_with_tenant()
|
|
if not current_user.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
member = db.session.get(Account, str(member_id))
|
|
if not member:
|
|
abort(404)
|
|
|
|
try:
|
|
assert member is not None, "Member not found"
|
|
TenantService.update_member_role(current_user.current_tenant, member, new_role, current_user)
|
|
except Exception as e:
|
|
raise ValueError(str(e))
|
|
|
|
# todo: 403
|
|
|
|
return {"result": "success"}
|
|
|
|
|
|
@console_ns.route("/workspaces/current/dataset-operators")
|
|
class DatasetOperatorMemberListApi(Resource):
|
|
"""List all members of current tenant."""
|
|
|
|
@setup_required
|
|
@login_required
|
|
@account_initialization_required
|
|
@console_ns.response(200, "Success", console_ns.models[AccountWithRoleList.__name__])
|
|
def get(self):
|
|
current_user, _ = current_account_with_tenant()
|
|
if not current_user.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
members = TenantService.get_dataset_operator_members(current_user.current_tenant)
|
|
member_models = TypeAdapter(list[AccountWithRole]).validate_python(members, from_attributes=True)
|
|
response = AccountWithRoleList(accounts=member_models)
|
|
return response.model_dump(mode="json"), 200
|
|
|
|
|
|
@console_ns.route("/workspaces/current/members/send-owner-transfer-confirm-email")
|
|
class SendOwnerTransferEmailApi(Resource):
|
|
"""Send owner transfer email."""
|
|
|
|
@console_ns.expect(console_ns.models[OwnerTransferEmailPayload.__name__])
|
|
@setup_required
|
|
@login_required
|
|
@account_initialization_required
|
|
@is_allow_transfer_owner
|
|
def post(self):
|
|
payload = console_ns.payload or {}
|
|
args = OwnerTransferEmailPayload.model_validate(payload)
|
|
ip_address = extract_remote_ip(request)
|
|
if AccountService.is_email_send_ip_limit(ip_address):
|
|
raise EmailSendIpLimitError()
|
|
current_user, _ = current_account_with_tenant()
|
|
# check if the current user is the owner of the workspace
|
|
if not current_user.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
if not TenantService.is_owner(current_user, current_user.current_tenant):
|
|
raise NotOwnerError()
|
|
|
|
if args.language is not None and args.language == "zh-Hans":
|
|
language = "zh-Hans"
|
|
else:
|
|
language = "en-US"
|
|
|
|
email = current_user.email
|
|
|
|
token = AccountService.send_owner_transfer_email(
|
|
account=current_user,
|
|
email=email,
|
|
language=language,
|
|
workspace_name=current_user.current_tenant.name if current_user.current_tenant else "",
|
|
)
|
|
|
|
return {"result": "success", "data": token}
|
|
|
|
|
|
@console_ns.route("/workspaces/current/members/owner-transfer-check")
|
|
class OwnerTransferCheckApi(Resource):
|
|
@console_ns.expect(console_ns.models[OwnerTransferCheckPayload.__name__])
|
|
@setup_required
|
|
@login_required
|
|
@account_initialization_required
|
|
@is_allow_transfer_owner
|
|
def post(self):
|
|
payload = console_ns.payload or {}
|
|
args = OwnerTransferCheckPayload.model_validate(payload)
|
|
# check if the current user is the owner of the workspace
|
|
current_user, _ = current_account_with_tenant()
|
|
if not current_user.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
if not TenantService.is_owner(current_user, current_user.current_tenant):
|
|
raise NotOwnerError()
|
|
|
|
user_email = current_user.email
|
|
|
|
is_owner_transfer_error_rate_limit = AccountService.is_owner_transfer_error_rate_limit(user_email)
|
|
if is_owner_transfer_error_rate_limit:
|
|
raise OwnerTransferLimitError()
|
|
|
|
token_data = AccountService.get_owner_transfer_data(args.token)
|
|
if token_data is None:
|
|
raise InvalidTokenError()
|
|
|
|
if user_email != token_data.get("email"):
|
|
raise InvalidEmailError()
|
|
|
|
if args.code != token_data.get("code"):
|
|
AccountService.add_owner_transfer_error_rate_limit(user_email)
|
|
raise EmailCodeError()
|
|
|
|
# Verified, revoke the first token
|
|
AccountService.revoke_owner_transfer_token(args.token)
|
|
|
|
# Refresh token data by generating a new token
|
|
_, new_token = AccountService.generate_owner_transfer_token(user_email, code=args.code, additional_data={})
|
|
|
|
AccountService.reset_owner_transfer_error_rate_limit(user_email)
|
|
return {"is_valid": True, "email": token_data.get("email"), "token": new_token}
|
|
|
|
|
|
@console_ns.route("/workspaces/current/members/<uuid:member_id>/owner-transfer")
|
|
class OwnerTransfer(Resource):
|
|
@console_ns.expect(console_ns.models[OwnerTransferPayload.__name__])
|
|
@setup_required
|
|
@login_required
|
|
@account_initialization_required
|
|
@is_allow_transfer_owner
|
|
def post(self, member_id):
|
|
payload = console_ns.payload or {}
|
|
args = OwnerTransferPayload.model_validate(payload)
|
|
|
|
# check if the current user is the owner of the workspace
|
|
current_user, _ = current_account_with_tenant()
|
|
if not current_user.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
if not TenantService.is_owner(current_user, current_user.current_tenant):
|
|
raise NotOwnerError()
|
|
|
|
if current_user.id == str(member_id):
|
|
raise CannotTransferOwnerToSelfError()
|
|
|
|
transfer_token_data = AccountService.get_owner_transfer_data(args.token)
|
|
if not transfer_token_data:
|
|
raise InvalidTokenError()
|
|
|
|
if transfer_token_data.get("email") != current_user.email:
|
|
raise InvalidEmailError()
|
|
|
|
AccountService.revoke_owner_transfer_token(args.token)
|
|
|
|
member = db.session.get(Account, str(member_id))
|
|
if not member:
|
|
abort(404)
|
|
return # Never reached, but helps type checker
|
|
|
|
if not current_user.current_tenant:
|
|
raise ValueError("No current tenant")
|
|
if not TenantService.is_member(member, current_user.current_tenant):
|
|
raise MemberNotInTenantError()
|
|
|
|
try:
|
|
assert member is not None, "Member not found"
|
|
TenantService.update_member_role(current_user.current_tenant, member, "owner", current_user)
|
|
|
|
AccountService.send_new_owner_transfer_notify_email(
|
|
account=member,
|
|
email=member.email,
|
|
workspace_name=current_user.current_tenant.name if current_user.current_tenant else "",
|
|
)
|
|
|
|
AccountService.send_old_owner_transfer_notify_email(
|
|
account=current_user,
|
|
email=current_user.email,
|
|
workspace_name=current_user.current_tenant.name if current_user.current_tenant else "",
|
|
new_owner_email=member.email,
|
|
)
|
|
|
|
except Exception as e:
|
|
raise ValueError(str(e))
|
|
|
|
return {"result": "success"}
|