diff --git a/apps/homepage/serializers/homepage.py b/apps/homepage/serializers/homepage.py index 428ba3f564e..734069ab0a9 100644 --- a/apps/homepage/serializers/homepage.py +++ b/apps/homepage/serializers/homepage.py @@ -48,6 +48,10 @@ def is_workspace_manage(auth, workspace_id): return RoleConstants.WORKSPACE_MANAGE.value.__str__() + ":/WORKSPACE/" + workspace_id in auth.role_list +def is_extends_workspace_manage(auth, workspace_id): + return RoleConstants.EXTENDS_WORKSPACE_MANAGE.value.__str__() + ":/WORKSPACE/" + workspace_id in auth.role_list + + def get_start_time(date_time): d = datetime.datetime.strptime(date_time, '%Y-%m-%d').date() naive = datetime.datetime.combine(d, datetime.time.min) @@ -76,6 +80,7 @@ def aggregation(self, auth, with_valid=True): start_time = get_start_time(data.get('start_time')) end_time = get_end_time(data.get('end_time')) workspace_manage = is_workspace_manage(auth, workspace_id) + extends_workspace_manage = is_extends_workspace_manage(auth, workspace_id) query = ChatRecord.objects.filter( create_time__gte=start_time, create_time__lte=end_time, @@ -84,7 +89,13 @@ def aggregation(self, auth, with_valid=True): query = query.filter( chat__application__workspace_id=workspace_id ) - + elif extends_workspace_manage: + if hasPermission(auth, "APPLICATION:READ"): + query = query.filter( + chat__application__workspace_id=workspace_id + ) + else: + return 0 else: permission_list = ( ["VIEW", "MANAGE", "ROLE"] @@ -130,6 +141,7 @@ def aggregation(self, auth, with_valid=True): start_time = get_start_time(data["start_time"]) end_time = get_end_time(data["end_time"]) workspace_manage = is_workspace_manage(auth, workspace_id) + extends_workspace_manage = is_extends_workspace_manage(auth, workspace_id) query = ChatRecord.objects.filter( create_time__gte=start_time, create_time__lte=end_time, 
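Review bot: `is_extends_workspace_manage` is added without a docstring, and nothing in the hunk says how the extended role differs from `WORKSPACE_MANAGE`, even though every call site below uses it to choose between workspace-wide visibility and an empty result. A one-line docstring such as `"""Return True if auth.role_list contains the EXTENDS_WORKSPACE_MANAGE role scoped to workspace_id."""` would make that contract explicit. The string concatenation also raises `TypeError` when `workspace_id` is `None`; where `workspace_id` comes from is outside the hunk, so it is worth confirming it is validated before this helper is reached.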
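Review bot: The new `elif extends_workspace_manage:` branch in `aggregation` (@@ -84) grants workspace-wide visibility based on `hasPermission(auth, "APPLICATION:READ")`, and that call carries no `workspace_id`, unlike the role check beside it, which matches `...:/WORKSPACE/<id>`. As far as the visible context shows, the same call previously only decided whether `"ROLE"` joined `permission_list`, with rows still narrowed through per-resource permissions; here it unlocks every record in the workspace. `hasPermission` is defined outside the diff, so please confirm it resolves the permission for this workspace rather than for any workspace the user belongs to, and record that in a comment, e.g. `# APPLICATION:READ must be held in workspace_id, not merely in some workspace`. The same pattern recurs in the @@ -138, @@ -296, @@ -712, @@ -756 and @@ -797 hunks.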
@@ -138,6 +150,13 @@ def aggregation(self, auth, with_valid=True): query = query.filter( chat__application__workspace_id=workspace_id ) + elif extends_workspace_manage: + if hasPermission(auth, "APPLICATION:READ"): + query = query.filter( + chat__application__workspace_id=workspace_id + ) + else: + return 0 else: permission_list = ( ["VIEW", "MANAGE", "ROLE"] @@ -296,7 +315,11 @@ def _apply_permission_filter(self, queryset, auth, workspace_id, user_id): """根据用户角色过滤可见的应用范围""" if is_workspace_manage(auth, workspace_id): return queryset.filter(application__workspace_id=workspace_id) - + elif is_extends_workspace_manage(auth, workspace_id): + if hasPermission(auth, "APPLICATION:READ"): + return queryset.filter(application__workspace_id=workspace_id) + else: + return queryset.filter(application_id__in=[]) permission_list = ( _PERM_WITH_ROLE if hasPermission(auth, "APPLICATION:READ") @@ -358,6 +381,9 @@ def get_queryset(self, auth): if name: queryset = queryset.filter(name__contains=name) workspace_manage = is_workspace_manage(auth, workspace_id) + if is_extends_workspace_manage(auth, workspace_id): + if not hasPermission(auth, "APPLICATION:READ"): + queryset = queryset.filter(workspace_id__in=[]) if not workspace_manage: permission_list = ( ["VIEW", "MANAGE", "ROLE"] @@ -488,7 +514,8 @@ def get_queryset(self, auth): queryset = queryset.filter(name__contains=name) workspace_manage = is_workspace_manage(auth, workspace_id) - + if is_extends_workspace_manage(auth, workspace_id): + queryset = queryset.filter(workspace_id__in=[]) if not workspace_manage: permission_list = ["VIEW", "MANAGE", "ROLE"] if hasPermission( auth, 
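Review bot: The `else: return 0` in the new `elif extends_workspace_manage:` branch (@@ -138) makes `aggregation` return a bare integer on one path while the neighbouring branches keep narrowing `query`; the same early return is in the @@ -84 hunk. The rest of the method is outside the hunk, so it cannot be verified from here whether every caller accepts `0` in place of the usual result. Keeping one return shape is safer: `query = query.none()` in the `else:` lets the existing aggregation code produce its normal empty result.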
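Review bot: The deny path in `_apply_permission_filter` (@@ -296) is written `queryset.filter(application_id__in=[])`, while the Knowledge, Tool and Model hunks further down use `.none()` for the same intent. `return queryset.none()` states the deny explicitly and does not depend on the field name being right for this model. The `workspace_id__in=[]` filters in the @@ -358, @@ -488 and @@ -677 hunks can be written the same way. The `elif` after a `return` and the inner `else:` can also be flattened into plain `if` statements with early returns, as the later hunks do.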
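Review bot: An extended workspace manager who holds `APPLICATION:READ` gets no special handling in this `get_queryset` (@@ -358): the added block covers only the missing-permission case. Such a request then falls into `if not workspace_manage:` and is limited by `permission_list`, whereas the `aggregation` and `_apply_permission_filter` hunks give the same user the whole workspace. The list and the figures that summarise it could therefore disagree for the same account. If the per-resource restriction is intended here, a comment such as `# extended managers are still limited to resources shared with them in this listing` should say so; otherwise the branch needs the workspace-wide case as well. The `if not workspace_manage:` block continues outside the hunk.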
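Review bot: This `get_queryset` (@@ -488) empties the queryset for every extended workspace manager with no permission check at all, while the sibling hunk at @@ -358 does so only when `APPLICATION:READ` is missing. The @@ -677 hunk likewise returns `QuerySet(Application).filter(workspace_id__in=[])` unconditionally, although the Knowledge, Tool and Model versions of `get_aggregation_query_set` test the matching `...:READ` permission first. If the blanket deny is deliberate, it deserves a comment such as `# extended managers never see this resource type here`. If it is not, the @@ -677 branch should mirror its siblings: `if hasPermission(auth, "APPLICATION:READ"): return QuerySet(Application).filter(workspace_id=workspace_id)` followed by `return QuerySet(Application).none()`. The resource type filtered in the @@ -488 method is not visible in the hunk, so the right permission name there has to come from the surrounding code.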
@@ -677,6 +704,8 @@ def get_aggregation_query_set(self, auth): workspace_manage = is_workspace_manage(auth, workspace_id) if workspace_manage: return QuerySet(Application).filter(workspace_id=workspace_id) + if is_extends_workspace_manage(auth, workspace_id): + return QuerySet(Application).filter(workspace_id__in=[]) permission_list = ["VIEW", "MANAGE", "ROLE"] if hasPermission(auth, "APPLICATION:READ") else ['VIEW', 'MANAGE'] return QuerySet(Application).filter( @@ -712,8 +741,12 @@ def get_aggregation_query_set(self, auth): user_id = self.data.get("user_id") if is_workspace_manage(auth, workspace_id): return QuerySet(Knowledge).filter(workspace_id=workspace_id) - permission_list = ["VIEW", "MANAGE", "ROLE"] if hasPermission(auth, "APPLICATION:READ") else ['VIEW', - 'MANAGE'] + if is_extends_workspace_manage(auth, workspace_id): + if hasPermission(auth, "KNOWLEDGE:READ"): + return QuerySet(Knowledge).filter(workspace_id=workspace_id) + return QuerySet(Knowledge).none() + permission_list = ["VIEW", "MANAGE", "ROLE"] if hasPermission(auth, "KNOWLEDGE:READ") else ['VIEW', + 'MANAGE'] return QuerySet(Knowledge).filter( id__in=QuerySet(WorkspaceUserResourcePermission).filter(workspace_id=workspace_id, user_id=user_id, @@ -756,8 +789,12 @@ def get_aggregation_query_set(self, auth): user_id = self.data.get("user_id") if is_workspace_manage(auth, workspace_id): return QuerySet(Tool).filter(workspace_id=workspace_id) - permission_list = ["VIEW", "MANAGE", "ROLE"] if hasPermission(auth, "APPLICATION:READ") else ['VIEW', - 'MANAGE'] + if is_extends_workspace_manage(auth, workspace_id): + if hasPermission(auth, "TOOL:READ"): + return QuerySet(Tool).filter(workspace_id=workspace_id) + return QuerySet(Tool).none() + permission_list = ["VIEW", "MANAGE", "ROLE"] if hasPermission(auth, "TOOL:READ") else ['VIEW', + 'MANAGE'] return QuerySet(Tool).filter( id__in=QuerySet(WorkspaceUserResourcePermission).filter(workspace_id=workspace_id, user_id=user_id, 
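Review bot: The four-line `is_extends_workspace_manage` block is pasted into the Knowledge, Tool and Model versions of `get_aggregation_query_set` (@@ -712, @@ -756 and @@ -797) with only the model and the permission string changed. The removed lines show how that goes wrong: all three previously tested `APPLICATION:READ`. Pulling the decision into one helper that takes the model and the permission name leaves a single place to review and test the authorization rule. The helper below is a sketch; the per-resource `WorkspaceUserResourcePermission` path continues outside the hunk and is left as is.

```python
def _extends_manage_queryset(model, auth, workspace_id, read_permission):
    """Rows an extended workspace manager may see: the whole workspace with read_permission, else none."""
    if hasPermission(auth, read_permission):
        return QuerySet(model).filter(workspace_id=workspace_id)
    return QuerySet(model).none()

# in get_aggregation_query_set (Knowledge shown; Tool and Model pass their own model and permission)
        if is_workspace_manage(auth, workspace_id):
            return QuerySet(Knowledge).filter(workspace_id=workspace_id)
        if is_extends_workspace_manage(auth, workspace_id):
            return _extends_manage_queryset(Knowledge, auth, workspace_id, "KNOWLEDGE:READ")
        # … unchanged: permission_list and WorkspaceUserResourcePermission filter …
```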
@@ -797,7 +834,11 @@ def get_aggregation_query_set(self, auth): user_id = self.data.get("user_id") if is_workspace_manage(auth, workspace_id): return QuerySet(Model).filter(workspace_id=workspace_id) - permission_list = ["VIEW", "MANAGE", "ROLE"] if hasPermission(auth, "APPLICATION:READ") else ['VIEW', + if is_extends_workspace_manage(auth, workspace_id): + if hasPermission(auth, 'MODEL:READ'): + return QuerySet(Model).filter(workspace_id=workspace_id) + return QuerySet(Model).none() + permission_list = ["VIEW", "MANAGE", "ROLE"] if hasPermission(auth, "MODEL:READ") else ['VIEW', 'MANAGE'] return QuerySet(Model).filter( id__in=QuerySet(WorkspaceUserResourcePermission).filter(workspace_id=workspace_id,