From 10dd2d02ab22e895ba52975b30dd0d3169df47a0 Mon Sep 17 00:00:00 2001
From: shaohuzhang1
Date: Wed, 3 Jun 2026 11:22:18 +0800
Subject: [PATCH] fix: [Resource Permissions] Resources created by regular users in the workspace are not visible to workspace administrators

---
 apps/users/serializers/user.py | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/apps/users/serializers/user.py b/apps/users/serializers/user.py
index 858144cad08..3a141206b10 100644
--- a/apps/users/serializers/user.py
+++ b/apps/users/serializers/user.py
@@ -87,18 +87,23 @@ def is_workspace_manage_permission_read(user_id: str, workspace_id: str, permiss
     role_permission_mapping_model = DatabaseModelManage.get_model("role_permission_mapping_model")
     is_x_pack_ee = workspace_user_role_mapping_model is not None and role_permission_mapping_model is not None
     if is_x_pack_ee:
+        # 内置工作空间管理员(role_id 固定为 'WORKSPACE_MANAGE')拥有全量权限,直接放行
+        is_builtin_manage = QuerySet(workspace_user_role_mapping_model).filter(
+            user_id=user_id,
+            workspace_id=workspace_id,
+            role_id=RoleConstants.WORKSPACE_MANAGE.value.__str__()
+        ).exists()
+        if is_builtin_manage:
+            return True
+        # 继承(自定义)工作空间管理员:需被显式授予对应权限
         has_permission = QuerySet(role_permission_mapping_model).filter(
-            Q(role__userrolerelation__user_id=user_id,
-              role__userrolerelation__workspace_id=workspace_id,
-              permission_id=permission_id,
-              role__type=RoleConstants.WORKSPACE_MANAGE.value.__str__()) |
-            Q(role__userrolerelation__user_id=user_id,
-              role__userrolerelation__workspace_id=workspace_id,
-              role__id=RoleConstants.WORKSPACE_MANAGE.value.__str__()
-              )
+            role__userrolerelation__user_id=user_id,
+            role__userrolerelation__workspace_id=workspace_id,
+            permission_id=permission_id,
+            role__type=RoleConstants.WORKSPACE_MANAGE.value.__str__()
         ).exists()
         return has_permission
-    return True
+    return QuerySet(User).filter(id=user_id, role=RoleConstants.ADMIN.value.__str__()).exists()
 
 
 def get_workspace_list_by_user(user_id):
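Review bot: The last changed line silently tightens the non-x-pack fallback from an unconditional `return True` to an ADMIN-role lookup, which is a separate authorization change from the workspace-manager fix the subject describes and deserves its own comment, e.g. `# Community edition has no workspace roles: only a system ADMIN holds workspace-manage permissions`; callers that relied on the old always-True result should be checked as part of this review. On the new builtin-manager fast path the early `return True` deliberately ignores `permission_id`, so the comment above it should say so in English for maintainers who cannot read the current one, e.g. `# Built-in workspace manager role grants every permission, so permission_id is not consulted`. As a point of style, the three `RoleConstants.*.value.__str__()` calls read more naturally as `str(RoleConstants.WORKSPACE_MANAGE.value)`. The enclosing function begins before the hunk (its `workspace_user_role_mapping_model` lookup is outside the shown lines).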