feat: add tenant-scoped rule and permission management

wren
2026-05-21 22:03:08 +08:00
parent a2c2bf1969
commit 1f1bccf3b3
193 changed files with 64463 additions and 1771 deletions
@@ -64,6 +64,15 @@ class RagChatController(BaseController):
"dataset_delete": "rag:dataset:delete",
}
@staticmethod
def _tenant_context(payload: dict[str, Any]) -> dict[str, str | None]:
return {
"UserArea": payload.get("area"),
"UserRole": payload.get("user_role"),
"TenantCode": payload.get("tenant_code"),
"TenantName": payload.get("tenant_name"),
}
def __init__(self):
super().__init__(prefix="/v3/rag", tags=["RAG 聊天"])
self.RagChatService: IRagChatService = RagChatServiceImpl()
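Review bot: `_tenant_context` reads every claim with `payload.get`, so a token that carries no `tenant_code` yields `TenantCode=None` and the request still reaches the service. Whether the services treat `None` as "no tenant" or as "no tenant filter" is not visible in this hunk; if it is the latter, a missing claim widens access instead of denying it. I would have the helper reject a payload without `tenant_code` (or allow `None` only for an explicitly privileged role) and state the contract in a docstring, e.g. `"""Tenant-scoping claims from the verified token; a missing tenant_code must never be read as all tenants."""`. The return annotation `dict[str, str | None]` is also only as accurate as the token contents, since nothing here checks the claim types.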
@@ -74,10 +83,10 @@ class RagChatController(BaseController):
async def GetApps(payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["app_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看聊天应用权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagChatService.GetApps(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
)
return Result.success(data=data)
@@ -85,10 +94,10 @@ class RagChatController(BaseController):
async def GetDefaultApp(payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["app_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看默认聊天应用权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagChatService.GetDefaultApp(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
)
return Result.success(data=data)
@@ -96,16 +105,17 @@ class RagChatController(BaseController):
async def GetMyDatasets(payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看知识库权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagDatasetService.GetMyDatasets(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
)
return Result.success(data=data)
@self.router.get("/datasets/admin", response_model=Result[RagDatasetPageVO])
async def GetAdminDatasets(
area: str | None = Query(None),
tenant_code: str | None = Query(None, description="租户编码,支持逗号分隔"),
onlyEnabled: bool | None = Query(None),
page: int = Query(1, ge=1),
pageSize: int = Query(20, ge=1, le=200),
@@ -113,11 +123,12 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_manage"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有管理知识库权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagDatasetService.GetAdminDatasets(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
Area=area,
TenantFilterCode=tenant_code,
OnlyEnabled=onlyEnabled,
Page=page,
PageSize=pageSize,
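Review bot: The caller-supplied `tenant_code` query value is forwarded as `TenantFilterCode` next to the token-derived `TenantCode`, and the only gate in the controller is the `dataset_manage` permission. Nothing visible here restricts the filter to tenants the caller belongs to, so the service's `GetAdminDatasets` has to intersect it with the caller's own tenant scope; otherwise a user of one tenant could list another tenant's datasets by naming its code. A comment at the call such as `# TenantFilterCode is untrusted input; the service must intersect it with TenantCode` would record that requirement, and the parameter could be bounded, for example `Query(None, max_length=256, ...)` (256 is an illustrative limit). The handler's signature and the end of the call lie outside this hunk.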
@@ -128,10 +139,10 @@ class RagChatController(BaseController):
async def CreateAdminDataset(Body: dict[str, Any], payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_create"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有创建知识库权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagDatasetService.CreateAdminDataset(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
Body=Body,
)
return Result.success(data=data)
@@ -140,10 +151,10 @@ class RagChatController(BaseController):
async def UpdateAdminDataset(DatasetId: int, Body: dict[str, Any], payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有更新知识库权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagDatasetService.UpdateAdminDataset(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
Body=Body,
)
@@ -153,10 +164,10 @@ class RagChatController(BaseController):
async def DeleteAdminDataset(DatasetId: int, payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_delete"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有删除知识库权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagDatasetService.DeleteAdminDataset(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
)
return Result.success(data=data)
@@ -165,10 +176,10 @@ class RagChatController(BaseController):
async def GetDatasetDetail(DatasetId: int, payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看知识库权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagDatasetService.GetDatasetDetail(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
)
return Result.success(data=data)
@@ -177,10 +188,10 @@ class RagChatController(BaseController):
async def UpdateDataset(DatasetId: int, Body: RagDatasetUpdateDTO, payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有修改知识库权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagDatasetService.UpdateDataset(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
Body=Body,
)
@@ -196,10 +207,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看知识库文档权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagDatasetService.GetDatasetDocuments(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
Page=page,
Limit=limit,
@@ -215,10 +226,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看知识库文档权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagDatasetService.GetDatasetDocumentDetail(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentId=DocumentId,
)
@@ -235,10 +246,10 @@ class RagChatController(BaseController):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有上传知识库文档权限", "data": None})
process_config = json.loads(data) if data else None
file_bytes = await file.read()
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.UploadDatasetDocument(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
FileName=file.filename or "document",
ContentType=file.content_type,
@@ -259,10 +270,10 @@ class RagChatController(BaseController):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有重处理知识库文档权限", "data": None})
process_config = json.loads(data) if data else None
file_bytes = await file.read()
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.UpdateDatasetDocumentByFile(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentId=DocumentId,
FileName=file.filename or "document",
@@ -280,10 +291,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看知识库处理进度权限", "data": None})
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.GetDatasetDocumentIndexingStatus(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentId=DocumentId,
)
@@ -302,10 +313,10 @@ class RagChatController(BaseController):
if Action not in {"enable", "disable"}:
return JSONResponse(status_code=400, content={"code": 400, "msg": "当前仅支持启用和禁用", "data": None})
document_ids = Body.get("document_ids") or []
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.BatchUpdateDatasetDocumentStatus(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentIds=[int(item) for item in document_ids],
Enabled=enabled,
@@ -323,10 +334,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看知识库分段权限", "data": None})
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.GetDatasetDocumentSegments(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentId=DocumentId,
Page=page,
@@ -343,10 +354,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_delete"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有删除知识库文档权限", "data": None})
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.DeleteDatasetDocument(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentId=DocumentId,
)
@@ -360,10 +371,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_delete"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有删除知识库文档权限", "data": None})
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.BatchDeleteDatasetDocuments(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentIds=Body.document_ids,
)
@@ -377,10 +388,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有检索知识库权限", "data": None})
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.RetrieveDataset(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
Query=str(Body.get("query") or ""),
RetrievalModel=Body.get("retrieval_model") if isinstance(Body.get("retrieval_model"), dict) else None,
@@ -396,10 +407,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看知识库分段权限", "data": None})
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.GetDatasetDocumentSegmentDetail(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentId=DocumentId,
SegmentId=SegmentId,
@@ -416,10 +427,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有修改知识库分段权限", "data": None})
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.UpdateDatasetDocumentSegment(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentId=DocumentId,
SegmentId=SegmentId,
@@ -436,10 +447,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_delete"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有删除知识库分段权限", "data": None})
tenant_context = self._tenant_context(payload)
result = await self.RagDatasetService.DeleteDatasetDocumentSegment(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
DatasetId=DatasetId,
DocumentId=DocumentId,
SegmentId=SegmentId,
@@ -453,10 +464,10 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["chat_use"], self._PERMISSIONS["app_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看聊天配置权限", "data": None})
tenant_context = self._tenant_context(payload)
data = await self.RagChatService.GetAppParameters(
CurrentUserId=int(payload["user_id"]),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
AppId=appId,
)
return Result.success(data=data)
@@ -465,11 +476,11 @@ class RagChatController(BaseController):
async def SendMessage(Body: RagChatSendMessageDTO, payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["chat_use"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有使用 RAG 对话权限", "data": None})
tenant_context = self._tenant_context(payload)
stream = self.RagChatService.SendMessage(
CurrentUserId=int(payload["user_id"]),
UserName=payload.get("username") or str(payload.get("user_id")),
UserArea=payload.get("area"),
UserRole=payload.get("user_role"),
**tenant_context,
Query=Body.query,
ConversationId=Body.conversationId,
AppId=Body.appId,
@@ -488,7 +499,13 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["chat_use"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有停止 RAG 对话权限", "data": None})
data = await self.RagChatService.StopMessage(int(payload["user_id"]), MessageId, Body)
tenant_context = self._tenant_context(payload)
data = await self.RagChatService.StopMessage(
CurrentUserId=int(payload["user_id"]),
**tenant_context,
MessageId=MessageId,
Body=Body,
)
return Result.success(data=data)
@self.router.get("/chat/conversations", response_model=Result[RagConversationPageVO])
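Review bot: `StopMessage` previously received only the user id, `MessageId` and `Body`, and the new call spreads all four keys of `tenant_context`, so the service method must accept `UserArea`, `UserRole`, `TenantCode` and `TenantName` under exactly those keyword names or the request fails with a `TypeError` at call time. The same applies to the `GetConversations`, `GetConversationMessages`, `RenameConversation`, `DeleteConversation` and `UpdateFeedback` hunks below. Passing the tenant only helps if the service uses it to confirm that the path-supplied `MessageId` or `ConversationId` belongs to the caller's tenant and user, which is not visible here; a comment such as `# service must verify MessageId is owned by CurrentUserId within TenantCode` would make that expectation explicit. The handler's signature starts outside this hunk.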
@@ -500,7 +517,14 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["conversation_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看聊天会话权限", "data": None})
data = await self.RagChatService.GetConversations(int(payload["user_id"]), appId, page, pageSize)
tenant_context = self._tenant_context(payload)
data = await self.RagChatService.GetConversations(
CurrentUserId=int(payload["user_id"]),
**tenant_context,
AppId=appId,
Page=page,
PageSize=pageSize,
)
return Result.success(data=data)
@self.router.get("/chat/conversations/{ConversationId}/messages", response_model=Result[RagMessagePageVO])
@@ -512,7 +536,14 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["conversation_read"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有查看聊天消息权限", "data": None})
data = await self.RagChatService.GetConversationMessages(int(payload["user_id"]), ConversationId, page, pageSize)
tenant_context = self._tenant_context(payload)
data = await self.RagChatService.GetConversationMessages(
CurrentUserId=int(payload["user_id"]),
**tenant_context,
ConversationId=ConversationId,
Page=page,
PageSize=pageSize,
)
return Result.success(data=data)
@self.router.patch("/chat/conversations/{ConversationId}", response_model=Result[RagConversationRenameVO])
@@ -523,14 +554,25 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["conversation_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有修改聊天会话权限", "data": None})
data = await self.RagChatService.RenameConversation(int(payload["user_id"]), ConversationId, Body)
tenant_context = self._tenant_context(payload)
data = await self.RagChatService.RenameConversation(
CurrentUserId=int(payload["user_id"]),
**tenant_context,
ConversationId=ConversationId,
Body=Body,
)
return Result.success(data=data)
@self.router.delete("/chat/conversations/{ConversationId}", response_model=Result[RagOperationResultVO])
async def DeleteConversation(ConversationId: str, payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["conversation_delete"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有删除聊天会话权限", "data": None})
data = await self.RagChatService.DeleteConversation(int(payload["user_id"]), ConversationId)
tenant_context = self._tenant_context(payload)
data = await self.RagChatService.DeleteConversation(
CurrentUserId=int(payload["user_id"]),
**tenant_context,
ConversationId=ConversationId,
)
return Result.success(data=data)
@self.router.post("/chat/messages/{MessageId}/feedback", response_model=Result[RagOperationResultVO])
@@ -541,7 +583,13 @@ class RagChatController(BaseController):
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["message_feedback"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有反馈聊天消息权限", "data": None})
data = await self.RagChatService.UpdateFeedback(int(payload["user_id"]), MessageId, Body)
tenant_context = self._tenant_context(payload)
data = await self.RagChatService.UpdateFeedback(
CurrentUserId=int(payload["user_id"]),
**tenant_context,
MessageId=MessageId,
Body=Body,
)
return Result.success(data=data)
async def _check_permission(self, user_id: int, permission_keys: list[str]) -> bool: