TanWenyan/leaudit-platform-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: tighten rag permissions and area scope

Browse Source
This commit is contained in:
wren
2026-05-11 18:01:09 +08:00
parent f788149ca7
commit 2aa5a6d1d6
5 changed files with 189 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/RAG/当前系统权限模型收口方案.md
+140
View File
@@ -0,0 +1,140 @@
# 当前系统权限模型收口方案
## 1. 当前角色与地区范围
### 1.1 角色定义
- `common`: 普通用户,仅用于查看和使用。
- `admin`: 市级管理员,只应管理本地区资源。
- `provincial_admin`: 省级管理员,可管理全省资源。
- `super_admin`: 超级管理员,可管理全部资源。
### 1.2 知识库查看范围
当前后端 `RAG` 知识库查看逻辑:
- `provincial_admin` / `super_admin`
- 可查看全部启用中的知识库。
- 其他角色
- 可查看 `自己地区 + 省级 + 空地区 + 公共知识库`
对应业务含义:
- 梅州用户只能看到梅州、`省级`、空地区和公共知识库。
- 潮州用户只能看到潮州、`省级`、空地区和公共知识库。
- 省级管理员可看到全部地区知识库。
## 2. 当前真实生效矩阵
| 角色 | 查看知识库 | 创建知识库 | 编辑知识库 | 删除知识库 | 上传/重处理文档 | 编辑分段 | 聊天 | 消息反馈 |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| `common` | 仅限可见范围 | 否 | 否 | 否 | 否 | 否 | 取决于 `rag:chat:use` | 取决于 `rag:message:feedback` |
| `admin` | 本地区 + 省级 + 空地区 + 公共 | 是,但仅本地区 | 是,但仅本地区 | 是,但仅本地区且非默认库 | 是,但仅本地区 | 是,但仅本地区 | 取决于权限键 | 取决于权限键 |
| `provincial_admin` | 全部 | 是 | 是 | 是,但默认库不可直接删 | 是 | 是 | 取决于权限键 | 取决于权限键 |
| `super_admin` | 全部 | 是 | 是 | 是,但默认库不可直接删 | 是 | 是 | 取决于权限键 | 取决于权限键 |
## 3. 现状问题
### 3.1 前后端权限键不统一
历史上前端混用了 `dify:*``rag:*`,后端主要检查 `rag:*`,导致:
- 前端按钮可见性与后端接口放行口径不一致。
- 管理页可能“看得到但提交失败”,或者“前端隐藏了但后端其实能改”。
### 3.2 前端存在硬编码放行
旧逻辑存在两类兜底:
- `admin / provincial_admin / super_admin` 角色直接视为全部有权限。
- 所有 `:read` 权限默认放行。
这会绕过数据库中的精细化 `GRANT / DENY` 配置。
### 3.3 `admin` 只在前端限制地区,后端未强校验
旧逻辑里市级管理员在界面上只能点自己地区,但后端没有统一限制,存在跨地区管理风险。
## 4. 本次收口目标
### 4.1 知识库统一使用 RAG 权限键
知识库管理统一采用以下权限键:
- `rag:dataset:read`: 查看知识库与文档
- `rag:dataset:manage`: 查看知识库配置管理页
- `rag:dataset:create`: 创建知识库
- `rag:dataset:update`: 更新知识库、设置、文档、分段
- `rag:dataset:delete`: 删除知识库、文档、分段
### 4.2 前端权限判断原则
前端只允许以下来源决定权限:
- 当前路由的 `permissionMap`
- 登录态携带的 `globalPermissions`
明确移除:
- 角色直接等于全权限
- `:read` 默认放行
### 4.3 后端地区校验原则
后端 service 层强制执行:
- `admin` 只能管理自己地区知识库
- `provincial_admin` / `super_admin` 可跨地区管理
- `common` 不能执行知识库管理操作
## 5. 前后端分工
### 5.1 前端负责
- 按真实权限控制菜单、页签、按钮显隐
- 对无权限操作给出提示
- 不再使用角色硬编码做兜底
### 5.2 后端负责
- 接口最终鉴权
- 地区范围最终鉴权
- 默认知识库不可直接删除等业务规则校验
## 6. 迁移建议
### 6.1 角色授权建议
建议角色权限配置如下:
- `common`
- `rag:dataset:read`
- `rag:app:read`
- `rag:chat:use`
- `rag:conversation:read`
- `rag:message:feedback`
- `admin`
-`common` 基础上增加:
- `rag:dataset:manage`
- `rag:dataset:create`
- `rag:dataset:update`
- `rag:dataset:delete`
- `provincial_admin`
-`admin`,但地区范围为全省
- `super_admin`
-`provincial_admin`
### 6.2 数据配置建议
除代码收口外,还需要同步确认:
- 角色是否已经实际分配 `rag:dataset:manage/create/update/delete`
- `/chat-with-llm` 路由是否已配置给需要访问知识库管理的人群
-`dify:*` 权限是否仍在数据库中使用,若有则需制定清理计划
## 7. 文档落点
本方案文档固定存放于:
- `docs/RAG/当前系统权限模型收口方案.md`
fastapi_modules/fastapi_leaudit/controllers/ragChatController.py
+15 -11
View File
@@ -53,6 +53,10 @@ class RagChatController(BaseController):
"message_feedback": "rag:message:feedback",
"app_read": "rag:app:read",
"dataset_read": "rag:dataset:read",
"dataset_manage": "rag:dataset:manage",
"dataset_create": "rag:dataset:create",
"dataset_update": "rag:dataset:update",
"dataset_delete": "rag:dataset:delete",
}
def __init__(self):
@@ -102,7 +106,7 @@ class RagChatController(BaseController):
pageSize: int = Query(20, ge=1, le=200),
payload: dict[str, Any] = Depends(verify_access_token),
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_manage"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有管理知识库权限", "data": None})
data = await self.RagDatasetService.GetAdminDatasets(
CurrentUserId=int(payload["user_id"]),
@@ -117,7 +121,7 @@ class RagChatController(BaseController):
@self.router.post("/datasets/admin", response_model=Result[RagDatasetDetailVO])
async def CreateAdminDataset(Body: dict[str, Any], payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_create"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有创建知识库权限", "data": None})
data = await self.RagDatasetService.CreateAdminDataset(
CurrentUserId=int(payload["user_id"]),
@@ -129,7 +133,7 @@ class RagChatController(BaseController):
@self.router.put("/datasets/admin/{DatasetId}", response_model=Result[RagDatasetDetailVO | None])
async def UpdateAdminDataset(DatasetId: int, Body: dict[str, Any], payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有更新知识库权限", "data": None})
data = await self.RagDatasetService.UpdateAdminDataset(
CurrentUserId=int(payload["user_id"]),
@@ -142,7 +146,7 @@ class RagChatController(BaseController):
@self.router.delete("/datasets/admin/{DatasetId}", response_model=Result[RagOperationResultVO])
async def DeleteAdminDataset(DatasetId: int, payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_delete"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有删除知识库权限", "data": None})
data = await self.RagDatasetService.DeleteAdminDataset(
CurrentUserId=int(payload["user_id"]),
@@ -166,7 +170,7 @@ class RagChatController(BaseController):
@self.router.patch("/datasets/{DatasetId}", response_model=Result[RagDatasetDetailVO | None])
async def UpdateDataset(DatasetId: int, Body: RagDatasetUpdateDTO, payload: dict[str, Any] = Depends(verify_access_token)):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有修改知识库权限", "data": None})
data = await self.RagDatasetService.UpdateDataset(
CurrentUserId=int(payload["user_id"]),
@@ -222,7 +226,7 @@ class RagChatController(BaseController):
data: str | None = Form(None),
payload: dict[str, Any] = Depends(verify_access_token),
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有上传知识库文档权限", "data": None})
process_config = json.loads(data) if data else None
file_bytes = await file.read()
@@ -246,7 +250,7 @@ class RagChatController(BaseController):
data: str | None = Form(None),
payload: dict[str, Any] = Depends(verify_access_token),
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有重处理知识库文档权限", "data": None})
process_config = json.loads(data) if data else None
file_bytes = await file.read()
@@ -287,7 +291,7 @@ class RagChatController(BaseController):
Body: dict[str, Any],
payload: dict[str, Any] = Depends(verify_access_token),
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有修改知识库文档状态权限", "data": None})
enabled = Action == "enable"
if Action not in {"enable", "disable"}:
@@ -332,7 +336,7 @@ class RagChatController(BaseController):
DocumentId: int,
payload: dict[str, Any] = Depends(verify_access_token),
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_delete"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有删除知识库文档权限", "data": None})
result = await self.RagDatasetService.DeleteDatasetDocument(
CurrentUserId=int(payload["user_id"]),
@@ -388,7 +392,7 @@ class RagChatController(BaseController):
Body: dict[str, Any],
payload: dict[str, Any] = Depends(verify_access_token),
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_update"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有修改知识库分段权限", "data": None})
result = await self.RagDatasetService.UpdateDatasetDocumentSegment(
CurrentUserId=int(payload["user_id"]),
@@ -408,7 +412,7 @@ class RagChatController(BaseController):
SegmentId: str,
payload: dict[str, Any] = Depends(verify_access_token),
):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_read"]]):
if not await self._check_permission(int(payload["user_id"]), [self._PERMISSIONS["dataset_delete"]]):
return JSONResponse(status_code=403, content={"code": 403, "msg": "当前用户没有删除知识库分段权限", "data": None})
result = await self.RagDatasetService.DeleteDatasetDocumentSegment(
CurrentUserId=int(payload["user_id"]),
fastapi_modules/fastapi_leaudit/services/impl/ragDatasetServiceImpl.py
+29 -1
View File
@@ -65,6 +65,7 @@ class RagDatasetServiceImpl(IRagDatasetService):
) -> RagDatasetPageVO:
if UserRole not in ("provincial_admin", "admin", "super_admin"):
raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前用户没有管理知识库权限")
managed_area = self._resolve_managed_area(UserRole=UserRole, UserArea=UserArea)
filters = ["d.deleted_at IS NULL"]
params: dict = {
@@ -72,7 +73,12 @@ class RagDatasetServiceImpl(IRagDatasetService):
"limit": PageSize,
}
areas = [item.strip() for item in str(Area or "").split(",") if item.strip()]
if len(areas) == 1:
if managed_area:
if areas and any(item != managed_area for item in areas):
raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前用户只能查看本地区知识库配置")
filters.append("d.area = :managed_area")
params["managed_area"] = managed_area
elif len(areas) == 1:
filters.append("d.area = :area")
params["area"] = areas[0]
elif len(areas) > 1:
@@ -127,6 +133,7 @@ class RagDatasetServiceImpl(IRagDatasetService):
description = str(Body.get("dataset_description") or Body.get("description") or "").strip()
if not area or not name:
raise LeauditException(StatusCodeEnum.HTTP_400_BAD_REQUEST, "地区和知识库名称不能为空")
self._assert_manage_area_scope(UserRole=UserRole, UserArea=UserArea, DatasetArea=area)
collection_name = self._slugify_collection_name(area, name)
retrieval_model = {}
@@ -208,8 +215,10 @@ class RagDatasetServiceImpl(IRagDatasetService):
existing = await self._get_dataset_row(DatasetId)
if not existing:
return None
self._assert_manage_area_scope(UserRole=UserRole, UserArea=UserArea, DatasetArea=str(existing.get("area") or ""))
area = str(Body.get("area") or existing.get("area") or "").strip()
self._assert_manage_area_scope(UserRole=UserRole, UserArea=UserArea, DatasetArea=area)
async with GetAsyncSession() as session:
target_is_default = bool(Body.get("is_default", existing.get("is_default")))
@@ -268,6 +277,7 @@ class RagDatasetServiceImpl(IRagDatasetService):
existing = await self._get_dataset_row(DatasetId)
if not existing:
raise LeauditException(StatusCodeEnum.HTTP_404_NOT_FOUND, "知识库不存在")
self._assert_manage_area_scope(UserRole=UserRole, UserArea=UserArea, DatasetArea=str(existing.get("area") or ""))
if bool(existing.get("is_default")):
raise LeauditException(StatusCodeEnum.HTTP_400_BAD_REQUEST, "默认知识库不允许删除,请先切换默认知识库")
async with GetAsyncSession() as session:
@@ -691,6 +701,24 @@ class RagDatasetServiceImpl(IRagDatasetService):
return f"legal_kb_{normalized}"[:96]
return f"legal_kb_{uuid.uuid4().hex[:12]}"
def _resolve_managed_area(self, UserRole: str | None, UserArea: str | None) -> str | None:
if UserRole == "admin":
area = str(UserArea or "").strip()
if not area:
raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前市级管理员未配置地区,无法管理知识库")
return area
return None
def _assert_manage_area_scope(self, UserRole: str | None, UserArea: str | None, DatasetArea: str) -> None:
if UserRole in ("provincial_admin", "super_admin"):
return
if UserRole != "admin":
raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前用户没有管理知识库权限")
managed_area = self._resolve_managed_area(UserRole=UserRole, UserArea=UserArea)
if DatasetArea != managed_area:
raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前用户只能管理本地区知识库")
async def UploadDatasetDocument(
self,
CurrentUserId: int,
fastapi_modules/fastapi_leaudit/services/impl/rbacAdminServiceImpl.py
+4
View File
@@ -252,6 +252,10 @@ class RbacAdminServiceImpl(IRbacAdminService):
{"permission_key": "rag:conversation:delete", "display_name": "删除 RAG 会话", "module": "rag", "resource": "conversation", "action": "delete", "api_method": "DELETE", "api_path": "/api/v3/rag/chat/conversations/{ConversationId}", "route_path": "/chat-with-llm"},
{"permission_key": "rag:message:feedback", "display_name": "反馈 RAG 消息", "module": "rag", "resource": "message", "action": "feedback", "api_method": "POST", "api_path": "/api/v3/rag/chat/messages/{MessageId}/feedback", "route_path": "/chat-with-llm"},
{"permission_key": "rag:dataset:read", "display_name": "查看 RAG 知识库", "module": "rag", "resource": "dataset", "action": "read", "api_method": "GET", "api_path": "/api/v3/rag/datasets/my", "route_path": "/chat-with-llm"},
{"permission_key": "rag:dataset:manage", "display_name": "查看知识库配置管理", "module": "rag", "resource": "dataset", "action": "manage", "api_method": "GET", "api_path": "/api/v3/rag/datasets/admin", "route_path": "/chat-with-llm"},
{"permission_key": "rag:dataset:create", "display_name": "创建知识库", "module": "rag", "resource": "dataset", "action": "create", "api_method": "POST", "api_path": "/api/v3/rag/datasets/admin", "route_path": "/chat-with-llm"},
{"permission_key": "rag:dataset:update", "display_name": "更新知识库与文档", "module": "rag", "resource": "dataset", "action": "update", "api_method": "PATCH", "api_path": "/api/v3/rag/datasets/{DatasetId}", "route_path": "/chat-with-llm"},
{"permission_key": "rag:dataset:delete", "display_name": "删除知识库与文档", "module": "rag", "resource": "dataset", "action": "delete", "api_method": "DELETE", "api_path": "/api/v3/rag/datasets/admin/{DatasetId}", "route_path": "/chat-with-llm"},
]
async def ListRoles(self, CurrentUserId: int, Page: int, PageSize: int, RoleKey: str | None, RoleName: str | None, IncludeSystem: bool) -> RoleListVO:
fastapi_modules/fastapi_leaudit/services/impl/rbacServiceImpl.py
+1
View File
@@ -571,6 +571,7 @@ class RbacServiceImpl(IRbacService):
}
_PERMISSION_PREFIXES_BY_PATH: dict[str, list[str]] = {
"/chat-with-llm": ["rag:"],
"/files": ["documents:"],
"/files/upload": ["documents:upload:"],
"/documents": ["documents:"],