fix: tighten rag permissions and area scope

2026-05-11 18:01:09 +08:00
parent f788149ca7
commit 2aa5a6d1d6
5 changed files with 189 additions and 12 deletions
@@ -65,6 +65,7 @@ class RagDatasetServiceImpl(IRagDatasetService):
    ) -> RagDatasetPageVO:
        if UserRole not in ("provincial_admin", "admin", "super_admin"):
            raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前用户没有管理知识库权限")
+        managed_area = self._resolve_managed_area(UserRole=UserRole, UserArea=UserArea)

        filters = ["d.deleted_at IS NULL"]
        params: dict = {
@@ -72,7 +73,12 @@ class RagDatasetServiceImpl(IRagDatasetService):
            "limit": PageSize,
        }
        areas = [item.strip() for item in str(Area or "").split(",") if item.strip()]
-        if len(areas) == 1:
+        if managed_area:
+            if areas and any(item != managed_area for item in areas):
+                raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前用户只能查看本地区知识库配置")
+            filters.append("d.area = :managed_area")
+            params["managed_area"] = managed_area
+        elif len(areas) == 1:
            filters.append("d.area = :area")
            params["area"] = areas[0]
        elif len(areas) > 1:
@@ -127,6 +133,7 @@ class RagDatasetServiceImpl(IRagDatasetService):
        description = str(Body.get("dataset_description") or Body.get("description") or "").strip()
        if not area or not name:
            raise LeauditException(StatusCodeEnum.HTTP_400_BAD_REQUEST, "地区和知识库名称不能为空")
+        self._assert_manage_area_scope(UserRole=UserRole, UserArea=UserArea, DatasetArea=area)

        collection_name = self._slugify_collection_name(area, name)
        retrieval_model = {}
@@ -208,8 +215,10 @@ class RagDatasetServiceImpl(IRagDatasetService):
        existing = await self._get_dataset_row(DatasetId)
        if not existing:
            return None
+        self._assert_manage_area_scope(UserRole=UserRole, UserArea=UserArea, DatasetArea=str(existing.get("area") or ""))

        area = str(Body.get("area") or existing.get("area") or "").strip()
+        self._assert_manage_area_scope(UserRole=UserRole, UserArea=UserArea, DatasetArea=area)

        async with GetAsyncSession() as session:
            target_is_default = bool(Body.get("is_default", existing.get("is_default")))
@@ -268,6 +277,7 @@ class RagDatasetServiceImpl(IRagDatasetService):
        existing = await self._get_dataset_row(DatasetId)
        if not existing:
            raise LeauditException(StatusCodeEnum.HTTP_404_NOT_FOUND, "知识库不存在")
+        self._assert_manage_area_scope(UserRole=UserRole, UserArea=UserArea, DatasetArea=str(existing.get("area") or ""))
        if bool(existing.get("is_default")):
            raise LeauditException(StatusCodeEnum.HTTP_400_BAD_REQUEST, "默认知识库不允许删除，请先切换默认知识库")
        async with GetAsyncSession() as session:
@@ -691,6 +701,24 @@ class RagDatasetServiceImpl(IRagDatasetService):
            return f"legal_kb_{normalized}"[:96]
        return f"legal_kb_{uuid.uuid4().hex[:12]}"

+    def _resolve_managed_area(self, UserRole: str | None, UserArea: str | None) -> str | None:
+        if UserRole == "admin":
+            area = str(UserArea or "").strip()
+            if not area:
+                raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前市级管理员未配置地区，无法管理知识库")
+            return area
+        return None
+
+    def _assert_manage_area_scope(self, UserRole: str | None, UserArea: str | None, DatasetArea: str) -> None:
+        if UserRole in ("provincial_admin", "super_admin"):
+            return
+        if UserRole != "admin":
+            raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前用户没有管理知识库权限")
+
+        managed_area = self._resolve_managed_area(UserRole=UserRole, UserArea=UserArea)
+        if DatasetArea != managed_area:
+            raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, "当前用户只能管理本地区知识库")
+
    async def UploadDatasetDocument(
        self,
        CurrentUserId: int,