feat(auth): 为数据管理和RAG服务增加资源访问控制

- 在DatasetApplicationService中注入ResourceAccessService并添加所有权验证 - 在KnowledgeSetApplicationService中注入ResourceAccessService并添加所有权验证 - 修改DatasetRepository接口和实现类，增加按创建者过滤的方法 - 修改KnowledgeSetRepository接口和实现类，增加按创建者过滤的方法 - 在RAG索引器服务中添加知识库访问权限检查和作用域过滤 - 更新实体元对象处理器以使用请求用户上下文获取当前用户 - 在前端设置页面添加用户权限管理功能和角色权限控制 - 为Python标注服务增加用户上下文和数据集访问权限验证
2026-02-06 14:58:46 +08:00
parent 056cee11cc
commit 6a4c4ae3d7
28 changed files with 1063 additions and 158 deletions
--- a/runtime/datamate-python/app/module/annotation/interface/auto.py
+++ b/runtime/datamate-python/app/module/annotation/interface/auto.py
@@ -17,12 +17,17 @@ from sqlalchemy.ext.asyncio import AsyncSession

 from app.db.session import get_db
 from app.module.shared.schema import StandardResponse
-from app.module.dataset import DatasetManagementService
-from app.core.logging import get_logger
-
-from ..schema.auto import (
-    CreateAutoAnnotationTaskRequest,
-    AutoAnnotationTaskResponse,
+from app.module.dataset import DatasetManagementService
+from app.core.logging import get_logger
+
+from ..security import (
+    RequestUserContext,
+    assert_dataset_access,
+    get_request_user_context,
+)
+from ..schema.auto import (
+    CreateAutoAnnotationTaskRequest,
+    AutoAnnotationTaskResponse,
 )
 from ..service.auto import AutoAnnotationTaskService

@@ -37,15 +42,16 @@ service = AutoAnnotationTaskService()


@router.get("", response_model=StandardResponse[List[AutoAnnotationTaskResponse]])
-async def list_auto_annotation_tasks(
-    db: AsyncSession = Depends(get_db),
-):
+async def list_auto_annotation_tasks(
+    db: AsyncSession = Depends(get_db),
+    user_context: RequestUserContext = Depends(get_request_user_context),
+):
    """获取自动标注任务列表。

    前端当前不传分页参数，这里直接返回所有未删除任务。
    """

-    tasks = await service.list_tasks(db)
+    tasks = await service.list_tasks(db, user_context)
    return StandardResponse(
        code=200,
        message="success",
@@ -54,28 +60,30 @@ async def list_auto_annotation_tasks(


@router.post("", response_model=StandardResponse[AutoAnnotationTaskResponse])
-async def create_auto_annotation_task(
-    request: CreateAutoAnnotationTaskRequest,
-    db: AsyncSession = Depends(get_db),
-):
+async def create_auto_annotation_task(
+    request: CreateAutoAnnotationTaskRequest,
+    db: AsyncSession = Depends(get_db),
+    user_context: RequestUserContext = Depends(get_request_user_context),
+):
    """创建自动标注任务。

    当前仅创建任务记录并置为 pending，实际执行由后续调度/worker 完成。
    """

-    logger.info(
-        "Creating auto annotation task: name=%s, dataset_id=%s, config=%s, file_ids=%s",
-        request.name,
+    logger.info(
+        "Creating auto annotation task: name=%s, dataset_id=%s, config=%s, file_ids=%s",
+        request.name,
        request.dataset_id,
        request.config.model_dump(by_alias=True),
        request.file_ids,
    )

-    # 尝试获取数据集名称和文件数量用于冗余字段，失败时不阻塞任务创建
-    dataset_name = None
-    total_images = 0
-    try:
-        dm_client = DatasetManagementService(db)
+    # 尝试获取数据集名称和文件数量用于冗余字段，失败时不阻塞任务创建
+    dataset_name = None
+    total_images = 0
+    await assert_dataset_access(db, request.dataset_id, user_context)
+    try:
+        dm_client = DatasetManagementService(db)
        # Service.get_dataset 返回 DatasetResponse，包含 name 和 fileCount
        dataset = await dm_client.get_dataset(request.dataset_id)
        if dataset is not None:
@@ -103,16 +111,17 @@ async def create_auto_annotation_task(


@router.get("/{task_id}/status", response_model=StandardResponse[AutoAnnotationTaskResponse])
-async def get_auto_annotation_task_status(
-    task_id: str = Path(..., description="任务ID"),
-    db: AsyncSession = Depends(get_db),
-):
+async def get_auto_annotation_task_status(
+    task_id: str = Path(..., description="任务ID"),
+    db: AsyncSession = Depends(get_db),
+    user_context: RequestUserContext = Depends(get_request_user_context),
+):
    """获取单个自动标注任务状态。

    前端当前主要通过列表轮询，这里提供按 ID 查询的补充接口。
    """

-    task = await service.get_task(db, task_id)
+    task = await service.get_task(db, task_id, user_context)
    if not task:
        raise HTTPException(status_code=404, detail="Task not found")

@@ -124,13 +133,14 @@ async def get_auto_annotation_task_status(


@router.delete("/{task_id}", response_model=StandardResponse[bool])
-async def delete_auto_annotation_task(
-    task_id: str = Path(..., description="任务ID"),
-    db: AsyncSession = Depends(get_db),
-):
+async def delete_auto_annotation_task(
+    task_id: str = Path(..., description="任务ID"),
+    db: AsyncSession = Depends(get_db),
+    user_context: RequestUserContext = Depends(get_request_user_context),
+):
    """删除（软删除）自动标注任务，仅标记 deleted_at。"""

-    ok = await service.soft_delete_task(db, task_id)
+    ok = await service.soft_delete_task(db, task_id, user_context)
    if not ok:
        raise HTTPException(status_code=404, detail="Task not found")

@@ -142,10 +152,11 @@ async def delete_auto_annotation_task(


@router.get("/{task_id}/download")
-async def download_auto_annotation_result(
-    task_id: str = Path(..., description="任务ID"),
-    db: AsyncSession = Depends(get_db),
-):
+async def download_auto_annotation_result(
+    task_id: str = Path(..., description="任务ID"),
+    db: AsyncSession = Depends(get_db),
+    user_context: RequestUserContext = Depends(get_request_user_context),
+):
    """下载指定自动标注任务的结果 ZIP。"""

    import io
@@ -154,7 +165,7 @@ async def download_auto_annotation_result(
    import tempfile

    # 复用服务层获取任务信息
-    task = await service.get_task(db, task_id)
+    task = await service.get_task(db, task_id, user_context)
    if not task:
        raise HTTPException(status_code=404, detail="Task not found")