feat(auth): 为数据管理和RAG服务增加资源访问控制

- 在DatasetApplicationService中注入ResourceAccessService并添加所有权验证 - 在KnowledgeSetApplicationService中注入ResourceAccessService并添加所有权验证 - 修改DatasetRepository接口和实现类，增加按创建者过滤的方法 - 修改KnowledgeSetRepository接口和实现类，增加按创建者过滤的方法 - 在RAG索引器服务中添加知识库访问权限检查和作用域过滤 - 更新实体元对象处理器以使用请求用户上下文获取当前用户 - 在前端设置页面添加用户权限管理功能和角色权限控制 - 为Python标注服务增加用户上下文和数据集访问权限验证
2026-02-06 14:58:46 +08:00
parent 056cee11cc
commit 6a4c4ae3d7
28 changed files with 1063 additions and 158 deletions
--- a/runtime/datamate-python/app/module/annotation/interface/task.py
+++ b/runtime/datamate-python/app/module/annotation/interface/task.py
@@ -10,6 +10,11 @@ from app.module.dataset import DatasetManagementService
 from app.core.logging import get_logger
 from app.core.config import settings

+from ..security import (
+    RequestUserContext,
+    assert_dataset_access,
+    get_request_user_context,
+)
 from ..service.mapping import DatasetMappingService
 from ..schema import (
    SyncDatasetRequest,
@@ -32,7 +37,8 @@ logger = get_logger(__name__)
@router.post("/sync", response_model=StandardResponse[SyncDatasetResponse])
 async def sync_dataset_content(
    request: SyncDatasetRequest,
-    db: AsyncSession = Depends(get_db)
+    db: AsyncSession = Depends(get_db),
+    user_context: RequestUserContext = Depends(get_request_user_context),
 ):
    """
    Sync Dataset Content (Files and Annotations)
@@ -51,6 +57,7 @@ async def sync_dataset_content(
                status_code=404,
                detail=f"Mapping not found: {request.id}"
            )
+        await assert_dataset_access(db, mapping.dataset_id, user_context)

        dm_client = DatasetManagementService(db)
        dataset_info = await dm_client.get_dataset(mapping.dataset_id)
@@ -82,7 +89,8 @@ async def sync_dataset_content(
@router.post("/annotation/sync", response_model=StandardResponse[SyncAnnotationsResponse])
 async def sync_annotations(
    request: SyncAnnotationsRequest,
-    db: AsyncSession = Depends(get_db)
+    db: AsyncSession = Depends(get_db),
+    user_context: RequestUserContext = Depends(get_request_user_context),
 ):
    """
    Sync Annotations Only (Bidirectional Support)
@@ -102,6 +110,7 @@ async def sync_annotations(
                status_code=404,
                detail=f"Mapping not found: {request.id}"
            )
+        await assert_dataset_access(db, mapping.dataset_id, user_context)

        result = SyncAnnotationsResponse(
            id=mapping.id,
@@ -156,7 +165,8 @@ async def check_label_studio_connection():
 async def update_file_tags(
    request: UpdateFileTagsRequest,
    file_id: str = Path(..., description="文件ID"),
-    db: AsyncSession = Depends(get_db)
+    db: AsyncSession = Depends(get_db),
+    user_context: RequestUserContext = Depends(get_request_user_context),
 ):
    """
    Update File Tags (Partial Update with Auto Format Conversion)
@@ -189,6 +199,7 @@ async def update_file_tags(
        raise HTTPException(status_code=404, detail=f"File not found: {file_id}")
    
    dataset_id = str(file_record.dataset_id)  # type: ignore - Convert Column to str
+    await assert_dataset_access(db, dataset_id, user_context)
    
    # 查找数据集关联的模板ID
    from ..service.mapping import DatasetMappingService