feat(auth): 为数据管理和RAG服务增加资源访问控制

- 在DatasetApplicationService中注入ResourceAccessService并添加所有权验证 - 在KnowledgeSetApplicationService中注入ResourceAccessService并添加所有权验证 - 修改DatasetRepository接口和实现类，增加按创建者过滤的方法 - 修改KnowledgeSetRepository接口和实现类，增加按创建者过滤的方法 - 在RAG索引器服务中添加知识库访问权限检查和作用域过滤 - 更新实体元对象处理器以使用请求用户上下文获取当前用户 - 在前端设置页面添加用户权限管理功能和角色权限控制 - 为Python标注服务增加用户上下文和数据集访问权限验证
2026-02-06 14:58:46 +08:00
parent 056cee11cc
commit 6a4c4ae3d7
28 changed files with 1063 additions and 158 deletions
--- a/runtime/datamate-python/app/module/annotation/service/auto.py
+++ b/runtime/datamate-python/app/module/annotation/service/auto.py
@@ -5,11 +5,12 @@ from typing import List, Optional
 from datetime import datetime
 from uuid import uuid4

-from sqlalchemy import select
-from sqlalchemy.ext.asyncio import AsyncSession
-
-from app.db.models.annotation_management import AutoAnnotationTask
-from app.db.models.dataset_management import Dataset, DatasetFiles
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from app.db.models.annotation_management import AutoAnnotationTask
+from app.db.models.dataset_management import Dataset, DatasetFiles
+from app.module.annotation.security import RequestUserContext

 from ..schema.auto import (
    CreateAutoAnnotationTaskRequest,
@@ -17,7 +18,7 @@ from ..schema.auto import (
 )


-class AutoAnnotationTaskService:
+class AutoAnnotationTaskService:
    """自动标注任务服务（仅管理任务元数据，真正执行由 runtime 负责）"""

    async def create_task(
@@ -63,15 +64,27 @@ class AutoAnnotationTaskService:
            resp.source_datasets = [dataset_name] if dataset_name else [request.dataset_id]
        return resp

-    async def list_tasks(self, db: AsyncSession) -> List[AutoAnnotationTaskResponse]:
-        """获取未软删除的自动标注任务列表，按创建时间倒序。"""
-
-        result = await db.execute(
-            select(AutoAnnotationTask)
-            .where(AutoAnnotationTask.deleted_at.is_(None))
-            .order_by(AutoAnnotationTask.created_at.desc())
-        )
-        tasks: List[AutoAnnotationTask] = list(result.scalars().all())
+    def _apply_dataset_scope(self, query, user_context: RequestUserContext):
+        if user_context.is_admin:
+            return query
+        return query.join(
+            Dataset,
+            AutoAnnotationTask.dataset_id == Dataset.id,
+        ).where(Dataset.created_by == user_context.user_id)
+
+    async def list_tasks(
+        self,
+        db: AsyncSession,
+        user_context: RequestUserContext,
+    ) -> List[AutoAnnotationTaskResponse]:
+        """获取未软删除的自动标注任务列表，按创建时间倒序。"""
+
+        query = select(AutoAnnotationTask).where(AutoAnnotationTask.deleted_at.is_(None))
+        query = self._apply_dataset_scope(query, user_context)
+        result = await db.execute(
+            query.order_by(AutoAnnotationTask.created_at.desc())
+        )
+        tasks: List[AutoAnnotationTask] = list(result.scalars().all())

        responses: List[AutoAnnotationTaskResponse] = []
        for task in tasks:
@@ -87,16 +100,21 @@ class AutoAnnotationTaskService:

        return responses

-    async def get_task(self, db: AsyncSession, task_id: str) -> Optional[AutoAnnotationTaskResponse]:
-        result = await db.execute(
-            select(AutoAnnotationTask).where(
-                AutoAnnotationTask.id == task_id,
-                AutoAnnotationTask.deleted_at.is_(None),
-            )
-        )
-        task = result.scalar_one_or_none()
-        if not task:
-            return None
+    async def get_task(
+        self,
+        db: AsyncSession,
+        task_id: str,
+        user_context: RequestUserContext,
+    ) -> Optional[AutoAnnotationTaskResponse]:
+        query = select(AutoAnnotationTask).where(
+            AutoAnnotationTask.id == task_id,
+            AutoAnnotationTask.deleted_at.is_(None),
+        )
+        query = self._apply_dataset_scope(query, user_context)
+        result = await db.execute(query)
+        task = result.scalar_one_or_none()
+        if not task:
+            return None

        resp = AutoAnnotationTaskResponse.model_validate(task)
        try:
@@ -138,16 +156,21 @@ class AutoAnnotationTaskService:
            return [task.dataset_id]
        return []

-    async def soft_delete_task(self, db: AsyncSession, task_id: str) -> bool:
-        result = await db.execute(
-            select(AutoAnnotationTask).where(
-                AutoAnnotationTask.id == task_id,
-                AutoAnnotationTask.deleted_at.is_(None),
-            )
-        )
-        task = result.scalar_one_or_none()
-        if not task:
-            return False
+    async def soft_delete_task(
+        self,
+        db: AsyncSession,
+        task_id: str,
+        user_context: RequestUserContext,
+    ) -> bool:
+        query = select(AutoAnnotationTask).where(
+            AutoAnnotationTask.id == task_id,
+            AutoAnnotationTask.deleted_at.is_(None),
+        )
+        query = self._apply_dataset_scope(query, user_context)
+        result = await db.execute(query)
+        task = result.scalar_one_or_none()
+        if not task:
+            return False

        task.deleted_at = datetime.now()
        await db.commit()