ngskcloud
/
gcgj-dify-1.7.0
17
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: support email as admin login

Browse Source
pull/21891/head
ytqh 1 year ago
parent 6f3bd7c6a5
commit 3a82e83dad
5 changed files with 284 additions and 106 deletions
Show Stats Download Patch File Download Diff File

5
api/configs/school/__init__.py
Unescape Escape View File

@ -59,6 +59,11 @@ class SchoolConfig(BaseSettings):
default=None, default=None,
) )
DEBUG_ADMIN_EMAIL: Optional[str] = Field(
description="Debug admin email for DEMO school-level features.",
default=None,
)
DEBUG_CODE_FOR_LOGIN: Optional[str] = Field( DEBUG_CODE_FOR_LOGIN: Optional[str] = Field(
description="Default code for login", description="Default code for login",
default=None, default=None,

139
api/controllers/admin/auth/login.py
Unescape Escape View File

@ -1,12 +1,11 @@
from typing import cast from typing import cast
import flask_login # type: ignore import flask_login # type: ignore
from flask import request
from flask_restful import Resource, reqparse # type: ignore
from configs import dify_config from configs import dify_config
from controllers.admin import api from controllers.admin import api
from controllers.service_api_with_auth.error import AccountInFreezeError from controllers.service_api_with_auth.error import AccountInFreezeError
from flask import request
from flask_restful import Resource, reqparse # type: ignore
from libs.helper import extract_remote_ip from libs.helper import extract_remote_ip
from models.account import Account from models.account import Account
from services.account_service import AccountService from services.account_service import AccountService
@ -15,12 +14,12 @@ from services.errors.account import AccountRegisterError
class SendVerificationCodeApi(Resource): class SendVerificationCodeApi(Resource):
def post(self): def post(self):
"""Send verification code to admin's phone number. """Send verification code to admin's phone number or email.
--- ---
tags: tags:
- admin/api/auth - admin/api/auth
summary: Send Verification Code summary: Send Verification Code
description: Sends a verification code to the provided admin phone number for authentication description: Sends a verification code to the provided admin phone number or email for authentication
parameters: parameters:
- in: body - in: body
name: body name: body
@ -28,12 +27,12 @@ class SendVerificationCodeApi(Resource):
schema: schema:
type: object type: object
required: required:
- phone - login_id
properties: properties:
phone: login_id:
type: string type: string
description: Admin's phone number description: Admin's phone number or email address
example: "13800138000" example: "admin@test.edu"
responses: responses:
200: 200:
description: Code sent successfully description: Code sent successfully
@ -45,42 +44,60 @@ class SendVerificationCodeApi(Resource):
data: data:
type: string type: string
400: 400:
description: Invalid phone number format description: Invalid input format or missing required fields
404: 404:
description: Phone number not registered as admin description: Phone number or email not registered as admin
""" """
parser = reqparse.RequestParser() parser = reqparse.RequestParser()
parser.add_argument("phone", type=str, required=True, location="json") parser.add_argument("login_id", type=str, required=True, location="json")
args = parser.parse_args() args = parser.parse_args()
phone = args["phone"] login_id = args.get("login_id")
# Determine if login_id is an email or phone number
is_email = "@" in login_id
ip_address = extract_remote_ip(request) ip_address = extract_remote_ip(request)
if AccountService.is_phone_send_ip_limit(ip_address) and phone != dify_config.DEBUG_ADMIN_PHONE:
return {"result": "fail", "data": "Too many requests from this IP address"}, 429 if AccountService.is_login_attempt_ip_limit(ip_address) and login_id not in {
dify_config.DEBUG_ADMIN_EMAIL,
dify_config.DEBUG_ADMIN_PHONE,
}:
return {
"result": "fail",
"data": "Too many requests from this IP address",
}, 429
try: try:
# find account by phone number & chech role is end_admin # Use the unified method to check admin account
account = AccountService.get_admin_through_phone(phone) account = AccountService.get_admin_through_login_id(login_id)
except AccountRegisterError: except AccountRegisterError:
raise AccountInFreezeError() raise AccountInFreezeError()
if account is None: if account is None:
return {"result": "fail", "data": "Phone number not registered as admin"}, 404 error_type = "Email" if is_email else "Phone number"
return {
"result": "fail",
"data": f"{error_type} not registered as admin",
}, 404
token = AccountService.send_phone_code_login(phone=phone) # Send verification code
if is_email:
token = AccountService.send_email_code_login_email(email=login_id)
else:
token = AccountService.send_phone_code_login(phone=login_id)
return {"result": "success", "data": token} return {"result": "success", "data": token}
class LoginApi(Resource): class LoginApi(Resource):
def post(self): def post(self):
"""Admin login with phone number and verification code. """Admin login with phone number/email and verification code.
--- ---
tags: tags:
- admin/api/auth - admin/api/auth
summary: Admin Login summary: Admin Login
description: Authenticates an admin using phone number and verification code description: Authenticates an admin using phone number/email and verification code
parameters: parameters:
- in: body - in: body
name: body name: body
@ -88,14 +105,14 @@ class LoginApi(Resource):
schema: schema:
type: object type: object
required: required:
- phone - login_id
- code - code
- token - token
properties: properties:
phone: login_id:
type: string type: string
description: Admin's phone number description: Admin's phone number or email address
example: "13800138000" example: "admin@test.edu"
code: code:
type: string type: string
description: Verification code description: Verification code
@ -123,6 +140,8 @@ class LoginApi(Resource):
type: string type: string
phone: phone:
type: string type: string
email:
type: string
name: name:
type: string type: string
role: role:
@ -131,39 +150,69 @@ class LoginApi(Resource):
400: 400:
description: Invalid or expired verification code description: Invalid or expired verification code
404: 404:
description: Phone number not registered description: Phone number or email not registered
""" """
parser = reqparse.RequestParser() parser = reqparse.RequestParser()
parser.add_argument("phone", type=str, required=True, location="json") parser.add_argument("login_id", type=str, required=True, location="json")
parser.add_argument("code", type=str, required=True, location="json") parser.add_argument("code", type=str, required=True, location="json")
parser.add_argument("token", type=str, required=True, location="json") parser.add_argument("token", type=str, required=True, location="json")
args = parser.parse_args() args = parser.parse_args()
# Verify the token and code login_id = args.get("login_id")
token_data = AccountService.get_phone_code_login_data(args["token"])
if token_data is None: # Determine if login_id is an email or phone number
return {"result": "fail", "data": "Invalid or expired token"}, 400 is_email = "@" in login_id
# Handle verification based on identified type
if is_email:
# Email-based verification
token_data = AccountService.get_email_code_login_data(args["token"])
if token_data is None:
return {"result": "fail", "data": "Invalid or expired token"}, 400
if token_data.get("email") != login_id:
return {"result": "fail", "data": "Email does not match"}, 400
if token_data["phone"] != args["phone"]: if token_data["code"] != args["code"]:
return {"result": "fail", "data": "Phone number does not match"}, 400 return {"result": "fail", "data": "Invalid verification code"}, 400
if token_data["code"] != args["code"]: # Revoke the token after successful verification
return {"result": "fail", "data": "Invalid verification code"}, 400 AccountService.revoke_email_code_login_token(args["token"])
else:
# Phone-based verification
token_data = AccountService.get_phone_code_login_data(args["token"])
if token_data is None:
return {"result": "fail", "data": "Invalid or expired token"}, 400
# Revoke the token after successful verification if token_data["phone"] != login_id:
AccountService.revoke_phone_code_login_token(args["token"]) return {"result": "fail", "data": "Phone number does not match"}, 400
if token_data["code"] != args["code"]:
return {"result": "fail", "data": "Invalid verification code"}, 400
# Revoke the token after successful verification
AccountService.revoke_phone_code_login_token(args["token"])
try: try:
account = AccountService.get_admin_through_phone(args["phone"]) # Use the unified method to get admin account
account = AccountService.get_admin_through_login_id(login_id)
except AccountRegisterError: except AccountRegisterError:
raise AccountInFreezeError() raise AccountInFreezeError()
if account is None: if account is None:
return {"result": "fail", "data": "Phone number not registered as admin"}, 404 error_type = "Email" if is_email else "Phone number"
return {
"result": "fail",
"data": f"{error_type} not registered as admin",
}, 404
# Reset login error rate limit
AccountService.reset_login_error_rate_limit(login_id)
# Generate token for the authenticated admin # Generate token for the authenticated admin
token_pair = AccountService.login(account, ip_address=extract_remote_ip(request)) token_pair = AccountService.login(
AccountService.reset_login_error_rate_limit(args["phone"]) account, ip_address=extract_remote_ip(request)
)
response_data = token_pair.model_dump() response_data = token_pair.model_dump()
@ -250,7 +299,7 @@ class RefreshTokenApi(Resource):
# Register the resources # Register the resources
api.add_resource(SendVerificationCodeApi, '/auth/send-code') api.add_resource(SendVerificationCodeApi, "/auth/send-code")
api.add_resource(LoginApi, '/auth/login') api.add_resource(LoginApi, "/auth/login")
api.add_resource(LogoutApi, '/auth/logout') api.add_resource(LogoutApi, "/auth/logout")
api.add_resource(RefreshTokenApi, '/auth/refresh-token') api.add_resource(RefreshTokenApi, "/auth/refresh-token")

236
api/services/account_service.py
Unescape Escape View File

@ -70,7 +70,9 @@ REFRESH_TOKEN_EXPIRY = timedelta(days=dify_config.REFRESH_TOKEN_EXPIRE_DAYS)
class AccountService: class AccountService:
reset_password_rate_limiter = RateLimiter(prefix="reset_password_rate_limit", max_attempts=1, time_window=60 * 1) reset_password_rate_limiter = RateLimiter(
prefix="reset_password_rate_limit", max_attempts=1, time_window=60 * 1
)
email_code_login_rate_limiter = RateLimiter( email_code_login_rate_limiter = RateLimiter(
prefix="email_code_login_rate_limit", max_attempts=1, time_window=60 * 1 prefix="email_code_login_rate_limit", max_attempts=1, time_window=60 * 1
) )
@ -120,12 +122,16 @@ class AccountService:
if account.status == AccountStatus.BANNED.value: if account.status == AccountStatus.BANNED.value:
raise Unauthorized("Account is banned.") raise Unauthorized("Account is banned.")
current_tenant = TenantAccountJoin.query.filter_by(account_id=account.id, current=True).first() current_tenant = TenantAccountJoin.query.filter_by(
account_id=account.id, current=True
).first()
if current_tenant: if current_tenant:
account.current_tenant_id = current_tenant.tenant_id account.current_tenant_id = current_tenant.tenant_id
else: else:
available_ta = ( available_ta = (
TenantAccountJoin.query.filter_by(account_id=account.id).order_by(TenantAccountJoin.id.asc()).first() TenantAccountJoin.query.filter_by(account_id=account.id)
.order_by(TenantAccountJoin.id.asc())
.first()
) )
if not available_ta: if not available_ta:
return None return None
@ -134,7 +140,9 @@ class AccountService:
available_ta.current = True available_ta.current = True
db.session.commit() db.session.commit()
if datetime.now(UTC).replace(tzinfo=None) - account.last_active_at > timedelta(minutes=10): if datetime.now(UTC).replace(tzinfo=None) - account.last_active_at > timedelta(
minutes=10
):
account.last_active_at = datetime.now(UTC).replace(tzinfo=None) account.last_active_at = datetime.now(UTC).replace(tzinfo=None)
db.session.commit() db.session.commit()
@ -142,7 +150,9 @@ class AccountService:
@staticmethod @staticmethod
def get_account_jwt_token(account: Account) -> str: def get_account_jwt_token(account: Account) -> str:
exp_dt = datetime.now(UTC) + timedelta(minutes=dify_config.ACCESS_TOKEN_EXPIRE_MINUTES) exp_dt = datetime.now(UTC) + timedelta(
minutes=dify_config.ACCESS_TOKEN_EXPIRE_MINUTES
)
exp = int(exp_dt.timestamp()) exp = int(exp_dt.timestamp())
payload = { payload = {
"user_id": account.id, "user_id": account.id,
@ -155,7 +165,9 @@ class AccountService:
return token return token
@staticmethod @staticmethod
def authenticate(email: str, password: str, invite_token: Optional[str] = None) -> Account: def authenticate(
email: str, password: str, invite_token: Optional[str] = None
) -> Account:
"""authenticate account with email and password""" """authenticate account with email and password"""
account = db.session.query(Account).filter_by(email=email).first() account = db.session.query(Account).filter_by(email=email).first()
@ -174,7 +186,9 @@ class AccountService:
account.password = base64_password_hashed account.password = base64_password_hashed
account.password_salt = base64_salt account.password_salt = base64_salt
if account.password is None or not compare_password(password, account.password, account.password_salt): if account.password is None or not compare_password(
password, account.password, account.password_salt
):
raise AccountPasswordError("Invalid email or password.") raise AccountPasswordError("Invalid email or password.")
if account.status == AccountStatus.PENDING.value: if account.status == AccountStatus.PENDING.value:
@ -188,7 +202,9 @@ class AccountService:
@staticmethod @staticmethod
def update_account_password(account, password, new_password): def update_account_password(account, password, new_password):
"""update account password""" """update account password"""
if account.password and not compare_password(password, account.password, account.password_salt): if account.password and not compare_password(
password, account.password, account.password_salt
):
raise CurrentPasswordIncorrectError("Current password is incorrect.") raise CurrentPasswordIncorrectError("Current password is incorrect.")
# may be raised # may be raised
@ -305,7 +321,9 @@ class AccountService:
def send_account_deletion_verification_email(cls, account: Account, code: str): def send_account_deletion_verification_email(cls, account: Account, code: str):
email = account.email email = account.email
if cls.email_code_account_deletion_rate_limiter.is_rate_limited(email): if cls.email_code_account_deletion_rate_limiter.is_rate_limited(email):
from controllers.console.auth.error import EmailCodeAccountDeletionRateLimitExceededError from controllers.console.auth.error import (
EmailCodeAccountDeletionRateLimitExceededError,
)
raise EmailCodeAccountDeletionRateLimitExceededError() raise EmailCodeAccountDeletionRateLimitExceededError()
@ -334,9 +352,11 @@ class AccountService:
"""Link account integrate""" """Link account integrate"""
try: try:
# Query whether there is an existing binding record for the same provider # Query whether there is an existing binding record for the same provider
account_integrate: Optional[AccountIntegrate] = AccountIntegrate.query.filter_by( account_integrate: Optional[AccountIntegrate] = (
account_id=account.id, provider=provider AccountIntegrate.query.filter_by(
).first() account_id=account.id, provider=provider
).first()
)
if account_integrate: if account_integrate:
# If it exists, update the record # If it exists, update the record
@ -356,7 +376,9 @@ class AccountService:
db.session.commit() db.session.commit()
logging.info(f"Account {account.id} linked {provider} account {open_id}.") logging.info(f"Account {account.id} linked {provider} account {open_id}.")
except Exception as e: except Exception as e:
logging.exception(f"Failed to link {provider} account {open_id} to Account {account.id}") logging.exception(
f"Failed to link {provider} account {open_id} to Account {account.id}"
)
raise LinkAccountIntegrateError("Failed to link account.") from e raise LinkAccountIntegrateError("Failed to link account.") from e
@staticmethod @staticmethod
@ -403,14 +425,20 @@ class AccountService:
@staticmethod @staticmethod
def logout(*, account: Account) -> None: def logout(*, account: Account) -> None:
refresh_token = redis_client.get(AccountService._get_account_refresh_token_key(account.id)) refresh_token = redis_client.get(
AccountService._get_account_refresh_token_key(account.id)
)
if refresh_token: if refresh_token:
AccountService._delete_refresh_token(refresh_token.decode("utf-8"), account.id) AccountService._delete_refresh_token(
refresh_token.decode("utf-8"), account.id
)
@staticmethod @staticmethod
def refresh_token(refresh_token: str) -> TokenPair: def refresh_token(refresh_token: str) -> TokenPair:
# Verify the refresh token # Verify the refresh token
account_id = redis_client.get(AccountService._get_refresh_token_key(refresh_token)) account_id = redis_client.get(
AccountService._get_refresh_token_key(refresh_token)
)
if not account_id: if not account_id:
raise ValueError("Invalid refresh token") raise ValueError("Invalid refresh token")
@ -443,7 +471,9 @@ class AccountService:
raise ValueError("Email must be provided.") raise ValueError("Email must be provided.")
if cls.reset_password_rate_limiter.is_rate_limited(account_email): if cls.reset_password_rate_limiter.is_rate_limited(account_email):
from controllers.console.auth.error import PasswordResetRateLimitExceededError from controllers.console.auth.error import (
PasswordResetRateLimitExceededError,
)
raise PasswordResetRateLimitExceededError() raise PasswordResetRateLimitExceededError()
@ -469,7 +499,10 @@ class AccountService:
code = "".join([str(random.randint(0, 9)) for _ in range(6)]) code = "".join([str(random.randint(0, 9)) for _ in range(6)])
additional_data["code"] = code additional_data["code"] = code
token = TokenManager.generate_token( token = TokenManager.generate_token(
account=account, email=email, token_type="reset_password", additional_data=additional_data account=account,
email=email,
token_type="reset_password",
additional_data=additional_data,
) )
return code, token return code, token
@ -492,10 +525,14 @@ class AccountService:
if email is None: if email is None:
raise ValueError("Email must be provided.") raise ValueError("Email must be provided.")
if dify_config.DEBUG_ORG_EMAIL_DOMAIN and email.endswith(dify_config.DEBUG_ORG_EMAIL_DOMAIN): if dify_config.DEBUG_ORG_EMAIL_DOMAIN and email.endswith(
dify_config.DEBUG_ORG_EMAIL_DOMAIN
):
code = dify_config.DEBUG_CODE_FOR_LOGIN code = dify_config.DEBUG_CODE_FOR_LOGIN
elif cls.email_code_login_rate_limiter.is_rate_limited(email): elif cls.email_code_login_rate_limiter.is_rate_limited(email):
from controllers.console.auth.error import EmailCodeLoginRateLimitExceededError from controllers.console.auth.error import (
EmailCodeLoginRateLimitExceededError,
)
raise EmailCodeLoginRateLimitExceededError() raise EmailCodeLoginRateLimitExceededError()
else: else:
@ -622,7 +659,9 @@ class AccountService:
redis_client.setex(freeze_key, 60 * 60, 1) redis_client.setex(freeze_key, 60 * 60, 1)
return True return True
else: else:
redis_client.setex(hour_limit_key, 60 * 10, hour_limit_count + 1) # first time limit 10 minutes redis_client.setex(
hour_limit_key, 60 * 10, hour_limit_count + 1
) # first time limit 10 minutes
# add hour limit count # add hour limit count
redis_client.incr(hour_limit_key) redis_client.incr(hour_limit_key)
@ -647,11 +686,7 @@ class AccountService:
Raises Unauthorized if account is banned. Raises Unauthorized if account is banned.
""" """
# Query directly with phone number first # Query directly with phone number first
admin_account = ( admin_account = db.session.query(Account).filter(Account.phone == phone).first()
db.session.query(Account)
.filter(Account.phone == phone)
.first()
)
if not admin_account: if not admin_account:
return None return None
@ -662,7 +697,9 @@ class AccountService:
organization_id = admin_account.current_organization_id organization_id = admin_account.current_organization_id
if not organization_id: if not organization_id:
logging.warning(f"Account {admin_account.id} is not a member of any organization.") logging.warning(
f"Account {admin_account.id} is not a member of any organization."
)
return None return None
# If organization_id is provided, check if account is an admin member of that organization # If organization_id is provided, check if account is an admin member of that organization
@ -673,26 +710,28 @@ class AccountService:
.filter( .filter(
OrganizationMember.organization_id == organization_id, OrganizationMember.organization_id == organization_id,
OrganizationMember.account_id == admin_account.id, OrganizationMember.account_id == admin_account.id,
OrganizationMember.role == OrganizationRole.ADMIN OrganizationMember.role == OrganizationRole.ADMIN,
) )
.first() .first()
) )
if not org_member: if not org_member:
logging.warning(f"Account {admin_account.id} is not a member of any organization.") logging.warning(
f"Account {admin_account.id} is not a member of any organization."
)
return None return None
return admin_account return admin_account
@classmethod @classmethod
def is_phone_send_ip_limit(cls, ip_address: str) -> bool: def is_login_attempt_ip_limit(cls, ip_address: str) -> bool:
""" """
Check if IP has reached the limit for sending phone verification codes. Check if IP has reached the limit for sending phone verification codes.
Similar to is_email_send_ip_limit but for phone verification. Similar to is_email_send_ip_limit but for phone verification.
""" """
minute_key = f"phone_send_ip_limit_minute:{ip_address}" minute_key = f"login_attempt_ip_limit_minute:{ip_address}"
freeze_key = f"phone_send_ip_limit_freeze:{ip_address}" freeze_key = f"login_attempt_ip_limit_freeze:{ip_address}"
hour_limit_key = f"phone_send_ip_limit_hour:{ip_address}" hour_limit_key = f"login_attempt_ip_limit_hour:{ip_address}"
# check ip is frozen # check ip is frozen
if redis_client.get(freeze_key): if redis_client.get(freeze_key):
@ -705,7 +744,9 @@ class AccountService:
current_minute_count = int(current_minute_count) current_minute_count = int(current_minute_count)
# check current hour count # check current hour count
if current_minute_count > dify_config.EMAIL_SEND_IP_LIMIT_PER_MINUTE: # Use same limit as email if (
current_minute_count > dify_config.EMAIL_SEND_IP_LIMIT_PER_MINUTE
): # Use same limit as email
hour_limit_count = redis_client.get(hour_limit_key) hour_limit_count = redis_client.get(hour_limit_key)
if hour_limit_count is None: if hour_limit_count is None:
hour_limit_count = 0 hour_limit_count = 0
@ -715,7 +756,9 @@ class AccountService:
redis_client.setex(freeze_key, 60 * 60, 1) redis_client.setex(freeze_key, 60 * 60, 1)
return True return True
else: else:
redis_client.setex(hour_limit_key, 60 * 10, hour_limit_count + 1) # first time limit 10 minutes redis_client.setex(
hour_limit_key, 60 * 10, hour_limit_count + 1
) # first time limit 10 minutes
# add hour limit count # add hour limit count
redis_client.incr(hour_limit_key) redis_client.incr(hour_limit_key)
@ -769,6 +812,34 @@ class AccountService:
"""Revoke phone code login token""" """Revoke phone code login token"""
TokenManager.revoke_token(token, "phone_code_login") TokenManager.revoke_token(token, "phone_code_login")
@classmethod
def get_admin_through_login_id(cls, login_id: str):
"""
Get admin account through login ID (either email or phone number).
Args:
login_id: The email or phone number to search for
Returns None if no admin account with this ID exists.
Raises Unauthorized if account is banned.
"""
account = (
db.session.query(Account)
.filter((Account.email == login_id) | (Account.phone == login_id))
.first()
)
if not account:
return None
if account.status == AccountStatus.BANNED.value:
raise Unauthorized("Account is banned.")
if not account.is_org_admin():
return None
return account
class TenantService: class TenantService:
@ -806,38 +877,53 @@ class TenantService:
): ):
"""Check if user have a workspace or not""" """Check if user have a workspace or not"""
available_ta = ( available_ta = (
TenantAccountJoin.query.filter_by(account_id=account.id).order_by(TenantAccountJoin.id.asc()).first() TenantAccountJoin.query.filter_by(account_id=account.id)
.order_by(TenantAccountJoin.id.asc())
.first()
) )
if available_ta: if available_ta:
return return
"""Create owner tenant if not exist""" """Create owner tenant if not exist"""
if not FeatureService.get_system_features().is_allow_create_workspace and not is_setup: if (
not FeatureService.get_system_features().is_allow_create_workspace
and not is_setup
):
raise WorkSpaceNotAllowedCreateError() raise WorkSpaceNotAllowedCreateError()
if name: if name:
tenant = TenantService.create_tenant(name=name, is_setup=is_setup) tenant = TenantService.create_tenant(name=name, is_setup=is_setup)
else: else:
tenant = TenantService.create_tenant(name=f"{account.name}'s Workspace", is_setup=is_setup) tenant = TenantService.create_tenant(
name=f"{account.name}'s Workspace", is_setup=is_setup
)
TenantService.create_tenant_member(tenant, account, role="owner") TenantService.create_tenant_member(tenant, account, role="owner")
account.current_tenant = tenant account.current_tenant = tenant
db.session.commit() db.session.commit()
tenant_was_created.send(tenant) tenant_was_created.send(tenant)
@staticmethod @staticmethod
def create_tenant_member(tenant: Tenant, account: Account, role: str = "normal") -> TenantAccountJoin: def create_tenant_member(
tenant: Tenant, account: Account, role: str = "normal"
) -> TenantAccountJoin:
"""Create tenant member""" """Create tenant member"""
if role == TenantAccountRole.OWNER.value: if role == TenantAccountRole.OWNER.value:
if TenantService.has_roles(tenant, [TenantAccountRole.OWNER]): if TenantService.has_roles(tenant, [TenantAccountRole.OWNER]):
logging.error(f"Tenant {tenant.id} has already an owner.") logging.error(f"Tenant {tenant.id} has already an owner.")
raise Exception("Tenant already has an owner.") raise Exception("Tenant already has an owner.")
ta = db.session.query(TenantAccountJoin).filter_by(tenant_id=tenant.id, account_id=account.id).first() ta = (
db.session.query(TenantAccountJoin)
.filter_by(tenant_id=tenant.id, account_id=account.id)
.first()
)
if ta: if ta:
ta.role = role ta.role = role
else: else:
ta = TenantAccountJoin(tenant_id=tenant.id, account_id=account.id, role=role) ta = TenantAccountJoin(
tenant_id=tenant.id, account_id=account.id, role=role
)
db.session.add(ta) db.session.add(ta)
db.session.commit() db.session.commit()
@ -863,7 +949,9 @@ class TenantService:
if not tenant: if not tenant:
raise TenantNotFoundError("Tenant not found.") raise TenantNotFoundError("Tenant not found.")
ta = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=account.id).first() ta = TenantAccountJoin.query.filter_by(
tenant_id=tenant.id, account_id=account.id
).first()
if ta: if ta:
tenant.role = ta.role tenant.role = ta.role
else: else:
@ -890,7 +978,9 @@ class TenantService:
) )
if not tenant_account_join: if not tenant_account_join:
raise AccountNotLinkTenantError("Tenant not found or account is not a member of the tenant.") raise AccountNotLinkTenantError(
"Tenant not found or account is not a member of the tenant."
)
else: else:
TenantAccountJoin.query.filter( TenantAccountJoin.query.filter(
TenantAccountJoin.account_id == account.id, TenantAccountJoin.account_id == account.id,
@ -975,7 +1065,9 @@ class TenantService:
return cast(int, db.session.query(func.count(Tenant.id)).scalar()) return cast(int, db.session.query(func.count(Tenant.id)).scalar())
@staticmethod @staticmethod
def check_member_permission(tenant: Tenant, operator: Account, member: Account | None, action: str) -> None: def check_member_permission(
tenant: Tenant, operator: Account, member: Account | None, action: str
) -> None:
"""Check member permission""" """Check member permission"""
perms = { perms = {
"add": [TenantAccountRole.OWNER, TenantAccountRole.ADMIN], "add": [TenantAccountRole.OWNER, TenantAccountRole.ADMIN],
@ -989,20 +1081,26 @@ class TenantService:
if operator.id == member.id: if operator.id == member.id:
raise CannotOperateSelfError("Cannot operate self.") raise CannotOperateSelfError("Cannot operate self.")
ta_operator = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=operator.id).first() ta_operator = TenantAccountJoin.query.filter_by(
tenant_id=tenant.id, account_id=operator.id
).first()
if not ta_operator or ta_operator.role not in perms[action]: if not ta_operator or ta_operator.role not in perms[action]:
raise NoPermissionError(f"No permission to {action} member.") raise NoPermissionError(f"No permission to {action} member.")
@staticmethod @staticmethod
def remove_member_from_tenant(tenant: Tenant, account: Account, operator: Account) -> None: def remove_member_from_tenant(
tenant: Tenant, account: Account, operator: Account
) -> None:
"""Remove member from tenant""" """Remove member from tenant"""
if operator.id == account.id: if operator.id == account.id:
raise CannotOperateSelfError("Cannot operate self.") raise CannotOperateSelfError("Cannot operate self.")
TenantService.check_member_permission(tenant, operator, account, "remove") TenantService.check_member_permission(tenant, operator, account, "remove")
ta = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=account.id).first() ta = TenantAccountJoin.query.filter_by(
tenant_id=tenant.id, account_id=account.id
).first()
if not ta: if not ta:
raise MemberNotInTenantError("Member not in tenant.") raise MemberNotInTenantError("Member not in tenant.")
@ -1010,18 +1108,26 @@ class TenantService:
db.session.commit() db.session.commit()
@staticmethod @staticmethod
def update_member_role(tenant: Tenant, member: Account, new_role: str, operator: Account) -> None: def update_member_role(
tenant: Tenant, member: Account, new_role: str, operator: Account
) -> None:
"""Update member role""" """Update member role"""
TenantService.check_member_permission(tenant, operator, member, "update") TenantService.check_member_permission(tenant, operator, member, "update")
target_member_join = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=member.id).first() target_member_join = TenantAccountJoin.query.filter_by(
tenant_id=tenant.id, account_id=member.id
).first()
if target_member_join.role == new_role: if target_member_join.role == new_role:
raise RoleAlreadyAssignedError("The provided role is already assigned to the member.") raise RoleAlreadyAssignedError(
"The provided role is already assigned to the member."
)
if new_role == "owner": if new_role == "owner":
# Find the current owner and change their role to 'admin' # Find the current owner and change their role to 'admin'
current_owner_join = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, role="owner").first() current_owner_join = TenantAccountJoin.query.filter_by(
tenant_id=tenant.id, role="owner"
).first()
current_owner_join.role = "admin" current_owner_join.role = "admin"
# Update the role of the target member # Update the role of the target member
@ -1031,7 +1137,9 @@ class TenantService:
@staticmethod @staticmethod
def dissolve_tenant(tenant: Tenant, operator: Account) -> None: def dissolve_tenant(tenant: Tenant, operator: Account) -> None:
"""Dissolve tenant""" """Dissolve tenant"""
if not TenantService.check_member_permission(tenant, operator, operator, "remove"): if not TenantService.check_member_permission(
tenant, operator, operator, "remove"
):
raise NoPermissionError("No permission to dissolve tenant.") raise NoPermissionError("No permission to dissolve tenant.")
db.session.query(TenantAccountJoin).filter_by(tenant_id=tenant.id).delete() db.session.query(TenantAccountJoin).filter_by(tenant_id=tenant.id).delete()
db.session.delete(tenant) db.session.delete(tenant)
@ -1116,7 +1224,10 @@ class RegisterService:
if open_id is not None and provider is not None: if open_id is not None and provider is not None:
AccountService.link_account_integrate(provider, open_id, account) AccountService.link_account_integrate(provider, open_id, account)
if FeatureService.get_system_features().is_allow_create_workspace and create_workspace_required: if (
FeatureService.get_system_features().is_allow_create_workspace
and create_workspace_required
):
tenant = TenantService.create_tenant(f"{account.name}'s Workspace") tenant = TenantService.create_tenant(f"{account.name}'s Workspace")
TenantService.create_tenant_member(tenant, account, role="owner") TenantService.create_tenant_member(tenant, account, role="owner")
account.current_tenant = tenant account.current_tenant = tenant
@ -1140,7 +1251,12 @@ class RegisterService:
@classmethod @classmethod
def invite_new_member( def invite_new_member(
cls, tenant: Tenant, email: str, language: str, role: str = "normal", inviter: Account | None = None cls,
tenant: Tenant,
email: str,
language: str,
role: str = "normal",
inviter: Account | None = None,
) -> str: ) -> str:
if not inviter: if not inviter:
raise ValueError("Inviter is required") raise ValueError("Inviter is required")
@ -1165,7 +1281,9 @@ class RegisterService:
TenantService.switch_tenant(account, tenant.id) TenantService.switch_tenant(account, tenant.id)
else: else:
TenantService.check_member_permission(tenant, inviter, account, "add") TenantService.check_member_permission(tenant, inviter, account, "add")
ta = TenantAccountJoin.query.filter_by(tenant_id=tenant.id, account_id=account.id).first() ta = TenantAccountJoin.query.filter_by(
tenant_id=tenant.id, account_id=account.id
).first()
if not ta: if not ta:
TenantService.create_tenant_member(tenant, account, role) TenantService.create_tenant_member(tenant, account, role)
@ -1212,7 +1330,9 @@ class RegisterService:
def revoke_token(cls, workspace_id: str, email: str, token: str): def revoke_token(cls, workspace_id: str, email: str, token: str):
if workspace_id and email: if workspace_id and email:
email_hash = sha256(email.encode()).hexdigest() email_hash = sha256(email.encode()).hexdigest()
cache_key = "member_invite_token:{}, {}:{}".format(workspace_id, email_hash, token) cache_key = "member_invite_token:{}, {}:{}".format(
workspace_id, email_hash, token
)
redis_client.delete(cache_key) redis_client.delete(cache_key)
else: else:
redis_client.delete(cls._get_invitation_token_key(token)) redis_client.delete(cls._get_invitation_token_key(token))
@ -1227,7 +1347,9 @@ class RegisterService:
tenant = ( tenant = (
db.session.query(Tenant) db.session.query(Tenant)
.filter(Tenant.id == invitation_data["workspace_id"], Tenant.status == "normal") .filter(
Tenant.id == invitation_data["workspace_id"], Tenant.status == "normal"
)
.first() .first()
) )

1
docker/.env.example
Unescape Escape View File

@ -1079,6 +1079,7 @@ IMAGE_GENERATION_APP_ID=
DEBUG_ORG_EMAIL_DOMAIN=test.edu DEBUG_ORG_EMAIL_DOMAIN=test.edu
DEBUG_CODE_FOR_LOGIN= DEBUG_CODE_FOR_LOGIN=
DEBUG_ADMIN_PHONE= DEBUG_ADMIN_PHONE=
DEBUG_ADMIN_EMAIL=
PLUGIN_PYTHON_ENV_INIT_TIMEOUT=120 PLUGIN_PYTHON_ENV_INIT_TIMEOUT=120
PLUGIN_MAX_EXECUTION_TIMEOUT=600 PLUGIN_MAX_EXECUTION_TIMEOUT=600

1
docker/docker-compose.yaml
Unescape Escape View File

@ -476,6 +476,7 @@ x-shared-env: &shared-api-worker-env
DEBUG_ORG_EMAIL_DOMAIN: ${DEBUG_ORG_EMAIL_DOMAIN:-test.edu} DEBUG_ORG_EMAIL_DOMAIN: ${DEBUG_ORG_EMAIL_DOMAIN:-test.edu}
DEBUG_CODE_FOR_LOGIN: ${DEBUG_CODE_FOR_LOGIN:-} DEBUG_CODE_FOR_LOGIN: ${DEBUG_CODE_FOR_LOGIN:-}
DEBUG_ADMIN_PHONE: ${DEBUG_ADMIN_PHONE:-} DEBUG_ADMIN_PHONE: ${DEBUG_ADMIN_PHONE:-}
DEBUG_ADMIN_EMAIL: ${DEBUG_ADMIN_EMAIL:-}
PLUGIN_PYTHON_ENV_INIT_TIMEOUT: ${PLUGIN_PYTHON_ENV_INIT_TIMEOUT:-120} PLUGIN_PYTHON_ENV_INIT_TIMEOUT: ${PLUGIN_PYTHON_ENV_INIT_TIMEOUT:-120}
PLUGIN_MAX_EXECUTION_TIMEOUT: ${PLUGIN_MAX_EXECUTION_TIMEOUT:-600} PLUGIN_MAX_EXECUTION_TIMEOUT: ${PLUGIN_MAX_EXECUTION_TIMEOUT:-600}
PIP_MIRROR_URL: ${PIP_MIRROR_URL:-} PIP_MIRROR_URL: ${PIP_MIRROR_URL:-}

Write Preview
Loading…
Cancel
Save