Update authorization for team (#3262)

### What problem does this PR solve?

Update authorization for team.
#3253 #3233
### Type of change

- [x] Refactoring

---------

Co-authored-by: liuhua <[email protected]>

api/apps/sdk/chat.py

@@ -34,10 +34,11 @@ def create(tenant_id):
     if not ids:
         return get_error_data_result(message="`dataset_ids` is required")
     for kb_id in ids:
-        kbs = KnowledgebaseService.query(id=kb_id,tenant_id=tenant_id)
+        kbs = KnowledgebaseService.accessible(kb_id=kb_id,user_id=tenant_id)
         if not kbs:
             return get_error_data_result(f"You don't own the dataset {kb_id}")
-        kb=kbs[0]
+        kbs = KnowledgebaseService.query(id=kb_id)
+        kb = kbs[0]
         if kb.chunk_num == 0:
             return get_error_data_result(f"The dataset {kb_id} doesn't own parsed file")
     kbs = KnowledgebaseService.get_by_ids(ids)
@@ -160,9 +161,10 @@ def update(tenant_id,chat_id):
             return get_error_data_result("`datasets` can't be empty")
         if ids:
             for kb_id in ids:
-                kbs = KnowledgebaseService.query(id=kb_id, tenant_id=tenant_id)
+                kbs = KnowledgebaseService.accessible(kb_id=chat_id, user_id=tenant_id)
                 if not kbs:
                     return get_error_data_result(f"You don't own the dataset {kb_id}")
+                kbs = KnowledgebaseService.query(id=kb_id)
                 kb = kbs[0]
                 if kb.chunk_num == 0:
                     return get_error_data_result(f"The dataset {kb_id} doesn't own parsed file")
@@ -260,7 +262,7 @@ def delete(tenant_id):
 def list_chat(tenant_id):
     id = request.args.get("id")
     name = request.args.get("name")
-    chat = DialogService.query(id=id,name=name,status=StatusEnum.VALID.value)
+    chat = DialogService.query(id=id,name=name,status=StatusEnum.VALID.value,tenant_id=tenant_id)
     if not chat:
         return get_error_data_result(message="The chat doesn't exist")
     page_number = int(request.args.get("page", 1))

api/apps/sdk/dataset.py

@@ -490,6 +490,9 @@ def list(tenant_id):
     kbs = KnowledgebaseService.query(id=id, name=name, status=1)
     if not kbs:
         return get_error_data_result(message="The dataset doesn't exist")
+    for kb in kbs:
+        if not KnowledgebaseService.accessible(kb_id=kb.id,user_id=tenant_id):
+            return get_error_data_result(message=f"You don't own the dataset {kb.id}")
     page_number = int(request.args.get("page", 1))
     items_per_page = int(request.args.get("page_size", 30))
     orderby = request.args.get("orderby", "create_time")

api/apps/sdk/doc.py

@@ -450,7 +450,7 @@ def list_docs(dataset_id, tenant_id):
                     type: string
                     description: Processing status.
     """
-    if not KnowledgebaseService.query(id=dataset_id, tenant_id=tenant_id):
+    if not KnowledgebaseService.accessible(kb_id=dataset_id, user_id=tenant_id):
         return get_error_data_result(message=f"You don't own the dataset {dataset_id}. ")
     id = request.args.get("id")
     name = request.args.get("name")
@@ -537,7 +537,7 @@ def delete(tenant_id, dataset_id):
         schema:
           type: object
     """
-    if not KnowledgebaseService.query(id=dataset_id, tenant_id=tenant_id):
+    if not KnowledgebaseService.accessible(kb_id=dataset_id, user_id=tenant_id):
         return get_error_data_result(message=f"You don't own the dataset {dataset_id}. ")
     req = request.json
     if not req:
@@ -629,7 +629,7 @@ def parse(tenant_id, dataset_id):
         schema:
           type: object
     """
-    if not KnowledgebaseService.query(id=dataset_id, tenant_id=tenant_id):
+    if not KnowledgebaseService.accessible(kb_id=dataset_id, user_id=tenant_id):
         return get_error_data_result(message=f"You don't own the dataset {dataset_id}.")
     req = request.json
     if not req.get("document_ids"):
@@ -698,7 +698,7 @@ def stop_parsing(tenant_id, dataset_id):
         schema:
           type: object
     """
-    if not KnowledgebaseService.query(id=dataset_id, tenant_id=tenant_id):
+    if not KnowledgebaseService.accessible(kb_id=dataset_id, user_id=tenant_id):
         return get_error_data_result(message=f"You don't own the dataset {dataset_id}.")
     req = request.json
     if not req.get("document_ids"):
@@ -792,7 +792,7 @@ def list_chunks(tenant_id, dataset_id, document_id):
               type: object
               description: Document details.
     """
-    if not KnowledgebaseService.query(id=dataset_id, tenant_id=tenant_id):
+    if not KnowledgebaseService.accessible(kb_id=dataset_id, user_id=tenant_id):
         return get_error_data_result(message=f"You don't own the dataset {dataset_id}.")
     doc = DocumentService.query(id=document_id, kb_id=dataset_id)
     if not doc:
@@ -964,7 +964,7 @@ def add_chunk(tenant_id, dataset_id, document_id):
                     type: string
                   description: Important keywords.
     """
-    if not KnowledgebaseService.query(id=dataset_id, tenant_id=tenant_id):
+    if not KnowledgebaseService.accessible(kb_id=dataset_id, user_id=tenant_id):
         return get_error_data_result(message=f"You don't own the dataset {dataset_id}.")
     doc = DocumentService.query(id=document_id, kb_id=dataset_id)
     if not doc:
@@ -1077,7 +1077,7 @@ def rm_chunk(tenant_id, dataset_id, document_id):
         schema:
           type: object
     """
-    if not KnowledgebaseService.query(id=dataset_id, tenant_id=tenant_id):
+    if not KnowledgebaseService.accessible(kb_id=dataset_id, user_id=tenant_id):
         return get_error_data_result(message=f"You don't own the dataset {dataset_id}.")
     doc = DocumentService.query(id=document_id, kb_id=dataset_id)
     if not doc:
@@ -1172,7 +1172,7 @@ def update_chunk(tenant_id, dataset_id, document_id, chunk_id):
         res = ELASTICSEARCH.get(chunk_id, search.index_name(tenant_id))
     except Exception:
         return get_error_data_result(f"Can't find this chunk {chunk_id}")
-    if not KnowledgebaseService.query(id=dataset_id, tenant_id=tenant_id):
+    if not KnowledgebaseService.accessible(kb_id=dataset_id, user_id=tenant_id):
         return get_error_data_result(message=f"You don't own the dataset {dataset_id}.")
     doc = DocumentService.query(id=document_id, kb_id=dataset_id)
     if not doc:
@@ -1312,7 +1312,7 @@ def retrieval_test(tenant_id):
         return get_error_data_result("`dataset_ids` should be a list")
     kbs = KnowledgebaseService.get_by_ids(kb_ids)
     for id in kb_ids:
-        if not KnowledgebaseService.query(id=id, tenant_id=tenant_id):
+        if not KnowledgebaseService.accessible(kb_id=id, user_id=tenant_id):
             return get_error_data_result(f"You don't own the dataset {id}.")
     embd_nms = list(set([kb.embd_id for kb in kbs]))
     if len(embd_nms) != 1:

api/utils/api_utils.py

@@ -280,7 +280,10 @@ def construct_error_response(e):
 def token_required(func):
     @wraps(func)
     def decorated_function(*args, **kwargs):
-        token = flask_request.headers.get('Authorization').split()[1]
+        authorization_list=flask_request.headers.get('Authorization').split()
+        if len(authorization_list) < 2:
+            return get_json_result(data=False,message="Please check your authorization format.")
+        token = authorization_list[1]
         objs = APIToken.query(token=token)
         if not objs:
             return get_json_result(

docs/references/http_api_reference.md

@@ -734,7 +734,7 @@ Deletes documents by ID.
 curl --request DELETE \
      --url http://{address}/api/v1/datasets/{dataset_id}/documents \
      --header 'Content-Type: application/json' \
-     --header 'Authorization: <YOUR_API_KEY>' \
+     --header 'Authorization: Bearer <YOUR_API_KEY>' \
      --data '
      {
           "ids": ["id_1","id_2"]
@@ -1148,7 +1148,7 @@ Updates content or configurations for a specified chunk.
 curl --request PUT \
      --url http://{address}/api/v1/datasets/{dataset_id}/documents/{document_id}/chunks/{chunk_id} \
      --header 'Content-Type: application/json' \
-     --header 'Authorization: <YOUR_API_KEY>' \
+     --header 'Authorization: Bearer <YOUR_API_KEY>' \
      --data '
      {   
           "content": "ragflow123",  
@@ -1226,7 +1226,7 @@ Retrieves chunks from specified datasets.
 curl --request POST \
      --url http://{address}/api/v1/retrieval \
      --header 'Content-Type: application/json' \
-     --header 'Authorization: <YOUR_API_KEY>' \
+     --header 'Authorization: Bearer <YOUR_API_KEY>' \
      --data '
      {
           "question": "What is advantage of ragflow?",
@@ -1934,7 +1934,7 @@ Deletes sessions by ID.
 curl --request DELETE \
      --url http://{address}/api/v1/chats/{chat_id}/sessions \
      --header 'Content-Type: application/json' \
-     --header 'Authorization: Bear <YOUR_API_KEY>' \
+     --header 'Authorization: Bearer <YOUR_API_KEY>' \
      --data '
      {
           "ids": ["test_1", "test_2"]