fix: Tool record permission

Author: zhanweizhang7

apps/common/constants/permission_constants.py

@@ -603,11 +603,16 @@ class PermissionConstants(Enum):
         parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL],
         resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE]
     )
+    TOOL_EXECUTE_RECORD = Permission(
+        group=Group.TOOL, operate=Operate.RECORD, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
+        parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL],
+        resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE]
+    )
     # source point trigger
     TOOL_TRIGGER_READ = Permission(
         group=Group.TOOL, operate=Operate.TRIGGER_READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
         parent_group=[WorkspaceGroup.TOOL, UserGroup.TOOL],
-        resource_permission_group_list=[ResourcePermissionConst.TOOL_VIEW]
+        resource_permission_group_list=[ResourcePermissionConst.TOOL_MANGE]
     )
     TOOL_TRIGGER_CREATE = Permission(
         group=Group.TOOL, operate=Operate.TRIGGER_CREATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
@@ -1035,7 +1040,7 @@ class PermissionConstants(Enum):
     APPLICATION_TRIGGER_READ = Permission(
         group=Group.APPLICATION, operate=Operate.TRIGGER_READ, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
         parent_group=[WorkspaceGroup.APPLICATION, UserGroup.APPLICATION],
-        resource_permission_group_list=[ResourcePermissionConst.APPLICATION_VIEW]
+        resource_permission_group_list=[ResourcePermissionConst.APPLICATION_MANGE]
     )
     APPLICATION_TRIGGER_CREATE = Permission(
         group=Group.APPLICATION, operate=Operate.TRIGGER_CREATE, role_list=[RoleConstants.ADMIN, RoleConstants.USER],
@@ -1349,6 +1354,10 @@ class PermissionConstants(Enum):
         group=Group.SYSTEM_TOOL, operate=Operate.RELATE_VIEW, role_list=[RoleConstants.ADMIN],
         parent_group=[SystemGroup.SHARED_TOOL], is_ee=settings.edition == "EE"
     )
+    SHARED_TOOL_EXECUTE_RECORD = Permission(
+        group=Group.SYSTEM_TOOL, operate=Operate.RECORD, role_list=[RoleConstants.ADMIN],
+        parent_group=[SystemGroup.SHARED_TOOL], is_ee=settings.edition == "EE"
+    )
     SHARED_KNOWLEDGE_READ = Permission(
         group=Group.SYSTEM_KNOWLEDGE, operate=Operate.READ, role_list=[RoleConstants.ADMIN],
         parent_group=[SystemGroup.SHARED_KNOWLEDGE], is_ee=settings.edition == "EE"
@@ -1781,6 +1790,10 @@ class PermissionConstants(Enum):
         group=Group.SYSTEM_RES_TOOL, operate=Operate.RELATE_VIEW, role_list=[RoleConstants.ADMIN],
         parent_group=[SystemGroup.RESOURCE_TOOL], is_ee=settings.edition == "EE"
     )
+    RESOURCE_TOOL_EXECUTE_RECORD = Permission(
+        group=Group.SYSTEM_RES_TOOL, operate=Operate.RECORD, role_list=[RoleConstants.ADMIN],
+        parent_group=[SystemGroup.RESOURCE_TOOL], is_ee=settings.edition == "EE"
+    )
     RESOURCE_TOOL_TRIGGER_READ = Permission(
         group=Group.SYSTEM_RES_TOOL, operate=Operate.TRIGGER_READ, role_list=[RoleConstants.ADMIN],
         parent_group=[SystemGroup.RESOURCE_TOOL], is_ee=settings.edition == "EE"

apps/tools/views/tool.py

@@ -527,8 +527,8 @@ class PageToolRecord(APIView):
             tags=[_("Tool")]  # type: ignore
         )
         @has_permissions(
-            PermissionConstants.TOOL_READ.get_workspace_tool_permission(),
-            PermissionConstants.TOOL_READ.get_workspace_permission_workspace_manage_role(),
+            PermissionConstants.TOOL_EXECUTE_RECORD.get_workspace_tool_permission(),
+            PermissionConstants.TOOL_EXECUTE_RECORD.get_workspace_permission_workspace_manage_role(),
             RoleConstants.WORKSPACE_MANAGE.get_workspace_role(),
             ViewPermission([RoleConstants.USER.get_workspace_role()],
                            [PermissionConstants.TOOL.get_workspace_tool_permission()],
@@ -556,8 +556,8 @@ class ToolRecord(APIView):
             tags=[_("Tool")]  # type: ignore
         )
         @has_permissions(
-            PermissionConstants.TOOL_READ.get_workspace_tool_permission(),
-            PermissionConstants.TOOL_READ.get_workspace_permission_workspace_manage_role(),
+            PermissionConstants.TOOL_EXECUTE_RECORD.get_workspace_tool_permission(),
+            PermissionConstants.TOOL_EXECUTE_RECORD.get_workspace_permission_workspace_manage_role(),
             RoleConstants.WORKSPACE_MANAGE.get_workspace_role(),
             ViewPermission([RoleConstants.USER.get_workspace_role()],
                            [PermissionConstants.TOOL.get_workspace_tool_permission()],

ui/src/permission/tool/system-manage.ts

@@ -114,7 +114,14 @@ const systemManage = {
       ],
       'OR'
     ),
-  
+  record: () =>
+    hasPermission(
+      [
+        RoleConst.ADMIN,
+        PermissionConst.RESOURCE_TOOL_EXECUTE_RECORD
+      ],
+      'OR'
+    ),
   folderRead: () => false,
   folderManage: () => false,
   folderCreate: () => false,

ui/src/permission/tool/system-share.ts

@@ -37,6 +37,10 @@ const share = {
       ],
       'OR',
     ),
+  trigger_read: ()=> false,
+  trigger_create: ()=> false,
+  trigger_edit: ()=> false,
+  trigger_delete: ()=> false,
   switch: () =>
     hasPermission(
       [
@@ -87,7 +91,14 @@ const share = {
       ],
       'OR',
     ),
-
+  record: () =>
+    hasPermission(
+      [
+        RoleConst.ADMIN,
+        PermissionConst.SHARED_TOOL_EXECUTE_RECORD,
+      ],
+      'OR',
+    ),
   folderRead: () => false,
   folderManage: () => false,
   folderCreate: () => false,

ui/src/permission/tool/workspace.ts

@@ -102,6 +102,16 @@ const workspace = {
       ],
       'OR',
     ),
+    record: (source_id:string) =>
+    hasPermission(
+      [
+        new ComplexPermission([RoleConst.USER],[PermissionConst.TOOL.getToolWorkspaceResourcePermission(source_id)],[],'AND'),
+        RoleConst.WORKSPACE_MANAGE.getWorkspaceRole,
+        PermissionConst.TOOL_EXECUTE_RECORD.getToolWorkspaceResourcePermission(source_id),
+        PermissionConst.TOOL_EXECUTE_RECORD.getWorkspacePermissionWorkspaceManageRole
+      ],
+      'OR',
+    ),
   trigger_read: (source_id:string) => 
         hasPermission(
             [

ui/src/utils/permission/data.ts

@@ -205,6 +205,7 @@ const PermissionConst = {
   SHARED_TOOL_IMPORT: new Permission('SYSTEM_TOOL:READ+IMPORT'),
   SHARED_TOOL_EXPORT: new Permission('SYSTEM_TOOL:READ+EXPORT'),
   SHARED_TOOL_RELATE_RESOURCE_VIEW: new Permission('SYSTEM_TOOL:READ+RELATE_VIEW'),
+  SHARED_TOOL_EXECUTE_RECORD: new Permission('SYSTEM_TOOL:READ+RECORD'),
 
   SHARED_MODEL_READ: new Permission('SYSTEM_MODEL:READ'),
   SHARED_MODEL_CREATE: new Permission('SYSTEM_MODEL:READ+CREATE'),
@@ -263,6 +264,7 @@ const PermissionConst = {
   TOOL_IMPORT: new Permission('TOOL:READ+IMPORT'),
   TOOL_EXPORT: new Permission('TOOL:READ+EXPORT'),
   TOOL_RELATE_RESOURCE_VIEW: new Permission('TOOL:READ+RELATE_VIEW'),
+  TOOL_EXECUTE_RECORD: new Permission('TOOL:READ+RECORD'),
   TOOL_TRIGGER_READ: new Permission('TOOL:READ+TRIGGER_READ'),
   TOOL_TRIGGER_CREATE: new Permission('TOOL:READ+TRIGGER_CREATE'),
   TOOL_TRIGGER_EDIT: new Permission('TOOL:READ+TRIGGER_EDIT'),
@@ -274,6 +276,7 @@ const PermissionConst = {
   RESOURCE_TOOL_DELETE: new Permission('SYSTEM_RESOURCE_TOOL:READ+DELETE'),
   RESOURCE_TOOL_IMPORT: new Permission('SYSTEM_RESOURCE_TOOL:READ+IMPORT'),
   RESOURCE_TOOL_EXPORT: new Permission('SYSTEM_RESOURCE_TOOL:READ+EXPORT'),
+  RESOURCE_TOOL_EXECUTE_RECORD: new Permission('SYSTEM_RESOURCE_TOOL:READ+RECORD'),
   RESOURCE_TOOL_TRIGGER_READ: new Permission('SYSTEM_RESOURCE_TOOL:READ+TRIGGER_READ'),
   RESOURCE_TOOL_TRIGGER_CREATE: new Permission('SYSTEM_RESOURCE_TOOL:READ+TRIGGER_CREATE'),
   RESOURCE_TOOL_TRIGGER_EDIT: new Permission('SYSTEM_RESOURCE_TOOL:READ+TRIGGER_EDIT'),

ui/src/views/tool/component/ToolListContainer.vue

@@ -295,7 +295,11 @@
 
                           <el-dropdown-item
                             @click.stop="openTriggerDrawer(item)"
-                            v-if="apiType === 'workspace' && item.tool_type === 'CUSTOM'"
+                            v-if="
+                              ['workspace', 'systemManage'].includes(apiType) &&
+                              item.tool_type === 'CUSTOM' &&
+                              permissionPrecise.trigger_read(item.id)
+                            "
                           >
                             <AppIcon iconName="app-trigger" class="color-secondary"></AppIcon>
                             {{ $t('views.trigger.title') }}
@@ -314,7 +318,7 @@
                           <el-dropdown-item
                             text
                             @click.stop="openToolRecordDrawer(item)"
-                            v-if="item.tool_type === 'CUSTOM'"
+                            v-if="item.tool_type === 'CUSTOM' && permissionPrecise.record(item.id)"
                           >
                             <AppIcon
                               iconName="app-schedule-report"
@@ -397,7 +401,7 @@
     ref="resourceTriggerDrawerRef"
     :source="SourceTypeEnum.TOOL"
   ></ResourceTriggerDrawer>
-  <ToolRecordDrawer ref="toolRecordDrawerRef"/>
+  <ToolRecordDrawer ref="toolRecordDrawerRef" />
 </template>
 
 <script lang="ts" setup>
@@ -429,7 +433,7 @@ import ToolStoreDescDrawer from '@/views/tool/component/ToolStoreDescDrawer.vue'
 
 import bus from '@/bus'
 import ResourceMappingDrawer from '@/components/resource_mapping/index.vue'
-import ToolRecordDrawer from "@/views/tool/execution-record/TriggerRecordDrawer.vue";
+import ToolRecordDrawer from '@/views/tool/execution-record/TriggerRecordDrawer.vue'
 
 const route = useRoute()
 
@@ -467,6 +471,8 @@ const MoreFieldPermission = (id: any) => {
     permissionPrecise.value.delete(id) ||
     permissionPrecise.value.auth(id) ||
     permissionPrecise.value.relate_map(id) ||
+    permissionPrecise.value.trigger_read(id) ||
+    permissionPrecise.value.record(id) ||
     isSystemShare.value
   )
 }