fix: fix owner/user fields and auth for resources

hsluoyz · hsluoyz · commit 4555db8e0ba9 · 2026-05-29T01:23:49.000+08:00
diff --git a/controllers/message_answer.go b/controllers/message_answer.go
@@ -309,7 +309,7 @@ func generateMessageAnswer(id string, responseWriter http.ResponseWriter, host s
 	if questionMessage != nil {
 		webSearchEnabled = questionMessage.WebSearchEnabled
 	}
-	mcpToolSet = object.MergeMcpTools(mcpToolSet, store, webSearchEnabled, lang)
+	mcpToolSet = object.MergeMcpTools(mcpToolSet, store, webSearchEnabled, message.User, lang)
 
 	var knowledge []*model.RawMessage
 	var vectorScores []object.VectorScore
diff --git a/controllers/resource.go b/controllers/resource.go
@@ -41,27 +41,39 @@ func (c *ApiController) GetGlobalResources() {
 	sortField := c.Input().Get("sortField")
 	sortOrder := c.Input().Get("sortOrder")
 
+	userName, ok := c.RequireSignedIn()
+	if !ok {
+		return
+	}
+
+	filterUser := ""
+	if !c.IsAdmin() {
+		filterUser = userName
+	}
+
 	if limit == "" || page == "" {
-		resources, err := object.GetGlobalResources(owner)
+		var resources []*object.Resource
+		var err error
+		if filterUser == "" {
+			resources, err = object.GetGlobalResources(owner)
+		} else {
+			resources, err = object.GetResources(owner, filterUser)
+		}
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 		c.ResponseOk(resources)
 	} else {
-		if !c.RequireAdmin() {
-			return
-		}
-
 		limitInt := util.ParseInt(limit)
-		count, err := object.GetResourceCount(owner, field, value)
+		count, err := object.GetResourceCount(owner, filterUser, field, value)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
 		}
 
 		paginator := pagination.SetPaginator(c.Ctx, limitInt, count)
-		resources, err := object.GetPaginationResources(owner, paginator.Offset(), limitInt, field, value, sortField, sortOrder)
+		resources, err := object.GetPaginationResources(owner, filterUser, paginator.Offset(), limitInt, field, value, sortField, sortOrder)
 		if err != nil {
 			c.ResponseError(err.Error())
 			return
@@ -81,12 +93,22 @@ func (c *ApiController) GetGlobalResources() {
 func (c *ApiController) GetResource() {
 	id := c.Input().Get("id")
 
+	userName, ok := c.RequireSignedIn()
+	if !ok {
+		return
+	}
+
 	resource, err := object.GetResource(id)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 
+	if resource != nil && !c.IsAdmin() && resource.User != userName {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
 	c.ResponseOk(resource)
 }
 
@@ -149,13 +171,23 @@ func (c *ApiController) AddResource() {
 // @Success 200 {object} controllers.Response The Response object
 // @router /delete-resource [post]
 func (c *ApiController) DeleteResource() {
+	userName, ok := c.RequireSignedIn()
+	if !ok {
+		return
+	}
+
 	var resource object.Resource
 	err := json.NewDecoder(c.Ctx.Request.Body).Decode(&resource)
 	if err != nil {
 		c.ResponseError(err.Error())
 		return
 	}
 
+	if !c.IsAdmin() && resource.User != userName {
+		c.ResponseError(c.T("auth:Unauthorized operation"))
+		return
+	}
+
 	err = object.DeleteResourceFile(&resource, c.GetAcceptLanguage())
 	if err != nil {
 		c.ResponseError(err.Error())
diff --git a/object/merge_agent_tools.go b/object/merge_agent_tools.go
@@ -20,7 +20,7 @@ import (
 	"github.com/the-open-agent/openagent/util"
 )
 
-func buildMergedBuiltinRegistry(store *Store, lang string) *tool.ToolRegistry {
+func buildMergedBuiltinRegistry(store *Store, user, lang string) *tool.ToolRegistry {
 	reg := tool.NewToolRegistry()
 
 	if store == nil {
@@ -56,7 +56,7 @@ func buildMergedBuiltinRegistry(store *Store, lang string) *tool.ToolRegistry {
 		}
 		for _, bt := range tp.BuiltinTools() {
 			wrapped := wrapSnapshotBuiltin(store.Owner, bt)
-			wrapped = wrapGeneratedResourceBuiltin(wrapped)
+			wrapped = wrapGeneratedResourceBuiltin(wrapped, store.Owner, user)
 			reg.RegisterTool(wrapped)
 		}
 	}
@@ -66,15 +66,15 @@ func buildMergedBuiltinRegistry(store *Store, lang string) *tool.ToolRegistry {
 
 // MergeMcpTools merges builtin tools (from the store's tool list) and the
 // web-search flag into an existing McpToolSet, creating one if needed.
-func MergeMcpTools(mcpToolSet *mcp.ToolSet, store *Store, webSearchEnabled bool, lang string) *mcp.ToolSet {
+func MergeMcpTools(mcpToolSet *mcp.ToolSet, store *Store, webSearchEnabled bool, user, lang string) *mcp.ToolSet {
 	if webSearchEnabled {
 		if mcpToolSet == nil {
 			mcpToolSet = &mcp.ToolSet{}
 		}
 		mcpToolSet.WebSearchEnabled = true
 	}
 
-	reg := buildMergedBuiltinRegistry(store, lang)
+	reg := buildMergedBuiltinRegistry(store, user, lang)
 	allTools := reg.GetToolsAsProtocolTools()
 	if len(allTools) == 0 {
 		return mcpToolSet
diff --git a/object/message_tool.go b/object/message_tool.go
@@ -45,7 +45,7 @@ func buildToolSetForBuiltinTool(toolName string, lang string) (*mcp.ToolSet, err
 	reg := tool.NewToolRegistry()
 	for _, t := range tp.BuiltinTools() {
 		wrapped := wrapSnapshotBuiltin("admin", t)
-		wrapped = wrapGeneratedResourceBuiltin(wrapped)
+		wrapped = wrapGeneratedResourceBuiltin(wrapped, "admin", "")
 		reg.RegisterTool(wrapped)
 	}
 
diff --git a/object/resource.go b/object/resource.go
@@ -148,14 +148,20 @@ func DeleteResource(resource *Resource) (bool, error) {
 	return affected != 0, nil
 }
 
-func GetResourceCount(owner, field, value string) (int64, error) {
+func GetResourceCount(owner, user, field, value string) (int64, error) {
 	session := GetDbSession(owner, -1, -1, field, value, "", "")
+	if user != "" {
+		session = session.And("user = ?", user)
+	}
 	return session.Count(&Resource{})
 }
 
-func GetPaginationResources(owner string, offset, limit int, field, value, sortField, sortOrder string) ([]*Resource, error) {
+func GetPaginationResources(owner, user string, offset, limit int, field, value, sortField, sortOrder string) ([]*Resource, error) {
 	resources := []*Resource{}
 	session := GetDbSession(owner, offset, limit, field, value, sortField, sortOrder)
+	if user != "" {
+		session = session.And("user = ?", user)
+	}
 	err := session.Find(&resources)
 	if err != nil {
 		return resources, err
diff --git a/object/resource_archive_tool.go b/object/resource_archive_tool.go
@@ -29,18 +29,22 @@ import (
 
 type generatedResourceArchiveBuiltinTool struct {
 	inner tool.BuiltinTool
+	owner string
+	user  string
 }
 
-var archiveGeneratedResourceFile = archiveGeneratedResourceFileToStorage
+var archiveGeneratedResourceFile = func(owner, user, path string) (*Resource, error) {
+	return archiveGeneratedResourceFileToStorage(owner, user, path)
+}
 
-func wrapGeneratedResourceBuiltin(builtin tool.BuiltinTool) tool.BuiltinTool {
+func wrapGeneratedResourceBuiltin(builtin tool.BuiltinTool, owner, user string) tool.BuiltinTool {
 	if builtin == nil {
 		return nil
 	}
 	if !isGeneratedResourceTool(builtin.GetName()) {
 		return builtin
 	}
-	return &generatedResourceArchiveBuiltinTool{inner: builtin}
+	return &generatedResourceArchiveBuiltinTool{inner: builtin, owner: owner, user: user}
 }
 
 func isGeneratedResourceTool(toolName string) bool {
@@ -75,7 +79,7 @@ func (t *generatedResourceArchiveBuiltinTool) Execute(ctx context.Context, argum
 		return result, innerErr
 	}
 
-	resource, err := archiveGeneratedResourceFile(path)
+	resource, err := archiveGeneratedResourceFile(t.owner, t.user, path)
 	if err != nil {
 		appendGeneratedResourceArchiveText(result, fmt.Sprintf("Resource archive warning: file was created but could not be saved to Resources: %s", err.Error()))
 		return result, innerErr
@@ -107,7 +111,7 @@ func resourceArchiveStringArg(arguments map[string]interface{}, key string) stri
 	return strings.TrimSpace(value)
 }
 
-func archiveGeneratedResourceFileToStorage(path string) (*Resource, error) {
+func archiveGeneratedResourceFileToStorage(owner, user, path string) (*Resource, error) {
 	info, err := os.Stat(path)
 	if err != nil {
 		return nil, err
@@ -139,7 +143,7 @@ func archiveGeneratedResourceFileToStorage(path string) (*Resource, error) {
 		return nil, err
 	}
 
-	resource := NewResourceFromUpload("admin", "", "generated", fileName, fileType, ext, fileUrl, storageName, len(fileBytes), "", "")
+	resource := NewResourceFromUpload(owner, user, "generated", fileName, fileType, ext, fileUrl, storageName, len(fileBytes), "", "")
 	if _, err = AddResource(resource); err != nil {
 		return nil, err
 	}

Original file line number	Diff line number	Diff line change
`@@ -309,7 +309,7 @@ func generateMessageAnswer(id string, responseWriter http.ResponseWriter, host s`
`309`	`309`	`if questionMessage != nil {`
`310`	`310`	`webSearchEnabled = questionMessage.WebSearchEnabled`
`311`	`311`	`}`
`312`		`- mcpToolSet = object.MergeMcpTools(mcpToolSet, store, webSearchEnabled, lang)`
	`312`	`+ mcpToolSet = object.MergeMcpTools(mcpToolSet, store, webSearchEnabled, message.User, lang)`
`313`	`313`
`314`	`314`	`var knowledge []*model.RawMessage`
`315`	`315`	`var vectorScores []object.VectorScore`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ import (`
`20`	`20`	`"github.com/the-open-agent/openagent/util"`
`21`	`21`	`)`
`22`	`22`
`23`		`-func buildMergedBuiltinRegistry(store Store, lang string) tool.ToolRegistry {`
	`23`	`+func buildMergedBuiltinRegistry(store Store, user, lang string) tool.ToolRegistry {`
`24`	`24`	`reg := tool.NewToolRegistry()`
`25`	`25`
`26`	`26`	`if store == nil {`
`@@ -56,7 +56,7 @@ func buildMergedBuiltinRegistry(store Store, lang string) tool.ToolRegistry {`
`56`	`56`	`}`
`57`	`57`	`for _, bt := range tp.BuiltinTools() {`
`58`	`58`	`wrapped := wrapSnapshotBuiltin(store.Owner, bt)`
`59`		`- wrapped = wrapGeneratedResourceBuiltin(wrapped)`
	`59`	`+ wrapped = wrapGeneratedResourceBuiltin(wrapped, store.Owner, user)`
`60`	`60`	`reg.RegisterTool(wrapped)`
`61`	`61`	`}`
`62`	`62`	`}`
`@@ -66,15 +66,15 @@ func buildMergedBuiltinRegistry(store Store, lang string) tool.ToolRegistry {`
`66`	`66`
`67`	`67`	`// MergeMcpTools merges builtin tools (from the store's tool list) and the`
`68`	`68`	`// web-search flag into an existing McpToolSet, creating one if needed.`
`69`		`-func MergeMcpTools(mcpToolSet mcp.ToolSet, store Store, webSearchEnabled bool, lang string) *mcp.ToolSet {`
	`69`	`+func MergeMcpTools(mcpToolSet mcp.ToolSet, store Store, webSearchEnabled bool, user, lang string) *mcp.ToolSet {`
`70`	`70`	`if webSearchEnabled {`
`71`	`71`	`if mcpToolSet == nil {`
`72`	`72`	`mcpToolSet = &mcp.ToolSet{}`
`73`	`73`	`}`
`74`	`74`	`mcpToolSet.WebSearchEnabled = true`
`75`	`75`	`}`
`76`	`76`
`77`		`- reg := buildMergedBuiltinRegistry(store, lang)`
	`77`	`+ reg := buildMergedBuiltinRegistry(store, user, lang)`
`78`	`78`	`allTools := reg.GetToolsAsProtocolTools()`
`79`	`79`	`if len(allTools) == 0 {`
`80`	`80`	`return mcpToolSet`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ func buildToolSetForBuiltinTool(toolName string, lang string) (*mcp.ToolSet, err`
`45`	`45`	`reg := tool.NewToolRegistry()`
`46`	`46`	`for _, t := range tp.BuiltinTools() {`
`47`	`47`	`wrapped := wrapSnapshotBuiltin("admin", t)`
`48`		`- wrapped = wrapGeneratedResourceBuiltin(wrapped)`
	`48`	`+ wrapped = wrapGeneratedResourceBuiltin(wrapped, "admin", "")`
`49`	`49`	`reg.RegisterTool(wrapped)`
`50`	`50`	`}`
`51`	`51`
Original file line number	Diff line number	Diff line change
`@@ -29,18 +29,22 @@ import (`
`29`	`29`
`30`	`30`	`type generatedResourceArchiveBuiltinTool struct {`
`31`	`31`	`inner tool.BuiltinTool`
	`32`	`+ owner string`
	`33`	`+ user string`
`32`	`34`	`}`
`33`	`35`
`34`		`-var archiveGeneratedResourceFile = archiveGeneratedResourceFileToStorage`
	`36`	`+var archiveGeneratedResourceFile = func(owner, user, path string) (*Resource, error) {`
	`37`	`+ return archiveGeneratedResourceFileToStorage(owner, user, path)`
	`38`	`+}`
`35`	`39`
`36`		`-func wrapGeneratedResourceBuiltin(builtin tool.BuiltinTool) tool.BuiltinTool {`
	`40`	`+func wrapGeneratedResourceBuiltin(builtin tool.BuiltinTool, owner, user string) tool.BuiltinTool {`
`37`	`41`	`if builtin == nil {`
`38`	`42`	`return nil`
`39`	`43`	`}`
`40`	`44`	`if !isGeneratedResourceTool(builtin.GetName()) {`
`41`	`45`	`return builtin`
`42`	`46`	`}`
`43`		`- return &generatedResourceArchiveBuiltinTool{inner: builtin}`
	`47`	`+ return &generatedResourceArchiveBuiltinTool{inner: builtin, owner: owner, user: user}`
`44`	`48`	`}`
`45`	`49`
`46`	`50`	`func isGeneratedResourceTool(toolName string) bool {`
`@@ -75,7 +79,7 @@ func (t *generatedResourceArchiveBuiltinTool) Execute(ctx context.Context, argum`
`75`	`79`	`return result, innerErr`
`76`	`80`	`}`
`77`	`81`
`78`		`- resource, err := archiveGeneratedResourceFile(path)`
	`82`	`+ resource, err := archiveGeneratedResourceFile(t.owner, t.user, path)`
`79`	`83`	`if err != nil {`
`80`	`84`	`appendGeneratedResourceArchiveText(result, fmt.Sprintf("Resource archive warning: file was created but could not be saved to Resources: %s", err.Error()))`
`81`	`85`	`return result, innerErr`
`@@ -107,7 +111,7 @@ func resourceArchiveStringArg(arguments map[string]interface{}, key string) stri`
`107`	`111`	`return strings.TrimSpace(value)`
`108`	`112`	`}`
`109`	`113`
`110`		`-func archiveGeneratedResourceFileToStorage(path string) (*Resource, error) {`
	`114`	`+func archiveGeneratedResourceFileToStorage(owner, user, path string) (*Resource, error) {`
`111`	`115`	`info, err := os.Stat(path)`
`112`	`116`	`if err != nil {`
`113`	`117`	`return nil, err`
`@@ -139,7 +143,7 @@ func archiveGeneratedResourceFileToStorage(path string) (*Resource, error) {`
`139`	`143`	`return nil, err`
`140`	`144`	`}`
`141`	`145`
`142`		`- resource := NewResourceFromUpload("admin", "", "generated", fileName, fileType, ext, fileUrl, storageName, len(fileBytes), "", "")`
	`146`	`+ resource := NewResourceFromUpload(owner, user, "generated", fileName, fileType, ext, fileUrl, storageName, len(fileBytes), "", "")`
`143`	`147`	`if _, err = AddResource(resource); err != nil {`
`144`	`148`	`return nil, err`
`145`	`149`	`}`