chore: adjust

packages/global/common/error/code/team.ts

@@ -10,7 +10,10 @@ export enum TeamErrEnum {
   appAmountNotEnough = 'appAmountNotEnough',
   pluginAmountNotEnough = 'pluginAmountNotEnough',
   websiteSyncNotEnough = 'websiteSyncNotEnough',
-  reRankNotEnough = 'reRankNotEnough'
+  reRankNotEnough = 'reRankNotEnough',
+  groupNameEmpty = 'groupNameEmpty',
+  groupNotExist = 'groupNotExist',
+  cannotDeleteDefaultGroup = 'cannotDeleteDefaultGroup'
 }
 
 const teamErr = [
@@ -46,6 +49,18 @@ const teamErr = [
   {
     statusText: TeamErrEnum.reRankNotEnough,
     message: i18nT('common:code_error.team_error.re_rank_not_enough')
+  },
+  {
+    statusText: TeamErrEnum.groupNameEmpty,
+    message: i18nT('common:code_error.team_error.group_name_empty')
+  },
+  {
+    statusText: TeamErrEnum.groupNotExist,
+    message: i18nT('common:code_error.team_error.group_not_exist')
+  },
+  {
+    statusText: TeamErrEnum.cannotDeleteDefaultGroup,
+    message: i18nT('common:code_error.team_error.cannot_delete_default_group')
   }
 ];
 

packages/global/support/permission/collaborator.d.ts

@@ -1,4 +1,4 @@
-import { RequireAtLeastOne, RequireOnlyOne } from 'common/type/utils';
+import { RequireAtLeastOne, RequireOnlyOne } from '../../common/type/utils';
 import { Permission } from './controller';
 import { PermissionValueType } from './type';
 
@@ -10,14 +10,11 @@ export type CollaboratorItemType = {
   avatar: string;
 };
 
-export type UpdateClbPermissionProps = RequireAtLeastOne<
-  {
-    members: string[];
-    groups: string[];
-    permission: PermissionValueType;
-  },
-  'members' | 'groups'
->;
+export type UpdateClbPermissionProps = {
+  members?: string[];
+  groups?: string[];
+  permission: PermissionValueType;
+};
 
 export type DeleteClbPermissionProps = RequireOnlyOne<{
   tmbId: string;

packages/global/support/permission/type.d.ts

@@ -1,4 +1,4 @@
-import { RequireOnlyOne } from 'common/type/utils';
+import { RequireOnlyOne } from '../../common/type/utils';
 import { TeamMemberWithUserSchema } from '../user/team/type';
 import {
   AuthUserTypeEnum,
@@ -25,15 +25,15 @@ export type PermissionListType<T = {}> = Record<
   }
 >;
 
-export type ResourcePermissionType<T extends SubjectType = SubjectType> = {
+export type ResourcePermissionType = {
   teamId: string;
-  tmbId: T extends 'tmb' ? string : never;
-  groupId: T extends 'group' ? string : never;
-  subjectType: T;
   resourceType: ResourceType;
   permission: PermissionValueType;
   resourceId: string;
-};
+} & RequireOnlyOne<{
+  tmbId: string;
+  groupId: string;
+}>;
 
 export type ResourcePerWithTmbWithUser = Omit<ResourcePermissionType, 'tmbId'> & {
   tmbId: TeamMemberWithUserSchema;

packages/global/support/user/team/group/api.d.ts

@@ -0,0 +1,12 @@
+export type postCreateGroupData = {
+  name: string;
+  avatar?: string;
+  memberIdList?: string[];
+};
+
+export type putUpdateGroupData = {
+  groupId: string;
+  name?: string;
+  avatar?: string;
+  memberIdList?: string[];
+};

packages/service/support/permission/app/auth.ts

@@ -86,7 +86,7 @@ export const authAppByTmbId = async ({
           resourceId: appId,
           resourceType: PerResourceTypeEnum.app
         });
-        const Per = new AppPermission({ per: rp?.permission ?? app.defaultPermission, isOwner });
+        const Per = new AppPermission({ per: rp ?? app.defaultPermission, isOwner });
         return {
           Per,
           defaultPermission: app.defaultPermission

packages/service/support/permission/controller.ts

@@ -3,71 +3,112 @@ import { ERROR_ENUM } from '@fastgpt/global/common/error/errorCode';
 import jwt from 'jsonwebtoken';
 import { NextApiResponse } from 'next';
 import type { AuthModeType, ReqHeaderAuthType } from './type.d';
-import {
-  AuthUserTypeEnum,
-  PerResourceTypeEnum,
-  SubjectTypeEnum
-} from '@fastgpt/global/support/permission/constant';
+import { AuthUserTypeEnum, PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
 import { authOpenApiKey } from '../openapi/auth';
 import { FileTokenQuery } from '@fastgpt/global/common/file/type';
 import { MongoResourcePermission } from './schema';
 import { ClientSession } from 'mongoose';
-import { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
-import { ResourcePermissionType } from '@fastgpt/global/support/permission/type';
+import {
+  PermissionValueType,
+  ResourcePermissionType
+} from '@fastgpt/global/support/permission/type';
 import { bucketNameMap } from '@fastgpt/global/common/file/constants';
 import { addMinutes } from 'date-fns';
-import { RequireOnlyOne } from '@fastgpt/global/common/type/utils';
+import { getGroupsByTmbId } from './memberGroup/controllers';
 
-export const getResourcePermission = async <T extends `${PerResourceTypeEnum}`>({
+/** get resource permission for a team member
+ * If there is no permission for the team member, it will return undefined
+ * @param resourceType: PerResourceTypeEnum
+ * @param teamId
+ * @param tmbId
+ * @param resourceId
+ * @returns PermissionValueType | undefined
+ */
+export const getResourcePermission = async ({
   resourceType,
   teamId,
   tmbId,
-  groupId,
   resourceId
 }: {
-  resourceType: T;
   teamId: string;
-} & (T extends 'team' ? { resourceId?: undefined } : { resourceId: string }) &
-  RequireOnlyOne<{
-    tmbId?: string;
-    groupId?: string;
-  }>) => {
-  const subjectType = (() => {
-    if (tmbId) {
-      return SubjectTypeEnum.tmb;
+  tmbId: string;
+} & (
+  | {
+      resourceType: 'team';
+      resourceId?: undefined;
     }
-    if (groupId) {
-      return SubjectTypeEnum.group;
+  | {
+      resourceType: Omit<PerResourceTypeEnum, 'team'>;
+      resourceId: string;
     }
-    return SubjectTypeEnum.tmb;
-  })();
+)): Promise<PermissionValueType | undefined> => {
+  const tmbPer = (
+    await MongoResourcePermission.findOne(
+      {
+        tmbId,
+        teamId,
+        resourceType,
+        resourceId
+      },
+      'permission'
+    ).lean()
+  )?.permission;
 
-  const per = await MongoResourcePermission.findOne({
-    tmbId,
-    teamId,
-    resourceType,
-    groupId,
-    resourceId,
-    subjectType
-  });
+  if (tmbPer !== undefined) {
+    // could be 0
+    return tmbPer;
+  }
 
-  if (!per) {
-    return null;
+  const groupIdList = await getGroupsByTmbId(tmbId);
+  if (!groupIdList || !groupIdList.length) {
+    return tmbPer; // could be undefined
   }
-  return per;
+
+  const groupPer = await (async () => {
+    // get the maximum permission of the group
+    if (!groupIdList || !groupIdList.length) {
+      return undefined;
+    }
+    const pers = (
+      await MongoResourcePermission.find(
+        {
+          teamId,
+          resourceType,
+          groupId: {
+            $in: groupIdList
+          },
+          resourceId
+        },
+        'permission'
+      )
+    ).map((item) => item.permission);
+
+    return getMaxGroupPer(pers);
+  })();
+
+  return groupPer ?? undefined;
 };
 
-export async function getResourceAllClbs<T extends PerResourceTypeEnum>({
+export async function getResourceAllClbs({
   resourceId,
   teamId,
   resourceType,
   session
 }: {
   teamId: string;
-  resourceType: T;
+  // resourceType: T;
   session?: ClientSession;
-  resourceId?: T extends 'team' ? undefined : string;
-}): Promise<ResourcePermissionType[]> {
+  // resourceId?: T extends 'team' ? undefined : ParentIdType;
+} & (
+  | {
+      resourceType: 'team';
+      resourceId?: undefined;
+    }
+  | {
+      resourceType: Omit<PerResourceTypeEnum, 'team'>;
+      resourceId?: string | null;
+    }
+)): Promise<ResourcePermissionType[]> {
   return MongoResourcePermission.find(
     {
       resourceId,
@@ -323,3 +364,16 @@ export const authFileToken = (token?: string) =>
       });
     });
   });
+
+export const getMaxGroupPer = (groups?: PermissionValueType[]) => {
+  if (!groups || !groups.length) {
+    return undefined;
+  }
+  return groups.reduce((prev, cur) => {
+    if (cur) {
+      return Math.max(prev, cur);
+    } else {
+      return prev;
+    }
+  });
+};

packages/service/support/permission/dataset/auth.ts

@@ -78,7 +78,7 @@ export const authDatasetByTmbId = async ({
           resourceType: PerResourceTypeEnum.dataset
         });
         const Per = new DatasetPermission({
-          per: rp?.permission ?? dataset.defaultPermission,
+          per: rp ?? dataset.defaultPermission,
           isOwner
         });
         return {

packages/service/support/permission/inheritPermission.ts

@@ -3,8 +3,9 @@ import { MongoResourcePermission } from './schema';
 import { ClientSession, Model } from 'mongoose';
 import { NullPermission, PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
 import { PermissionValueType } from '@fastgpt/global/support/permission/type';
-import { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
 import { getResourceAllClbs } from './controller';
+import { RequireOnlyOne } from '@fastgpt/global/common/type/utils';
+import { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
 
 export type SyncChildrenPermissionResourceType = {
   _id: string;
@@ -14,8 +15,10 @@ export type SyncChildrenPermissionResourceType = {
 };
 export type UpdateCollaboratorItem = {
   permission: PermissionValueType;
+} & RequireOnlyOne<{
   tmbId: string;
-};
+  groupId: string;
+}>;
 
 // sync the permission to all children folders.
 export async function syncChildrenPermission({