use deco (#28153)

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
2025-11-21 15:25:53 +09:00
parent 3c30d0f41b
commit 1a2f8dfcb4
23 changed files with 205 additions and 317 deletions
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@@ -3,7 +3,7 @@ import uuid
 from flask_restx import Resource, fields, inputs, marshal, marshal_with, reqparse
 from sqlalchemy import select
 from sqlalchemy.orm import Session
-from werkzeug.exceptions import BadRequest, Forbidden, abort
+from werkzeug.exceptions import BadRequest, abort

 from controllers.console import api, console_ns
 from controllers.console.app.wraps import get_app_model
@@ -12,6 +12,7 @@ from controllers.console.wraps import (
    cloud_edition_billing_resource_check,
    edit_permission_required,
    enterprise_license_required,
+    is_admin_or_owner_required,
    setup_required,
 )
 from core.ops.ops_trace_manager import OpsTraceManager
@@ -485,15 +486,11 @@ class AppApiStatus(Resource):
    @api.response(403, "Insufficient permissions")
    @setup_required
    @login_required
+    @is_admin_or_owner_required
    @account_initialization_required
    @get_app_model
    @marshal_with(app_detail_fields)
    def post(self, app_model):
-        # The role of the current user in the ta table must be admin or owner
-        current_user, _ = current_account_with_tenant()
-        if not current_user.is_admin_or_owner:
-            raise Forbidden()
-
        parser = reqparse.RequestParser().add_argument("enable_api", type=bool, required=True, location="json")
        args = parser.parse_args()

--- a/api/controllers/console/app/model_config.py
+++ b/api/controllers/console/app/model_config.py
@@ -3,11 +3,10 @@ from typing import cast

 from flask import request
 from flask_restx import Resource, fields
-from werkzeug.exceptions import Forbidden

 from controllers.console import api, console_ns
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import account_initialization_required, setup_required
+from controllers.console.wraps import account_initialization_required, edit_permission_required, setup_required
 from core.agent.entities import AgentToolEntity
 from core.tools.tool_manager import ToolManager
 from core.tools.utils.configuration import ToolParameterConfigurationManager
@@ -48,15 +47,12 @@ class ModelConfigResource(Resource):
    @api.response(404, "App not found")
    @setup_required
    @login_required
+    @edit_permission_required
    @account_initialization_required
    @get_app_model(mode=[AppMode.AGENT_CHAT, AppMode.CHAT, AppMode.COMPLETION])
    def post(self, app_model):
        """Modify app model config"""
        current_user, current_tenant_id = current_account_with_tenant()
-
-        if not current_user.has_edit_permission:
-            raise Forbidden()
-
        # validate config
        model_configuration = AppModelConfigService.validate_configuration(
            tenant_id=current_tenant_id,
--- a/api/controllers/console/app/site.py
+++ b/api/controllers/console/app/site.py
@@ -1,10 +1,15 @@
 from flask_restx import Resource, fields, marshal_with, reqparse
-from werkzeug.exceptions import Forbidden, NotFound
+from werkzeug.exceptions import NotFound

 from constants.languages import supported_language
 from controllers.console import api, console_ns
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import account_initialization_required, setup_required
+from controllers.console.wraps import (
+    account_initialization_required,
+    edit_permission_required,
+    is_admin_or_owner_required,
+    setup_required,
+)
 from extensions.ext_database import db
 from fields.app_fields import app_site_fields
 from libs.datetime_utils import naive_utc_now
@@ -76,17 +81,13 @@ class AppSite(Resource):
    @api.response(404, "App not found")
    @setup_required
    @login_required
+    @edit_permission_required
    @account_initialization_required
    @get_app_model
    @marshal_with(app_site_fields)
    def post(self, app_model):
        args = parse_app_site_args()
        current_user, _ = current_account_with_tenant()
-
-        # The role of the current user in the ta table must be editor, admin, or owner
-        if not current_user.has_edit_permission:
-            raise Forbidden()
-
        site = db.session.query(Site).where(Site.app_id == app_model.id).first()
        if not site:
            raise NotFound
@@ -130,16 +131,12 @@ class AppSiteAccessTokenReset(Resource):
    @api.response(404, "App or site not found")
    @setup_required
    @login_required
+    @is_admin_or_owner_required
    @account_initialization_required
    @get_app_model
    @marshal_with(app_site_fields)
    def post(self, app_model):
-        # The role of the current user in the ta table must be admin or owner
        current_user, _ = current_account_with_tenant()
-
-        if not current_user.is_admin_or_owner:
-            raise Forbidden()
-
        site = db.session.query(Site).where(Site.app_id == app_model.id).first()

        if not site:
--- a/api/controllers/console/app/workflow.py
+++ b/api/controllers/console/app/workflow.py
@@ -983,8 +983,9 @@ class DraftWorkflowTriggerRunApi(Resource):
        Poll for trigger events and execute full workflow when event arrives
        """
        current_user, _ = current_account_with_tenant()
-        parser = reqparse.RequestParser()
-        parser.add_argument("node_id", type=str, required=True, location="json", nullable=False)
+        parser = reqparse.RequestParser().add_argument(
+            "node_id", type=str, required=True, location="json", nullable=False
+        )
        args = parser.parse_args()
        node_id = args["node_id"]
        workflow_service = WorkflowService()
@@ -1136,8 +1137,9 @@ class DraftWorkflowTriggerRunAllApi(Resource):
        """
        current_user, _ = current_account_with_tenant()

-        parser = reqparse.RequestParser()
-        parser.add_argument("node_ids", type=list, required=True, location="json", nullable=False)
+        parser = reqparse.RequestParser().add_argument(
+            "node_ids", type=list, required=True, location="json", nullable=False
+        )
        args = parser.parse_args()
        node_ids = args["node_ids"]
        workflow_service = WorkflowService()
--- a/api/controllers/console/app/workflow_draft_variable.py
+++ b/api/controllers/console/app/workflow_draft_variable.py
@@ -1,17 +1,18 @@
 import logging
-from typing import NoReturn
+from collections.abc import Callable
+from functools import wraps
+from typing import NoReturn, ParamSpec, TypeVar

 from flask import Response
 from flask_restx import Resource, fields, inputs, marshal, marshal_with, reqparse
 from sqlalchemy.orm import Session
-from werkzeug.exceptions import Forbidden

 from controllers.console import api, console_ns
 from controllers.console.app.error import (
    DraftWorkflowNotExist,
 )
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import account_initialization_required, setup_required
+from controllers.console.wraps import account_initialization_required, edit_permission_required, setup_required
 from controllers.web.error import InvalidArgumentError, NotFoundError
 from core.file import helpers as file_helpers
 from core.variables.segment_group import SegmentGroup
@@ -21,8 +22,8 @@ from core.workflow.constants import CONVERSATION_VARIABLE_NODE_ID, SYSTEM_VARIAB
 from extensions.ext_database import db
 from factories.file_factory import build_from_mapping, build_from_mappings
 from factories.variable_factory import build_segment_with_type
-from libs.login import current_user, login_required
-from models import Account, App, AppMode
+from libs.login import login_required
+from models import App, AppMode
 from models.workflow import WorkflowDraftVariable
 from services.workflow_draft_variable_service import WorkflowDraftVariableList, WorkflowDraftVariableService
 from services.workflow_service import WorkflowService
@@ -140,8 +141,11 @@ _WORKFLOW_DRAFT_VARIABLE_LIST_FIELDS = {
    "items": fields.List(fields.Nested(_WORKFLOW_DRAFT_VARIABLE_FIELDS), attribute=_get_items),
 }

+P = ParamSpec("P")
+R = TypeVar("R")

-def _api_prerequisite(f):
+
+def _api_prerequisite(f: Callable[P, R]):
    """Common prerequisites for all draft workflow variable APIs.

    It ensures the following conditions are satisfied:
@@ -155,11 +159,10 @@ def _api_prerequisite(f):
    @setup_required
    @login_required
    @account_initialization_required
+    @edit_permission_required
    @get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
-    def wrapper(*args, **kwargs):
-        assert isinstance(current_user, Account)
-        if not current_user.has_edit_permission:
-            raise Forbidden()
+    @wraps(f)
+    def wrapper(*args: P.args, **kwargs: P.kwargs):
        return f(*args, **kwargs)

    return wrapper
@@ -167,6 +170,7 @@ def _api_prerequisite(f):

@console_ns.route("/apps/<uuid:app_id>/workflows/draft/variables")
 class WorkflowVariableCollectionApi(Resource):
+    @api.expect(_create_pagination_parser())
    @api.doc("get_workflow_variables")
    @api.doc(description="Get draft workflow variables")
    @api.doc(params={"app_id": "Application ID"})
--- a/api/controllers/console/app/workflow_trigger.py
+++ b/api/controllers/console/app/workflow_trigger.py
@@ -3,12 +3,12 @@ import logging
 from flask_restx import Resource, marshal_with, reqparse
 from sqlalchemy import select
 from sqlalchemy.orm import Session
-from werkzeug.exceptions import Forbidden, NotFound
+from werkzeug.exceptions import NotFound

 from configs import dify_config
 from controllers.console import api
 from controllers.console.app.wraps import get_app_model
-from controllers.console.wraps import account_initialization_required, setup_required
+from controllers.console.wraps import account_initialization_required, edit_permission_required, setup_required
 from extensions.ext_database import db
 from fields.workflow_trigger_fields import trigger_fields, triggers_list_fields, webhook_trigger_fields
 from libs.login import current_user, login_required
@@ -29,8 +29,7 @@ class WebhookTriggerApi(Resource):
    @marshal_with(webhook_trigger_fields)
    def get(self, app_model: App):
        """Get webhook trigger for a node"""
-        parser = reqparse.RequestParser()
-        parser.add_argument("node_id", type=str, required=True, help="Node ID is required")
+        parser = reqparse.RequestParser().add_argument("node_id", type=str, required=True, help="Node ID is required")
        args = parser.parse_args()

        node_id = str(args["node_id"])
@@ -95,19 +94,19 @@ class AppTriggerEnableApi(Resource):
    @setup_required
    @login_required
    @account_initialization_required
+    @edit_permission_required
    @get_app_model(mode=AppMode.WORKFLOW)
    @marshal_with(trigger_fields)
    def post(self, app_model: App):
        """Update app trigger (enable/disable)"""
-        parser = reqparse.RequestParser()
-        parser.add_argument("trigger_id", type=str, required=True, nullable=False, location="json")
-        parser.add_argument("enable_trigger", type=bool, required=True, nullable=False, location="json")
+        parser = (
+            reqparse.RequestParser()
+            .add_argument("trigger_id", type=str, required=True, nullable=False, location="json")
+            .add_argument("enable_trigger", type=bool, required=True, nullable=False, location="json")
+        )
        args = parser.parse_args()

-        assert isinstance(current_user, Account)
        assert current_user.current_tenant_id is not None
-        if not current_user.has_edit_permission:
-            raise Forbidden()

        trigger_id = args["trigger_id"]