Feature: Add Team/User Management REST Endpoints and Dataset/Canvas Permission Framework #11580
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ding test cases to be compliant with PEP 8, Ruff, and MyPy standards.
…swords in create user.
…e new auth API's.
…heck-existing-REST-endponts-and-extend-with-new-requested-endpoints
…s defaults for a team.
… a team and accept/reject team joining invitation.
… a team and accept/reject team joining invitation.
…nd advanced team tests Co-authored-by: teddius <890232+teddius@users.noreply.github.com>
…eusable variables and funtions to the conftest.py file.
…dd members to a department and remove members from a department.
…onts-and-extend-with-new-requested-endpoints
Member
|
@hetavi-bluexkye Please fix following errors reported by CI: |
Author
I've resolved all the CI issues listed above in my latest commit. Please review the changes and let me know if you spot anything else that should be updated. |
Member
You can access the ci error console to see the error message. |
Author
The're this module not found error, but it exists in the uv.lock file and pyproject.toml as well.
|
hetavi-bluexkye
commented
Dec 1, 2025
test/testcases/conftest.py
Outdated
| import pytest | ||
| import requests | ||
| from configs import EMAIL, HOST_ADDRESS, PASSWORD, VERSION, ZHIPU_AI_API_KEY | ||
| from Cryptodome.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5 # type: ignore |
Author
There was a problem hiding this comment.
I've tried doing that as well, but the issue still persists. However the server and pycharm IDE detects the Cryptodome module correctly, but both the Cursor IDE and the CI environment still report the same import error.
yuzhichang
requested changes
Dec 2, 2025
pyproject.toml
Outdated
| "pyobvector==0.2.18", | ||
| "exceptiongroup>=1.3.0,<2.0.0" | ||
| "exceptiongroup>=1.3.0,<2.0.0", | ||
| "crypto>=1.4.1", |
Member
There was a problem hiding this comment.
The crypto looks unnecessary.
test/testcases/conftest.py
Outdated
| import pytest | ||
| import requests | ||
| from configs import EMAIL, HOST_ADDRESS, PASSWORD, VERSION, ZHIPU_AI_API_KEY | ||
| from Crypto.Cipher import PKCS1_v1_5 as Cipher_pkcs1_v1_5 |
Member
There was a problem hiding this comment.
You need to edit pyproject.toml to add pycryptodomex to test group.
According to https://pypi.org/project/pycryptodomex/,
All modules are installed under the Cryptodome package.
So please replace all Crypto with Cryptodome everywhere in the repo.
Author
There was a problem hiding this comment.
I updated the imports, and also fixed pyproject.toml, But still the module not found error persists, also its just compile time issue, on runtime the things are working well.
Member
There was a problem hiding this comment.
I don't see pyproject.toml and uv.lock changes in your change.
Suggest enable Allow maintainer to edit for all PRs so that we can help you fix CI issues.
Author
There was a problem hiding this comment.
We're happy to make changes you suggest, but we do not find the button to allow the edit access.
Member
There was a problem hiding this comment.
Make sure both pyproject.toml and uv.lock have been modified.
PS: Allow maintainer to edit is not suitable for you because your PR comes from a fork from your organization. If the PR comes from your personal fork, this can be selected.
As a result, you have to try to fix the CI issues by yourself~~
…onts-and-extend-with-new-requested-endpoints
Member
|
The import error is fixed, but the CI can still not work. I think you can setup the CI environment by yourself to see the error log from docker to find out the reason why it cannot connect to service. |
Author
|
@yingfeng Thanks, I’ll set up the CI environment locally using the docker-compose config from the workflow and check the service logs. This should help me debug the Elasticsearch connection issue. I’ll update once I have findings. |
yuzhichang
reviewed
Dec 2, 2025
| "reportlab>=4.4.1", | ||
| "requests>=2.32.2", | ||
| "requests-toolbelt>=1.0.0", | ||
| "pycryptodomex==3.20.0", |
Member
There was a problem hiding this comment.
Don't move. Both the default and the test group need pycryptodomex.
Author
There was a problem hiding this comment.
Okay, I'll keep at both the places.
Member
|
There are a series of errors on the |
…onts-and-extend-with-new-requested-endpoints
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New REST API Endpoints
Below is the list of all the new REST API endpoints added in the feature branch
feature/OND211-2329-Check-existing-REST-endponts-and-extend-with-new-requested-endpoints.Team Management Endpoints
All team management endpoints are under the
/tenantbase path and require authentication.1. Create Team
Endpoint:
POST /tenant/createDescription: Create a new team (tenant). Requires authentication - any registered user can create a team.
Request Body:
{ "name": "string (required, max 100 characters)", "user_id": "string (optional, defaults to current authenticated user)", "llm_id": "string (optional, defaults to system default)", "embd_id": "string (optional, defaults to system default)", "asr_id": "string (optional, defaults to system default)", "parser_ids": "string (optional, defaults to system default)", "img2txt_id": "string (optional, defaults to system default)", "rerank_id": "string (optional, defaults to system default)", "credit": "integer (optional, defaults to 512)" }Response: Returns created team information with ID, name, owner_id, and model IDs.
Status Codes:
200- Team created successfully400- Invalid request or user not found401- Unauthorized - authentication required500- Server error during team creation2. Update Team
Endpoint:
PUT /tenant/<tenant_id>Description: Update team details. Only OWNER or ADMIN can update team information.
Path Parameters:
tenant_id(string, required) - Team IDRequest Body:
{ "name": "string (optional, max 100 characters)", "llm_id": "string (optional, must be added by the user)", "embd_id": "string (optional, must be added by the user)", "asr_id": "string (optional, must be added by the user)", "img2txt_id": "string (optional, must be added by the user)", "rerank_id": "string (optional, must be added by the user)", "tts_id": "string (optional, must be added by the user)", "parser_ids": "string (optional)", "credit": "integer (optional)" }Response: Returns updated team information.
Status Codes:
200- Team updated successfully400- Invalid request401- Unauthorized403- Forbidden - not owner or admin404- Team not found3. Accept/Reject Team Invitation
Endpoint:
PUT /tenant/update-request/<tenant_id>Description: Accept or reject a team invitation. User must have INVITE role.
Path Parameters:
tenant_id(string, required) - Team IDRequest Body:
{ "accept": "boolean (required) - true to accept, false to reject", "role": "string (optional) - 'normal' or 'admin', only used when accept=true, defaults to 'normal'" }Response: Returns success status.
Status Codes:
200- Invitation processed successfully400- Invalid request401- Unauthorized404- Invitation not found4. Add Users to Team
Endpoint:
POST /tenant/<tenant_id>/users/addDescription: Add one or more users directly to a team. Only OWNER or ADMIN can add users. Users are added immediately without requiring invitation acceptance. Supports both single user and bulk operations.
Path Parameters:
tenant_id(string, required) - Team IDRequest Body:
{ "users": [ "string (email) or object with email and role", { "email": "string (required)", "role": "string (optional) - 'normal', 'admin', or 'invite', defaults to 'normal'" } ] }Response:
{ "added": [ { "id": "string", "email": "string", "nickname": "string", "avatar": "string", "role": "string" } ], "failed": [ { "email": "string", "error": "string" } ] }Status Codes:
200- Users added successfully (may include partial failures)400- Invalid request401- Unauthorized403- Forbidden - not owner or admin5. Remove User from Team
Endpoint:
POST /tenant/<tenant_id>/user/removeDescription: Remove a user from a team. Only OWNER or ADMIN can remove users. Owners cannot be removed.
Path Parameters:
tenant_id(string, required) - Team IDRequest Body:
{ "user_id": "string (required)" }Response:
{ "user_id": "string", "email": "string" }Status Codes:
200- User removed successfully400- Invalid request401- Unauthorized403- Forbidden - not owner or admin6. Promote User to Admin
Endpoint:
POST /tenant/<tenant_id>/admin/<user_id>/promoteDescription: Promote a team member to admin role. Only team owners can promote members to admin. Cannot promote the team owner (owner role is permanent).
Path Parameters:
tenant_id(string, required) - Team IDuser_id(string, required) - User ID to promote to adminResponse: Returns success status and message.
Status Codes:
200- User promoted to admin successfully400- Invalid request or user not found401- Unauthorized403- Forbidden - not team owner404- User not found in team7. Demote Admin to Normal Member
Endpoint:
POST /tenant/<tenant_id>/admin/<user_id>/demoteDescription: Demote a team admin to normal member. Only team owners can demote admins. Cannot demote the team owner (owner role is permanent). Cannot demote yourself if you're the only admin/owner.
Path Parameters:
tenant_id(string, required) - Team IDuser_id(string, required) - User ID to demote from adminResponse: Returns success status and message.
Status Codes:
200- Admin demoted to normal member successfully400- Invalid request or user not found401- Unauthorized403- Forbidden - not team owner404- User not found in team or not an admin8. Get User Permissions
Endpoint:
GET /tenant/<tenant_id>/users/<user_id>/permissionsDescription: Get CRUD permissions for a team member. Only team owners or admins can view permissions.
Path Parameters:
tenant_id(string, required) - Team IDuser_id(string, required) - User ID to get permissions forResponse:
{ "dataset": { "create": "boolean", "read": "boolean", "update": "boolean", "delete": "boolean" }, "canvas": { "create": "boolean", "read": "boolean", "update": "boolean", "delete": "boolean" } }Status Codes:
200- Permissions retrieved successfully401- Unauthorized403- Forbidden - not team owner or admin404- User not found in team9. Update User Permissions
Endpoint:
PUT /tenant/<tenant_id>/users/<user_id>/permissionsDescription: Update CRUD permissions for a team member. Only team owners or admins can update permissions. Owners and admins always have full permissions and cannot be restricted.
Path Parameters:
tenant_id(string, required) - Team IDuser_id(string, required) - User ID to update permissions forRequest Body:
{ "permissions": { "dataset": { "create": "boolean (optional)", "read": "boolean (optional)", "update": "boolean (optional)", "delete": "boolean (optional)" }, "canvas": { "create": "boolean (optional)", "read": "boolean (optional)", "update": "boolean (optional)", "delete": "boolean (optional)" } } }Response: Returns updated permissions object.
Status Codes:
200- Permissions updated successfully400- Invalid request401- Unauthorized403- Forbidden - not team owner or admin, or trying to restrict owner/admin404- User not found in teamUser Management Endpoints
All user management endpoints are under the
/userbase path.10. Create User
Endpoint:
POST /user/createDescription: Create a new user. Requires authentication.
Request Body:
{ "nickname": "string (required)", "email": "string (required, valid email format)", "password": "string (required, plain text or RSA-encrypted)", "is_superuser": "boolean (optional, default: false)" }Response: Returns created user information (id, email, nickname).
Status Codes:
200- User created successfully400- Invalid request or email already exists401- Unauthorized - authentication required500- Server error during user creation11. Update User
Endpoint:
PUT /user/updateDescription: Update an existing user. Users can only update their own account.
Request Body:
{ "user_id": "string (optional, if email is provided)", "email": "string (optional, used to identify user or as new_email if user_id provided)", "new_email": "string (optional, new email address)", "nickname": "string (optional)", "password": "string (optional, encrypted)", "is_superuser": "boolean (optional)" }Response: Returns updated user information.
Status Codes:
200- User updated successfully400- Invalid request or user not found403- Forbidden - users can only update their own account500- Server error during user update12. List Users
Endpoint:
GET /user/listDescription: List all users. Requires authentication. Supports pagination and email filtering.
Query Parameters:
page(integer, optional) - Page number for paginationpage_size(integer, optional) - Number of items per pageemail(string, optional) - Filter by email addressResponse:
{ "users": [ { "id": "string", "email": "string", "nickname": "string", "is_superuser": "boolean" } ], "total": 0 }, "message": "string" }Status Codes:
200- Users retrieved successfully401- Unauthorized - authentication required500- Server error during user listing13. Delete User
Endpoint:
DELETE /user/deleteDescription: Delete a user. Users can only delete their own account. Requires authentication.
Request Body:
{ "user_id": "string (optional, if email is provided)", "email": "string (optional, if user_id is provided)" }Response: Returns success status and message.
Status Codes:
200- User deleted successfully400- Invalid request or user not found401- Unauthorized - authentication required403- Forbidden - users can only delete their own account500- Server error during user deletionSummary
Total New Endpoints: 13
All endpoints include proper authentication, authorization checks, input validation, and comprehensive error handling. The endpoints follow RESTful conventions and include detailed API documentation in their docstrings.
Canvas Authentication & Authorization
A comprehensive canvas permission system has been added to control access to canvases (agent canvases and dataflow canvases) within teams.
Canvas Permission Model
Canvases can be shared with teams using the following fields:
permission: Can be"me"(private) or"team"(shared with team)shared_tenant_id: Optional field to specify which specific team the canvas is shared with (only used whenpermissionis"team")Canvas CRUD Permissions
Canvas permissions are managed through the same permission system as datasets. Each team member can have the following permissions for canvases:
create: Create new team canvasesread: View and run team canvasesupdate: Modify team canvasesdelete: Delete team canvasesPermission Hierarchy
Canvas Access Control
The
UserCanvasService.accessible()method checks permissions before allowing canvas operations:permission="team", the system checks:shared_tenant_idor canvas owner's team)permission="me", only the owner can access itCanvas Endpoints with Permission Checks
The following canvas endpoints now enforce permission checks:
GET /canvas/get/<canvas_id>- RequiresreadpermissionPOST /canvas/set- Requirescreatepermission for new team canvases,updatepermission for existing canvasesPOST /canvas/rm- RequiresdeletepermissionPOST /canvas/completion- Requiresreadpermission (to run the canvas)POST /canvas/reset- RequiresupdatepermissionPOST /canvas/debug- RequiresreadpermissionCanvas Sharing Workflow
Create Team Canvas:
createpermission in the target teampermission="team"and optionallyshared_tenant_idto share with a specific teamshared_tenant_idis not provided, canvas is shared with the owner's default teamAccess Team Canvas:
readto view,updateto modify, etc.)List Team Canvases:
shared_tenant_idIntegration with Team Permissions API
Canvas permissions are managed through the same endpoints as dataset permissions:
GET /tenant/<tenant_id>/users/<user_id>/permissions- Returns canvas permissions along with dataset permissionsPUT /tenant/<tenant_id>/users/<user_id>/permissions- Updates canvas permissions along with dataset permissionsExample permissions structure:
{ "dataset": { "create": false, "read": true, "update": false, "delete": false }, "canvas": { "create": true, "read": true, "update": true, "delete": false } }Notes
data,message, andcodefieldsType of change