feat: org CRUD (#3380)

* feat: add org schema

* feat: org manage UI

* feat: OrgInfoModal

* feat: org tree view

* feat: org management

* fix: init root org

* feat: org permission for app

* feat: org support for dataset

* fix: disable org role control

* styles: opt type signatures

* fix: remove unused permission

* feat: delete org collaborator

packages/service/support/permission/auth/org.ts

@@ -0,0 +1,58 @@
+import { TeamPermission } from '@fastgpt/global/support/permission/user/controller';
+import { AuthModeType, AuthResponseType } from '../type';
+import { parseHeaderCert } from '../controller';
+import { getTmbInfoByTmbId } from '../../user/team/controller';
+import { TeamErrEnum } from '@fastgpt/global/common/error/code/team';
+
+export const authOrgMember = async ({
+  orgIds,
+  req,
+  authToken = false,
+  authRoot = false,
+  authApiKey = false
+}: {
+  orgIds: string | string[];
+} & AuthModeType): Promise<AuthResponseType> => {
+  const result = await parseHeaderCert({ req, authToken, authApiKey, authRoot });
+  const { teamId, tmbId, isRoot } = result;
+  if (isRoot) {
+    return {
+      teamId,
+      tmbId,
+      userId: result.userId,
+      appId: result.appId,
+      apikey: result.apikey,
+      isRoot,
+      authType: result.authType,
+      permission: new TeamPermission({ isOwner: true })
+    };
+  }
+
+  if (!Array.isArray(orgIds)) {
+    orgIds = [orgIds];
+  }
+
+  // const promises = orgIds.map((orgId) => getOrgMemberRole({ orgId, tmbId }));
+
+  const tmb = await getTmbInfoByTmbId({ tmbId });
+  if (tmb.permission.hasManagePer) {
+    return {
+      ...result,
+      permission: tmb.permission
+    };
+  }
+
+  return Promise.reject(TeamErrEnum.unAuthTeam);
+
+  // const targetRole = OrgMemberRole[role];
+  // for (const orgRole of orgRoles) {
+  //   if (!orgRole || checkOrgRole(orgRole, targetRole)) {
+  //     return Promise.reject(TeamErrEnum.unAuthTeam);
+  //   }
+  // }
+
+  // return {
+  //   ...result,
+  //   permission: tmb.permission
+  // };
+};

packages/service/support/permission/controller.ts

@@ -21,6 +21,7 @@ import { CommonErrEnum } from '@fastgpt/global/common/error/code/common';
 import { MemberGroupSchemaType } from '@fastgpt/global/support/permission/memberGroup/type';
 import { TeamMemberSchema } from '@fastgpt/global/support/user/team/type';
 import { UserModelSchema } from '@fastgpt/global/support/user/type';
+import { OrgSchemaType } from '@fastgpt/global/support/user/team/org/type';
 
 /** get resource permission for a team member
  * If there is no permission for the team member, it will return undefined
@@ -186,6 +187,16 @@ export const getClbsAndGroupsWithInfo = async ({
       }
     })
       .populate<{ group: MemberGroupSchemaType }>('group', 'name avatar')
+      .lean(),
+    MongoResourcePermission.find({
+      teamId,
+      resourceId,
+      resourceType,
+      orgId: {
+        $exists: true
+      }
+    })
+      .populate<{ org: OrgSchemaType }>({ path: 'org', select: 'name avatar' })
       .lean()
   ]);
 
@@ -196,6 +207,7 @@ export const delResourcePermission = ({
   session,
   tmbId,
   groupId,
+  orgId,
   ...props
 }: {
   resourceType: PerResourceTypeEnum;
@@ -204,15 +216,18 @@ export const delResourcePermission = ({
   session?: ClientSession;
   tmbId?: string;
   groupId?: string;
+  orgId?: string;
 }) => {
-  // tmbId or groupId only one and not both
-  if (!!tmbId === !!groupId) {
+  // either tmbId or groupId or orgId must be provided
+  if (!tmbId && !groupId && !orgId) {
     return Promise.reject(CommonErrEnum.missingParams);
   }
+
   return MongoResourcePermission.deleteOne(
     {
       ...(tmbId ? { tmbId } : {}),
       ...(groupId ? { groupId } : {}),
+      ...(orgId ? { orgId } : {}),
       ...props
     },
     { session }
@@ -250,7 +265,7 @@ export function authJWT(token: string) {
   }>((resolve, reject) => {
     const key = process.env.TOKEN_KEY as string;
 
-    jwt.verify(token, key, function (err, decoded: any) {
+    jwt.verify(token, key, (err, decoded: any) => {
       if (err || !decoded?.userId) {
         reject(ERROR_ENUM.unAuthorization);
         return;
@@ -436,7 +451,7 @@ export const authFileToken = (token?: string) =>
     }
     const key = (process.env.FILE_TOKEN_KEY as string) ?? 'filetoken';
 
-    jwt.verify(token, key, function (err, decoded: any) {
+    jwt.verify(token, key, (err, decoded: any) => {
       if (err || !decoded.bucketName || !decoded?.teamId || !decoded?.fileId) {
         reject(ERROR_ENUM.unAuthFile);
         return;

packages/service/support/permission/inheritPermission.ts

@@ -1,11 +1,11 @@
 import { mongoSessionRun } from '../../common/mongo/sessionRun';
 import { MongoResourcePermission } from './schema';
-import { ClientSession, Model } from 'mongoose';
-import { PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
-import { PermissionValueType } from '@fastgpt/global/support/permission/type';
+import type { ClientSession, Model } from 'mongoose';
+import type { PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
+import type { PermissionValueType } from '@fastgpt/global/support/permission/type';
 import { getResourceClbsAndGroups } from './controller';
-import { RequireOnlyOne } from '@fastgpt/global/common/type/utils';
-import { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
+import type { RequireOnlyOne } from '@fastgpt/global/common/type/utils';
+import type { ParentIdType } from '@fastgpt/global/common/parentFolder/type';
 
 export type SyncChildrenPermissionResourceType = {
   _id: string;
@@ -18,6 +18,7 @@ export type UpdateCollaboratorItem = {
 } & RequireOnlyOne<{
   tmbId: string;
   groupId: string;
+  orgId: string;
 }>;
 
 // sync the permission to all children folders.
@@ -161,7 +162,7 @@ export async function resumeInheritPermission({
   }
 }
 
-/* 
+/*
   Delete all the collaborators and then insert the new collaborators.
 */
 export async function syncCollaborators({

packages/service/support/permission/org/controllers.ts

@@ -0,0 +1,174 @@
+import { TeamErrEnum } from '@fastgpt/global/common/error/code/team';
+import type {
+  OrgMemberSchemaType,
+  OrgSchemaType
+} from '@fastgpt/global/support/user/team/org/type';
+import type { ClientSession } from 'mongoose';
+import { MongoOrgModel } from './orgSchema';
+import { MongoOrgMemberModel } from './orgMemberSchema';
+
+// if role1 > role2, return 1
+// if role1 < role2, return -1
+// else return 0
+// export const compareRole = (role1: OrgMemberRole, role2: OrgMemberRole) => {
+//   if (role1 === OrgMemberRole.owner) {
+//     if (role2 === OrgMemberRole.owner) {
+//       return 0;
+//     }
+//     return 1;
+//   }
+//   if (role2 === OrgMemberRole.owner) {
+//     return -1;
+//   }
+//   if (role1 === OrgMemberRole.admin) {
+//     if (role2 === OrgMemberRole.admin) {
+//       return 0;
+//     }
+//     return 1;
+//   }
+//   if (role2 === OrgMemberRole.admin) {
+//     return -1;
+//   }
+//   return 0;
+// };
+
+// export const checkOrgRole = (role: OrgMemberRole, targetRole: OrgMemberRole) => {
+//   return compareRole(role, targetRole) >= 0;
+// };
+
+export const getOrgsByTeamId = async (teamId: string) => {
+  const orgs = await MongoOrgModel.find({
+    teamId
+  })
+    .populate<{ members: OrgMemberSchemaType }>('members')
+    .lean();
+
+  return orgs;
+};
+
+export const getOrgsByTmbId = async ({ teamId, tmbId }: { teamId: string; tmbId: string }) =>
+  MongoOrgMemberModel.find({ teamId, tmbId }, 'orgId').lean();
+
+export const getChildrenByOrg = async ({
+  org,
+  teamId,
+  session
+}: {
+  org: OrgSchemaType;
+  teamId: string;
+  session?: ClientSession;
+}) => {
+  const children = await MongoOrgModel.find(
+    { teamId, path: { $regex: `^${org.path}/${org._id}` } },
+    undefined,
+    {
+      session
+    }
+  ).lean();
+  return children;
+};
+
+export const getOrgAndChildren = async ({
+  orgId,
+  teamId,
+  session
+}: {
+  orgId: string;
+  teamId: string;
+  session?: ClientSession;
+}) => {
+  const org = await MongoOrgModel.findOne({ _id: orgId, teamId }, undefined, { session }).lean();
+  if (!org) {
+    return Promise.reject(TeamErrEnum.orgNotExist);
+  }
+  const children = await getChildrenByOrg({ org, teamId, session });
+  return { org, children };
+};
+
+export async function createRootOrg({
+  teamId,
+  session
+}: {
+  teamId: string;
+  session?: ClientSession;
+}) {
+  // Create the root org
+  const [org] = await MongoOrgModel.create(
+    [
+      {
+        teamId,
+        name: 'ROOT',
+        path: ''
+      }
+    ],
+    { session }
+  );
+  // Find the team's owner
+  // const owner = await MongoTeamMember.findOne({ teamId, role: 'owner' }, undefined);
+  // if (!owner) {
+  //   return Promise.reject(TeamErrEnum.unAuthTeam);
+  // }
+
+  // Set the owner as the org admin
+  // await MongoOrgMemberModel.create(
+  //   [
+  //     {
+  //       orgId: org._id,
+  //       tmbId: owner._id
+
+  //     }
+  //   ],
+  //   { session }
+  // );
+}
+
+// export const getOrgMemberRole = async ({
+//   orgId,
+//   tmbId
+// }: {
+//   orgId: string;
+//   tmbId: string;
+// }): Promise<OrgMemberRole | undefined> => {
+//   let role: OrgMemberRole | undefined;
+//   const orgMember = await MongoOrgMemberModel.findOne({
+//     orgId,
+//     tmbId
+//   })
+//     .populate('orgId')
+//     .lean();
+//   if (orgMember) {
+//     role = OrgMemberRole[orgMember.role];
+//   } else {
+//     return role;
+//   }
+//   if (role === OrgMemberRole.owner) {
+//     return role;
+//   }
+//   // Check the parent orgs
+//   const org = orgMember.orgId as unknown as OrgSchemaType;
+//   if (!org) {
+//     return Promise.reject(TeamErrEnum.orgNotExist);
+//   }
+//   const parentIds = org.path.split('/').filter((id) => id);
+//   if (parentIds.length === 0) {
+//     return role;
+//   }
+//   const parentOrgMembers = await MongoOrgMemberModel.find({
+//     orgId: {
+//       $in: parentIds
+//     },
+//     tmbId
+//   }).lean();
+//   // Update the role to the highest role
+//   for (const parentOrgMember of parentOrgMembers) {
+//     const parentRole = OrgMemberRole[parentOrgMember.role];
+//     if (parentRole === OrgMemberRole.owner) {
+//       role = parentRole;
+//       break;
+//     }
+//     if (parentRole === OrgMemberRole.admin && role === OrgMemberRole.member) {
+//       role = parentRole;
+//     }
+//   }
+//   return role;
+// };

packages/service/support/permission/org/orgMemberSchema.ts

@@ -0,0 +1,58 @@
+import { OrgCollectionName } from '@fastgpt/global/support/user/team/org/constant';
+import { connectionMongo, getMongoModel } from '../../../common/mongo';
+import {
+  TeamCollectionName,
+  TeamMemberCollectionName
+} from '@fastgpt/global/support/user/team/constant';
+import { OrgMemberSchemaType } from '@fastgpt/global/support/user/team/org/type';
+const { Schema } = connectionMongo;
+
+export const OrgMemberCollectionName = 'team_org_members';
+
+export const OrgMemberSchema = new Schema({
+  teamId: {
+    type: Schema.Types.ObjectId,
+    ref: TeamCollectionName,
+    required: true
+  },
+  orgId: {
+    type: Schema.Types.ObjectId,
+    ref: OrgCollectionName,
+    required: true
+  },
+  tmbId: {
+    type: Schema.Types.ObjectId,
+    ref: TeamMemberCollectionName,
+    required: true
+  }
+  // role: {
+  //   type: String,
+  //   enum: Object.values(OrgMemberRole),
+  //   required: true,
+  //   default: OrgMemberRole.member
+  // }
+});
+
+try {
+  OrgMemberSchema.index(
+    {
+      teamId: 1,
+      orgId: 1,
+      tmbId: 1
+    },
+    {
+      unique: true
+    }
+  );
+  OrgMemberSchema.index({
+    teamId: 1,
+    tmbId: 1
+  });
+} catch (error) {
+  console.log(error);
+}
+
+export const MongoOrgMemberModel = getMongoModel<OrgMemberSchemaType>(
+  OrgMemberCollectionName,
+  OrgMemberSchema
+);

packages/service/support/permission/org/orgSchema.ts

@@ -0,0 +1,69 @@
+import { TeamCollectionName } from '@fastgpt/global/support/user/team/constant';
+import { OrgCollectionName } from '@fastgpt/global/support/user/team/org/constant';
+import type { OrgSchemaType } from '@fastgpt/global/support/user/team/org/type';
+import { connectionMongo, getMongoModel } from '../../../common/mongo';
+import { ResourcePermissionCollectionName } from '../schema';
+import { OrgMemberCollectionName } from './orgMemberSchema';
+const { Schema } = connectionMongo;
+
+function requiredStringPath(this: OrgSchemaType) {
+  return typeof this.path !== 'string';
+}
+
+export const OrgSchema = new Schema(
+  {
+    teamId: {
+      type: Schema.Types.ObjectId,
+      ref: TeamCollectionName,
+      required: true
+    },
+    path: {
+      type: String,
+      required: requiredStringPath // allow empty string, but not null
+    },
+    name: {
+      type: String,
+      required: true
+    },
+    avatar: String,
+    description: String,
+    updateTime: {
+      type: Date,
+      default: () => new Date()
+    }
+  },
+  {
+    // Auto update updateTime
+    timestamps: {
+      updatedAt: 'updateTime'
+    }
+  }
+);
+
+OrgSchema.virtual('members', {
+  ref: OrgMemberCollectionName,
+  localField: '_id',
+  foreignField: 'orgId'
+});
+OrgSchema.virtual('permission', {
+  ref: ResourcePermissionCollectionName,
+  localField: '_id',
+  foreignField: 'orgId',
+  justOne: true
+});
+
+try {
+  OrgSchema.index(
+    {
+      teamId: 1,
+      path: 1
+    },
+    {
+      unique: true
+    }
+  );
+} catch (error) {
+  console.log(error);
+}
+
+export const MongoOrgModel = getMongoModel<OrgSchemaType>(OrgCollectionName, OrgSchema);

packages/service/support/permission/schema.ts

@@ -6,6 +6,7 @@ import { connectionMongo, getMongoModel } from '../../common/mongo';
 import type { ResourcePermissionType } from '@fastgpt/global/support/permission/type';
 import { PerResourceTypeEnum } from '@fastgpt/global/support/permission/constant';
 import { MemberGroupCollectionName } from './memberGroup/memberGroupSchema';
+import { OrgCollectionName } from '@fastgpt/global/support/user/team/org/constant';
 const { Schema } = connectionMongo;
 
 export const ResourcePermissionCollectionName = 'resource_permissions';
@@ -23,6 +24,10 @@ export const ResourcePermissionSchema = new Schema({
     type: Schema.Types.ObjectId,
     ref: MemberGroupCollectionName
   },
+  orgId: {
+    type: Schema.Types.ObjectId,
+    ref: OrgCollectionName
+  },
   resourceType: {
     type: String,
     enum: Object.values(PerResourceTypeEnum),
@@ -51,6 +56,12 @@ ResourcePermissionSchema.virtual('group', {
   foreignField: '_id',
   justOne: true
 });
+ResourcePermissionSchema.virtual('org', {
+  ref: OrgCollectionName,
+  localField: 'orgId',
+  foreignField: '_id',
+  justOne: true
+});
 
 try {
   ResourcePermissionSchema.index(
@@ -70,6 +81,23 @@ try {
     }
   );
 
+  ResourcePermissionSchema.index(
+    {
+      resourceType: 1,
+      teamId: 1,
+      resourceId: 1,
+      orgId: 1
+    },
+    {
+      unique: true,
+      partialFilterExpression: {
+        orgId: {
+          $exists: true
+        }
+      }
+    }
+  );
+
   ResourcePermissionSchema.index(
     {
       resourceType: 1,

packages/service/support/user/team/controller.ts

@@ -16,6 +16,7 @@ import { MongoMemberGroupModel } from '../../permission/memberGroup/memberGroupS
 import { mongoSessionRun } from '../../../common/mongo/sessionRun';
 import { DefaultGroupName } from '@fastgpt/global/support/user/team/group/constant';
 import { getAIApi, openaiBaseUrl } from '../../../core/ai/config';
+import { createRootOrg } from '../../permission/org/controllers';
 
 async function getTeamMember(match: Record<string, any>): Promise<TeamTmbItemType> {
   const tmb = await MongoTeamMember.findOne(match).populate<{ team: TeamSchema }>('team').lean();
@@ -132,7 +133,8 @@ export async function createDefaultTeam({
       ],
       { session }
     );
-    console.log('create default team and group', userId);
+    await createRootOrg({ teamId: tmb.teamId, session });
+    console.log('create default team, group and root org', userId);
     return tmb;
   } else {
     console.log('default team exist', userId);