-
Notifications
You must be signed in to change notification settings - Fork 6.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: new editor user permission profile #4435
Conversation
Could you provide more detailed information, such as why this new role is needed? Also, please list all the permissions related to the editor and explain them. @chazzhou |
Hi @VincePotato, thanks for the question. I want to include the new "editor" role to provide more granular access control within Dify workspaces. It allows owners and admins to grant certain users the ability to create and manage apps, without giving them full control over workspace-level settings. The main rationale is to enable sharing workspaces with users who need to design agents and workflows, but shouldn't be able to modify critical settings like the underlying language models, installed tools, API keys, etc. This is helpful for collaborating with less technical users who are trusted to build apps, but not necessarily to manage the entire workspace configuration. Here's an overview of the permission hierarchy:
The key permission changes for the editor role are:
In summary, the editor role provides a balance between enabling app creation/management and restricting access to workspace configuration. It's a useful addition for more flexible and secure collaboration within Dify. Let me know if you have any other questions or suggestions! I'm happy to provide more details. |
@takatost Have we tested this pr? |
Hi everyone, I've updated the PR to maintain compatibility with the recent front-end changes. The main change is that buttons for editing tools will now be disabled for editors and viewers. Additionally, I've made an adjustment to the permissions for the following endpoint:
This change grants editors the ability to modify app site settings, which was previously restricted to admin users only. Please review the changes and let me know if you have any questions or concerns. Thanks! |
Just a note - this fixes a huge challenge we've had with Dify internally. Would love to see this released in a near future version. Ideally, in the future, Dify could go as far as to get to user/editor permissions on a per agent/bot/workflow basis. |
@nsvrana I'm glad it helped! Recent changes resolved the merge conflict with main. |
Hello there can you resolve the conflicting files. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Cool :0
Hello, can you add my wechat crazyphage? |
Co-authored-by: crazywoola <[email protected]> Co-authored-by: crazywoola <[email protected]>
I am also doing this because a team can modify assistants created by others, so I want to create a role and can only view and edit the assistants I have created. The tags table already has the createduby field, which needs to be added to the apps |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Must be admin or iwner
* commit '12c815c597b121357151c798aae6580304416937': (97 commits) fix: ExtractSetting optional value missing None as default val (langgenius#5238) version to 0.6.11 (langgenius#5224) Feat/firecrawl data source (langgenius#5232) update tooltip (langgenius#5235) fix: note editor italic (langgenius#5230) fix: z-index (langgenius#5229) Update README.md (langgenius#5228) fix: allow the name and icon of the web app to be set independently of that of the bot itself (langgenius#5225) fix: initialize site with customized icon and icon_background (langgenius#5227) feat: support firecrawl frontend code (langgenius#5226) feat(Tools): Add Feishu multi-dimensional table operation function (langgenius#5213) chore: development script for syncing Poetry lockfile (langgenius#5170) fix: workspace member's last_active should be last_active_time, but not last_login_time (langgenius#4906) fix: number variable cause type error in openai moderation (langgenius#5222) feat: new editor user permission profile (langgenius#4435) Fix: http_request delete method not working (langgenius#4975) Update README, deploy dify with YAML file on Kubernetes (langgenius#5131) feat: support tencent vector db (langgenius#3568) fix: add repo check for build-push.yml (langgenius#5141) feat: Add Optional API Key, Proxy Server, and Bypass Cache Parameters to Jina Tools (langgenius#5197) ... # Conflicts: # api/core/helper/code_executor/code_executor.py # api/requirements.txt
Co-authored-by: crazywoola <[email protected]> Co-authored-by: crazywoola <[email protected]>
@takatost @crazywoola Can you help confirm with PM about my PR? #6950 In my opinion, creating new applications requires an architecture review, and deleting applications is a dangerous operation. These actions should not be performed by the editor role. I'm also looking forward to Dify adding the ability for admins to configure specific apps that the editor role can definitely edit. |
Please don’t change this role in the way you just described - for my use case either we need separate app by app permissions or editor needs to be able to create and delete. |
Description
This change introduces a new user permission profile called "editor" in the Dify workspace. The editor role can add and edit apps within the workspace, but does not have permission to manage certain workspace-level settings such as adding API keys, changing workspace models and tools, or enabling/disabling the API endpoint. However, editors can turn on/off and manage the published site for apps they have access to.
In addition, this change disallows normal users and editors to view logs, enhancing the security of the workspace.
The implementation also streamlines some places where permission checking was not using helper functions, and adds disabled states on the frontend for actions that editors do not have permission to perform.
Fixes # (issue)
Type of Change
How Has This Been Tested?
Suggested Checklist:
dev/reformat
(backend) andcd web && npx lint-staged
(frontend) to appease the lint godsoptional
I have made corresponding changes to the documentationoptional
I have added tests that prove my fix is effective or that my feature worksoptional
New and existing unit tests pass locally with my changes