-
Notifications
You must be signed in to change notification settings - Fork 4.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: new editor user permission profile #4435
base: main
Are you sure you want to change the base?
Conversation
Could you provide more detailed information, such as why this new role is needed? Also, please list all the permissions related to the editor and explain them. @chazzhou |
Hi @VincePotato, thanks for the question. I want to include the new "editor" role to provide more granular access control within Dify workspaces. It allows owners and admins to grant certain users the ability to create and manage apps, without giving them full control over workspace-level settings. The main rationale is to enable sharing workspaces with users who need to design agents and workflows, but shouldn't be able to modify critical settings like the underlying language models, installed tools, API keys, etc. This is helpful for collaborating with less technical users who are trusted to build apps, but not necessarily to manage the entire workspace configuration. Here's an overview of the permission hierarchy:
The key permission changes for the editor role are:
In summary, the editor role provides a balance between enabling app creation/management and restricting access to workspace configuration. It's a useful addition for more flexible and secure collaboration within Dify. Let me know if you have any other questions or suggestions! I'm happy to provide more details. |
@takatost Have we tested this pr? |
Hi everyone, I've updated the PR to maintain compatibility with the recent front-end changes. The main change is that buttons for editing tools will now be disabled for editors and viewers. Additionally, I've made an adjustment to the permissions for the following endpoint:
This change grants editors the ability to modify app site settings, which was previously restricted to admin users only. Please review the changes and let me know if you have any questions or concerns. Thanks! |
Just a note - this fixes a huge challenge we've had with Dify internally. Would love to see this released in a near future version. Ideally, in the future, Dify could go as far as to get to user/editor permissions on a per agent/bot/workflow basis. |
@nsvrana I'm glad it helped! Recent changes resolved the merge conflict with main. |
Description
This change introduces a new user permission profile called "editor" in the Dify workspace. The editor role can add and edit apps within the workspace, but does not have permission to manage certain workspace-level settings such as adding API keys, changing workspace models and tools, or enabling/disabling the API endpoint. However, editors can turn on/off and manage the published site for apps they have access to.
In addition, this change disallows normal users and editors to view logs, enhancing the security of the workspace.
The implementation also streamlines some places where permission checking was not using helper functions, and adds disabled states on the frontend for actions that editors do not have permission to perform.
Fixes # (issue)
Type of Change
How Has This Been Tested?
Suggested Checklist:
dev/reformat
(backend) andcd web && npx lint-staged
(frontend) to appease the lint godsoptional
I have made corresponding changes to the documentationoptional
I have added tests that prove my fix is effective or that my feature worksoptional
New and existing unit tests pass locally with my changes