Fix team member cannot edit agent

api/apps/restful_apis/agent_api.py

@@ -72,7 +72,25 @@ def _require_canvas_access_sync(func):
     @wraps(func)
     def wrapper(*args, **kwargs):
         if not UserCanvasService.accessible(kwargs.get('agent_id'), kwargs.get('tenant_id')):
-            return get_json_result(data=False, message="Only owner of canvas authorized for this operation.", code=RetCode.OPERATING_ERROR)
+            return get_json_result(data=False, message="Make sure you have permission to access the agent.", code=RetCode.OPERATING_ERROR)
+        return func(*args, **kwargs)
+    return wrapper
+
+
+def _require_canvas_access_async(func):
+    @wraps(func)
+    async def wrapper(*args, **kwargs):
+        if not UserCanvasService.accessible(kwargs.get('agent_id'), kwargs.get('tenant_id')):
+            return get_json_result(data=False, message="Make sure you have permission to access the agent.", code=RetCode.OPERATING_ERROR)
+        return await func(*args, **kwargs)
+    return wrapper
+
+
+def _require_canvas_owner_sync(func):
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        if not UserCanvasService.query(user_id=kwargs.get('tenant_id'), id=kwargs.get('agent_id')):
+            return get_json_result(data=False, message="Only the owner of the agent is authorized for this operation.", code=RetCode.OPERATING_ERROR)
         return func(*args, **kwargs)
     return wrapper
 
@@ -172,6 +190,7 @@ def list_agent_sessions(agent_id, tenant_id):
 @manager.route("/agents/<agent_id>/sessions", methods=["POST"])  # noqa: F821
 @login_required
 @add_tenant_id_to_kwargs
+@_require_canvas_access_async
 async def create_agent_session(agent_id, tenant_id):
     req = await get_request_json()
     user_id = req.get("user_id") or request.args.get("user_id", tenant_id)
@@ -422,18 +441,12 @@ async def upload_agent_file(agent_id):
 @manager.route("/agents/<agent_id>/components/<component_id>/input-form", methods=["GET"])  # noqa: F821
 @login_required
 @add_tenant_id_to_kwargs
+@_require_canvas_access_sync
 def get_agent_component_input_form(agent_id, component_id, tenant_id):
     try:
         exists, user_canvas = UserCanvasService.get_by_id(agent_id)
         if not exists:
             return get_data_error_result(message="canvas not found.")
-        if not UserCanvasService.query(user_id=tenant_id, id=agent_id):
-            return get_json_result(
-                data=False,
-                message="Only owner of canvas authorized for this operation.",
-                code=RetCode.OPERATING_ERROR,
-            )
-
         canvas = Canvas(json.dumps(user_canvas.dsl), tenant_id, canvas_id=user_canvas.id)
         return get_json_result(data=canvas.get_component_input_form(component_id))
     except Exception as exc:
@@ -444,14 +457,9 @@ def get_agent_component_input_form(agent_id, component_id, tenant_id):
 @validate_request("params")
 @login_required
 @add_tenant_id_to_kwargs
+@_require_canvas_access_async
 async def debug_agent_component(agent_id, component_id, tenant_id):
     req = await get_request_json()
-    if not UserCanvasService.accessible(agent_id, tenant_id):
-        return get_json_result(
-            data=False,
-            message="Only owner of canvas authorized for this operation.",
-            code=RetCode.OPERATING_ERROR,
-        )
     try:
         _, user_canvas = UserCanvasService.get_by_id(agent_id)
         canvas = Canvas(json.dumps(user_canvas.dsl), tenant_id, canvas_id=user_canvas.id)
@@ -569,24 +577,18 @@ def get_agent_logs(agent_id, message_id, tenant_id):
 @manager.route("/agents/<agent_id>", methods=["DELETE"])  # noqa: F821
 @login_required
 @add_tenant_id_to_kwargs
+@_require_canvas_owner_sync
 def delete_agent(agent_id, tenant_id):
-    if not UserCanvasService.query(user_id=tenant_id, id=agent_id):
-        return get_json_result(
-            data=False,
-            message="Only owner of canvas authorized for this operation.",
-            code=RetCode.OPERATING_ERROR,
-        )
-
     UserCanvasService.delete_by_id(agent_id)
     return get_json_result(data=True)
 
 
 @manager.route("/agents/<agent_id>", methods=["PUT"])  # noqa: F821
 @login_required
 @add_tenant_id_to_kwargs
+@_require_canvas_access_async
 async def update_agent(agent_id, tenant_id):
     req = {k: v for k, v in (await get_request_json()).items() if v is not None}
-    req["user_id"] = tenant_id
     req["release"] = bool(req.get("release", ""))
 
     if req.get("dsl") is not None:
@@ -602,13 +604,6 @@ async def update_agent(agent_id, tenant_id):
     if req.get("title") is not None:
         req["title"] = req["title"].strip()
 
-    if not UserCanvasService.query(user_id=tenant_id, id=agent_id):
-        return get_json_result(
-            data=False,
-            message="Only owner of canvas authorized for this operation.",
-            code=RetCode.OPERATING_ERROR,
-        )
-
     _, current_agent = UserCanvasService.get_by_id(agent_id)
     agent_title_for_version = req.get("title") or (current_agent.title if current_agent else "")
     canvas_category = (
@@ -642,14 +637,8 @@ async def update_agent(agent_id, tenant_id):
 @manager.route("/agents/<agent_id>/reset", methods=["POST"])  # noqa: F821
 @login_required
 @add_tenant_id_to_kwargs
+@_require_canvas_access_async
 async def reset_agent(agent_id, tenant_id):
-    if not UserCanvasService.accessible(agent_id, tenant_id):
-        return get_json_result(
-            data=False,
-            message="Only owner of canvas authorized for this operation.",
-            code=RetCode.OPERATING_ERROR,
-        )
-
     try:
         exists, user_canvas = UserCanvasService.get_by_id(agent_id)
         if not exists:
@@ -911,10 +900,11 @@ async def agent_chat_completion(tenant_id, agent_id=None):
         runtime_user_id = req.get("user_id") or tenant_id
         user_id = str(runtime_user_id)
         custom_header = req.get("custom_header", "")
-        if not await thread_pool_exec(UserCanvasService.accessible, agent_id, tenant_id):
+
+        if not UserCanvasService.accessible(agent_id, tenant_id):
             return get_json_result(
                 data=False,
-                message="Only owner of canvas authorized for this operation.",
+                message="Make sure you have permission to access the agent.",
                 code=RetCode.OPERATING_ERROR,
             )
 

test/testcases/test_http_api/test_session_management/test_agent_sessions.py

@@ -108,8 +108,8 @@ def test_agent_crud_validation_contract(self, HttpApiAuth, agent_id):
         update_url = f"{HOST_ADDRESS}/api/{VERSION}/agents/invalid-agent-id"
         res = requests.put(update_url, auth=HttpApiAuth, json={"title": "updated", "dsl": MINIMAL_DSL}).json()
         assert res["code"] == 103, res
-        assert "Only owner of canvas authorized" in res["message"], res
+        assert "Make sure you have permission to access the agent." in res["message"], res
 
         res = delete_agent(HttpApiAuth, "invalid-agent-id")
         assert res["code"] == 103, res
-        assert "Only owner of canvas authorized" in res["message"], res
+        assert "Only the owner of the agent is authorized for this operation." in res["message"], res