feat: user isolation — ownership checks, is_global, per-user embeddings, private reports

- Add is_global column to adb_vector_configs and mcp_servers (schema + migration)
- Add _verify_config_access() and _verify_report_access() helpers
- Apply ownership checks to ~70 endpoints (OCI explore, actions, GenAI, MCP, ADB, reports, embeddings, terraform)
- Reports are 100% private (even admin can't see others')
- Add user_id to embedding metadata + filter in _vector_search/_vector_search_multi
- Remove cross-user ADB fallback in _get_active_adb_configs
- Add auth (token query param) to report HTML and compliance report iframes
- Audit log: admin sees all, user/viewer sees only own
- Embedding task status mapped to user
- Frontend: GLOBAL badge on ADB/MCP configs, hide edit/delete for non-admin on global resources
- Export/import includes is_global field
This commit is contained in:
nogueiraguh
2026-04-01 01:05:54 -03:00
parent 1b3c02d10b
commit bc7024c95d
4 changed files with 282 additions and 85 deletions

View File

@@ -127,9 +127,15 @@ export const reportsApi = {
summary: (rid: string) =>
client.get(`/reports/${rid}/summary`) as unknown as Promise<ReportSummary>,
htmlUrl: (rid: string) => `/api/reports/${rid}/html?_t=${Date.now()}`,
htmlUrl: (rid: string) => {
const token = localStorage.getItem('t') || '';
return `/api/reports/${rid}/html?token=${encodeURIComponent(token)}&_t=${Date.now()}`;
},
complianceReportUrl: (rid: string) => `/api/reports/${rid}/compliance-report?_t=${Date.now()}`,
complianceReportUrl: (rid: string) => {
const token = localStorage.getItem('t') || '';
return `/api/reports/${rid}/compliance-report?token=${encodeURIComponent(token)}&_t=${Date.now()}`;
},
generateComplianceReport: (rid: string) =>
client.post(`/reports/${rid}/compliance-report/generate`) as unknown as Promise<{ status: string; has_rag: boolean }>,