dify icon indicating copy to clipboard operation
dify copied to clipboard
Published 2 days ago verified publisher icon langgenius

Incorrect Dataset Ownership Assignment and Visibility in API

Open benjamin-mogensen opened this issue 9 months ago • 5 comments

Self Checks

  • [x] This is only for bug report, if you would like to ask a question, please head to Discussions.
  • [x] I have searched for existing issues search for existing issues, including closed ones.
  • [x] I confirm that I am using English to submit this report (我已阅读并同意 Language Policy).
  • [x] [FOR CHINESE USERS] 请务必使用英文提交 Issue,否则会被关闭。谢谢!:)
  • [x] Please do not modify this template :) and fill in all the required fields.

Dify version

0.15.3

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

  1. Create a workflow with an HTTP node that ingests some data in to a knowledge base setting the permissions to only_me

✔️ Expected Behavior

  1. When using the POST /datasets Knowledge API endpoint with the "permission": "only_me" parameter from within workflow:

    • The user executing the workflow should be recognized as the current user.
    • The dataset should be created with visibility restricted to that individual (i.e., the one running the workflow).
    • The dataset should be visible in the Knowledge Base tab for that user.

  2. When using the GET /datasets endpoint:

    • All datasets created by the current user should be included in the response, even if the "permission" is set to "only_me".

❌ Actual Behavior

  1. When calling POST /datasets with "permission": "only_me":

    • The dataset is incorrectly assigned to the owner of the workspace, rather than the user running the workflow.
    • As a result, "only me" refers to the workspace owner, not the actual API caller.
    • The dataset is successfully created (verified), but is not visible in the Knowledge Base tab for the user who created it.

  2. When calling GET /datasets:

    • Datasets created under the "only_me" permission with the incorrect ownership are not included in the response.
    • Attempting to create a new dataset with the same name results in an error stating that a dataset with this name already exists—this is correct, indicating the dataset does exist, but the API fails to expose it to the user.

benjamin-mogensen avatar Mar 27 '25 13:03 benjamin-mogensen

@guchenhe @crazywoola please see this bug we found, thanks.

benjamin-mogensen avatar Mar 27 '25 13:03 benjamin-mogensen 

"permission": "only_me"

Currently, only the owner can create API tokens, and all tokens are bound to the owner, not to individual users. Since there's no permission setting for who can create API tokens, they are all created under the owner account.

Although we are admins and have the same permissions as the owner within the knowledge base, only the owner has the ability to generate tokens. Members do not have these permissions.

We will refine this later.

crazywoola avatar Mar 27 '25 14:03 crazywoola 

"permission": "only_me"

Currently, only the owner can create API tokens, and all tokens are bound to the owner, not to individual users. Since there's no permission setting for who can create API tokens, they are all created under the owner account.

Although we are admins and have the same permissions as the owner within the knowledge base, only the owner has the ability to generate tokens. Members do not have these permissions.

We will refine this later.

Thanks @crazywoola appreciate the quick reply and the explanation.

benjamin-mogensen avatar Mar 27 '25 17:03 benjamin-mogensen

@crazywoola @Yawen-1010 any update on this one?

benjamin-mogensen avatar Apr 22 '25 11:04 benjamin-mogensen

Hi, @benjamin-mogensen. This issue is planned to be addressed through the design of a permissions system, which is part of the enterprise edition roadmap. It will require time for both design and development. Currently, there is no temporary solution available. We will refine this later in a future release. Thank you for your patience!

Yawen-1010 avatar Apr 25 '25 08:04 Yawen-1010

Hi, @benjamin-mogensen. I'm Dosu, and I'm helping the Dify team manage their backlog and am marking this issue as stale.

Issue Summary:

  • You reported that datasets created with "permission": "only_me" via the API are assigned to the workspace owner instead of the actual creator, causing visibility problems.
  • This happens because only the workspace owner can create API tokens, which are tied to the owner account; members cannot create tokens.
  • A permissions system redesign is planned for the enterprise edition to address this issue.
  • Currently, there is no temporary fix available.
  • I have acknowledged the problem and intend to refine it in a future release.

Next Steps:

  • Please let me know if this issue is still relevant with the latest version of Dify by commenting here to keep the discussion open.
  • Otherwise, this issue will be automatically closed in 15 days.

Thank you for your understanding and contribution!

dosubot[bot] avatar Aug 27 '25 16:08 dosubot[bot]