[sync] feat: add user info popover and Bot badge in grid user cell (T2782) (#2975)

Synced from teableio/teable-ee@6486d30

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Aries X <caoxing9@gmail.com>
Co-authored-by: Boris <boris2code@outlook.com>
Co-authored-by: Gary Guangyu Li <gary@teable.ai>
Co-authored-by: Jocky-Teable <jocky@teable.ai>
Co-authored-by: Jun Lu <hammond@teable.io>
Co-authored-by: SkyHuang <sky.huang.fe@gmail.com>
Co-authored-by: Uno <uno@teable.ai>
Co-authored-by: nichenqin <nichenqin@hotmail.com>

Author: 10 people

apps/nestjs-backend/package.json

@@ -220,6 +220,7 @@
     "is-port-reachable": "3.1.0",
     "joi": "17.12.2",
     "jschardet": "3.1.3",
+    "kysely": "0.28.9",
     "keyv": "4.5.4",
     "knex": "3.1.0",
     "lodash": "4.17.21",
@@ -241,6 +242,7 @@
     "oauth2orize-pkce": "0.1.2",
     "object-sizeof": "2.6.4",
     "ollama-ai-provider-v2": "3.0.2",
+    "p-limit": "3.1.0",
     "papaparse": "5.4.1",
     "passport": "0.7.0",
     "passport-github2": "0.1.12",

apps/nestjs-backend/src/cache/redis-native.service.ts

@@ -76,6 +76,17 @@ export class RedisNativeService {
     return this.client.hget(key, field);
   }
 
+  /**
+   * Get multiple field values from a hash in a single round-trip.
+   * @param key - Redis hash key
+   * @param fields - Field names to fetch
+   * @returns Array of values in the same order as fields (null for missing fields)
+   */
+  async hmget(key: string, ...fields: string[]): Promise<(string | null)[]> {
+    if (fields.length === 0) return [];
+    return this.client.hmget(key, ...fields);
+  }
+
   /**
    * Delete one or more fields from a hash. No-op if fields list is empty.
    * @param key - Redis hash key
@@ -96,6 +107,16 @@ export class RedisNativeService {
     await this.client.expire(key, seconds);
   }
 
+  /**
+   * Get remaining TTL (in seconds) for a key.
+   * Redis semantics:
+   * - -2: key does not exist
+   * - -1: key exists but has no associated expire
+   */
+  async ttl(key: string): Promise<number> {
+    return this.client.ttl(key);
+  }
+
   /**
    * Delete a key.
    * @param key - Redis key to delete

apps/nestjs-backend/src/db-provider/formula-default-unit.spec.ts

@@ -0,0 +1,54 @@
+import { TableDomain } from '@teable/core';
+import knex from 'knex';
+import { describe, expect, it } from 'vitest';
+import type { IFieldSelectName } from '../features/record/query-builder/field-select.type';
+import type { ISelectFormulaConversionContext } from '../features/record/query-builder/sql-conversion.visitor';
+import { PostgresProvider } from './postgres.provider';
+import { SqliteProvider } from './sqlite.provider';
+
+const emptyTable = new TableDomain({
+  id: 'tblFormulaUnit',
+  name: 'Formula Unit',
+  dbTableName: 'public.tbl_formula_unit',
+  lastModifiedTime: '2026-04-08T00:00:00.000Z',
+  fields: [],
+});
+
+const toSql = (result: IFieldSelectName) => {
+  return typeof result === 'string' ? result : result.toQuery();
+};
+
+const context: ISelectFormulaConversionContext = {
+  table: emptyTable,
+  selectionMap: new Map(),
+  tableAlias: 'main',
+  timeZone: 'UTC',
+};
+
+describe('convertFormulaToSelectQuery DATETIME_DIFF defaults', () => {
+  it('defaults DATETIME_DIFF to seconds for postgres select queries', () => {
+    const provider = new PostgresProvider(knex({ client: 'pg' }));
+    const sql = toSql(
+      provider.convertFormulaToSelectQuery(
+        `DATETIME_DIFF(DATETIME_PARSE("2024-01-03T00:00:00.000Z"), DATETIME_PARSE("2024-01-01T00:00:00.000Z"))`,
+        context
+      )
+    );
+
+    expect(sql).toContain('EXTRACT(EPOCH');
+    expect(sql).not.toContain('/ 86400');
+  });
+
+  it('defaults DATETIME_DIFF to seconds for sqlite select queries', () => {
+    const provider = new SqliteProvider(knex({ client: 'sqlite3' }));
+    const sql = toSql(
+      provider.convertFormulaToSelectQuery(
+        `DATETIME_DIFF(DATETIME_PARSE("2024-01-03T00:00:00.000Z"), DATETIME_PARSE("2024-01-01T00:00:00.000Z"))`,
+        context
+      )
+    );
+
+    expect(sql).toContain('* 24.0 * 60 * 60');
+    expect(sql).not.toContain('/ 86400');
+  });
+});

apps/nestjs-backend/src/event-emitter/events/event.enum.ts

@@ -102,4 +102,16 @@ export enum Events {
 
   // record source
   TABLE_RECORD_CREATE_RELATIVE = 'table.record.create.relative',
+
+  // Invitation funnel
+  INVITATION_EMAIL_SEND = 'invitation.email.send',
+  INVITATION_LINK_CREATE = 'invitation.link.create',
+  INVITATION_ACCEPT = 'invitation.accept',
+
+  // Access token lifecycle
+  ACCESS_TOKEN_CREATE = 'access-token.create',
+  ACCESS_TOKEN_DELETE = 'access-token.delete',
+
+  // Table export
+  TABLE_EXPORT = 'table.export',
 }

apps/nestjs-backend/src/features/access-token/access-token.controller.ts

@@ -15,6 +15,8 @@ import {
   updateAccessTokenRoSchema,
   RefreshAccessTokenRo,
 } from '@teable/openapi';
+import { EmitControllerEvent } from '../../event-emitter/decorators/emit-controller-event.decorator';
+import { Events } from '../../event-emitter/events';
 import { ZodValidationPipe } from '../../zod.validation.pipe';
 import { AccessTokenService } from './access-token.service';
 
@@ -23,6 +25,7 @@ export class AccessTokenController {
   constructor(private readonly accessTokenService: AccessTokenService) {}
 
   @Post()
+  @EmitControllerEvent(Events.ACCESS_TOKEN_CREATE)
   async createAccessToken(
     @Body(new ZodValidationPipe(createAccessTokenRoSchema)) body: CreateAccessTokenRo
   ): Promise<CreateAccessTokenVo> {
@@ -38,6 +41,7 @@ export class AccessTokenController {
   }
 
   @Delete(':accessTokenId')
+  @EmitControllerEvent(Events.ACCESS_TOKEN_DELETE)
   async deleteAccessToken(@Param('accessTokenId') accessTokenId: string) {
     return await this.accessTokenService.deleteAccessToken(accessTokenId);
   }

apps/nestjs-backend/src/features/ai/ai.service.ts

@@ -63,6 +63,27 @@ export class AiService {
     return { type, model, name };
   }
 
+  /**
+   * Resolve the model key by matching a body model ID against chatModel lg/md/sm values.
+   * Model keys are in format type@modelId@name — we compare the modelId segment.
+   * Falls back to lg if no match is found.
+   */
+  public resolveModelKeyFromBody(
+    chatModel: { lg?: string; md?: string; sm?: string } | undefined,
+    bodyModel?: string
+  ): string | undefined {
+    if (bodyModel) {
+      const sizes = ['lg', 'md', 'sm'] as const;
+      for (const size of sizes) {
+        const key = chatModel?.[size];
+        if (key && this.parseModelKey(key).model === bodyModel) {
+          return key;
+        }
+      }
+    }
+    return chatModel?.lg;
+  }
+
   /**
    * Check if modelKey is an AI Gateway model
    * Format: aiGateway@<modelId>@teable
@@ -304,7 +325,6 @@ export class AiService {
           lg: lg,
           ability,
         },
-        isSpaceChatModel: Boolean(aiIntegrationConfig.chatModel?.lg),
       } as IAIConfig;
     }
 
@@ -359,20 +379,6 @@ export class AiService {
     };
   }
 
-  async getToolApiKeys(baseId: string) {
-    const { appConfig } = await this.settingService.getSetting([SettingKey.APP_CONFIG]);
-    const { spaceId } = await this.prismaService.base.findUniqueOrThrow({
-      where: { id: baseId },
-    });
-    const aiIntegration = await this.prismaService.integration.findFirst({
-      where: { resourceId: spaceId, type: IntegrationType.AI },
-    });
-    const aiIntegrationConfig = aiIntegration?.config ? JSON.parse(aiIntegration.config) : null;
-    return {
-      v0ApiKey: aiIntegrationConfig?.appConfig?.apiKey || appConfig?.apiKey,
-    };
-  }
-
   async getSimplifiedAIConfig(baseId: string) {
     try {
       const config = await this.getAIConfig(baseId);
@@ -554,6 +560,8 @@ export class AiService {
       ability: chatModel?.ability,
       isInstance,
       lgModelKey: chatModel.lg,
+      mdModelKey: chatModel.md,
+      smModelKey: chatModel.sm,
     };
   }
 
@@ -696,13 +704,14 @@ export class AiService {
    */
   private async getGatewayApiModel(modelId: string): Promise<IGatewayApiModel | undefined> {
     const models = await this.fetchGatewayModelsFromApi();
+    const normalize = (s: string) =>
+      s.split('/').pop()!.replaceAll('.', '').replaceAll('-', '').toLowerCase();
+    const stripDateSuffix = (s: string) => s.replace(/\d{8,}$/, '');
     return models.find((m) => {
-      const modelIdParts = modelId.split('/');
-      const normalizedModelId = modelIdParts[modelIdParts.length - 1]
-        .replaceAll('.', '')
-        .replaceAll('-', '');
-      const normalizedGatewayModelId = m.id.replaceAll('.', '').replaceAll('-', '').split('/')?.[1];
-      return normalizedGatewayModelId?.toLowerCase() === normalizedModelId?.toLowerCase();
+      const a = normalize(modelId);
+      const b = normalize(m.id);
+      if (a === b) return true;
+      return stripDateSuffix(a) === stripDateSuffix(b);
     });
   }
 

apps/nestjs-backend/src/features/ai/util.ts

@@ -88,6 +88,28 @@ const createOpenAICompatibleWrapper = (
   });
 };
 
+const createClaudeCodeWrapper = (
+  options: Parameters<typeof createAnthropic>[0]
+): ReturnType<typeof createAnthropic> => {
+  const baseFetch = createFixingFetch();
+  const claudeCodeDefaultUa = 'claude-cli/2.1.71 (external, cli)';
+  return createAnthropic({
+    ...options,
+    fetch: async (input, init) => {
+      const initHeaders = (init?.headers ?? {}) as Record<string, string>;
+      const ua = initHeaders['user-agent'];
+      return baseFetch(input, {
+        ...init,
+        headers: {
+          ...init?.headers,
+          // eslint-disable-next-line @typescript-eslint/naming-convention
+          'user-agent': ua?.includes('claude-cli') ? ua : claudeCodeDefaultUa,
+        },
+      });
+    },
+  });
+};
+
 export const modelProviders = {
   [LLMProviderType.OPENAI]: createOpenAI,
   [LLMProviderType.ANTHROPIC]: createAnthropic,
@@ -105,6 +127,7 @@ export const modelProviders = {
   [LLMProviderType.AMAZONBEDROCK]: createAmazonBedrock,
   [LLMProviderType.OPENROUTER]: createOpenRouter,
   [LLMProviderType.OPENAI_COMPATIBLE]: createOpenAICompatibleWrapper,
+  [LLMProviderType.CLAUDE_CODE]: createClaudeCodeWrapper,
   // AI_GATEWAY is handled separately in ai.service.ts using createGateway from 'ai'
 } as const;
 

apps/nestjs-backend/src/features/auth/auth.service.ts

@@ -39,11 +39,11 @@ export class AuthService {
     }
   }
 
-  async getTempToken() {
+  async getTempToken(expiresIn: string = '10m', userId?: string, allowSystemUser?: boolean) {
     const payload: IJwtAuthInfo = {
-      userId: this.cls.get('user.id'),
+      userId: userId ?? this.cls.get('user.id'),
+      ...(allowSystemUser ? { allowSystemUser: true } : {}),
     };
-    const expiresIn = '10m';
     return {
       accessToken: await this.jwtService.signAsync(payload, { expiresIn }),
       expiresTime: new Date(Date.now() + ms(expiresIn)).toISOString(),

apps/nestjs-backend/src/features/auth/guard/permission.guard.ts

@@ -1,7 +1,7 @@
 import type { ExecutionContext } from '@nestjs/common';
 import { ForbiddenException, Injectable, Logger, UnauthorizedException } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
-import { ANONYMOUS_USER_ID, HttpErrorCode, isAnonymous, type Action } from '@teable/core';
+import { ANONYMOUS_USER_ID, HttpErrorCode, IdPrefix, isAnonymous, type Action } from '@teable/core';
 import cookie from 'cookie';
 import { ClsService } from 'nestjs-cls';
 import { CustomHttpException } from '../../../custom.exception';
@@ -155,12 +155,15 @@ export class PermissionGuard {
       resourceId,
       permissions
     );
-    // Set user to anonymous for share context
-    this.cls.set('user', {
-      id: ANONYMOUS_USER_ID,
-      name: ANONYMOUS_USER_ID,
-      email: '',
-    });
+    // Preserve logged-in user identity for allowEdit; fall back to anonymous
+    const currentUserId = this.cls.get('user.id');
+    if (!currentUserId || isAnonymous(currentUserId)) {
+      this.cls.set('user', {
+        id: ANONYMOUS_USER_ID,
+        name: ANONYMOUS_USER_ID,
+        email: '',
+      });
+    }
     this.cls.set('permissions', ownPermissions);
     return true;
   }
@@ -297,6 +300,22 @@ export class PermissionGuard {
     if (!shareId) {
       return undefined;
     }
+    // Skip share path for endpoints without @Permissions (e.g. /user/me),
+    // otherwise baseSharePermissionCheck throws ForbiddenException.
+    const permissions = this.reflector.getAllAndOverride<Action[] | undefined>(PERMISSIONS_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+    if (!permissions?.length) {
+      return undefined;
+    }
+    // Skip share check when the target resource is outside the share scope.
+    // e.g. space-level endpoints (GET /space, POST /share/:id/base/copy with spaceId in body)
+    // should use the user's own permissions, not the share's.
+    const resourceId = this.getResourceId(context) || this.defaultResourceId(context);
+    if (!resourceId || resourceId.startsWith(IdPrefix.Space)) {
+      return undefined;
+    }
     return await this.baseSharePermissionCheck(context, shareId);
   }
 
@@ -383,9 +402,10 @@ export class PermissionGuard {
    *
    * Priority flow:
    *   1. RESOURCE-level: exclusively use resource-specific auth (base share > template)
-   *   2. Early base share check for PUBLIC or anonymous requests when header is present
+   *   2. Share link check — when share header is present, share permissions are the ceiling
+   *      for ALL users (anonymous or authenticated), so personal role never exceeds the link
    *   3. Anonymous user handling (template / USER-level)
-   *   4. Authenticated user: standard check, with fallback for PUBLIC endpoints
+   *   4. Authenticated user: standard check, with PUBLIC fallback
    */
   protected async permissionCheckWithPublicFallback(
     context: ExecutionContext,
@@ -406,10 +426,8 @@ export class PermissionGuard {
       // No valid resource auth header — fall through to normal checks
     }
 
-    // 2. Early base share check for PUBLIC or anonymous requests
-    const shouldTryBaseShareEarly =
-      baseShareHeader && (allowAnonymousType === AllowAnonymousType.PUBLIC || this.isAnonymous());
-    if (shouldTryBaseShareEarly) {
+    // 2. Share link — permissions are bounded by the link, regardless of user role
+    if (baseShareHeader) {
       const result = await this.tryBaseSharePermissionCheck(context, baseShareHeader);
       if (result !== undefined) return result;
     }
@@ -419,7 +437,7 @@ export class PermissionGuard {
       return this.resolveAnonymousPermission(context, allowAnonymousType);
     }
 
-    // 4. Authenticated user: standard check, with fallback for PUBLIC endpoints
+    // 4. Authenticated user: standard check, with PUBLIC fallback
     try {
       return await permissionCheck();
     } catch (error) {