feat: add admin permission checks for Python and Shell execution (#5214)

Author: Soulter

astrbot/core/computer/tools/python.py

@@ -26,6 +26,21 @@
 }
 
 
+def _check_admin_permission(context: ContextWrapper[AstrAgentContext]) -> str | None:
+    cfg = context.context.context.get_config(
+        umo=context.context.event.unified_msg_origin
+    )
+    provider_settings = cfg.get("provider_settings", {})
+    require_admin = provider_settings.get("computer_use_require_admin", True)
+    if require_admin and context.context.event.role != "admin":
+        return (
+            "error: Permission denied. Python execution is only allowed for admin users. "
+            "Tell user to set admins in `AstrBot WebUI -> Config -> General Config` by adding their user ID to the admins list if they need this feature."
+            f"User's ID is: {context.context.event.get_sender_id()}. User's ID can be found by using /sid command."
+        )
+    return None
+
+
 async def handle_result(result: dict, event: AstrMessageEvent) -> ToolExecResult:
     data = result.get("data", {})
     output = data.get("output", {})
@@ -66,6 +81,8 @@ class PythonTool(FunctionTool):
     async def call(
         self, context: ContextWrapper[AstrAgentContext], code: str, silent: bool = False
     ) -> ToolExecResult:
+        if permission_error := _check_admin_permission(context):
+            return permission_error
         sb = await get_booter(
             context.context.context,
             context.context.event.unified_msg_origin,
@@ -87,12 +104,8 @@ class LocalPythonTool(FunctionTool):
     async def call(
         self, context: ContextWrapper[AstrAgentContext], code: str, silent: bool = False
     ) -> ToolExecResult:
-        if context.context.event.role != "admin":
-            return (
-                "error: Permission denied. Local Python execution is only allowed for admin users. "
-                "Tell user to set admins in `AstrBot WebUI -> Config -> General Config` by adding their user ID to the admins list if they need this feature."
-                f"User's ID is: {context.context.event.get_sender_id()}. User's ID can be found by using /sid command."
-            )
+        if permission_error := _check_admin_permission(context):
+            return permission_error
         sb = get_local_booter()
         try:
             result = await sb.python.exec(code, silent=silent)

astrbot/core/computer/tools/shell.py

@@ -9,6 +9,21 @@
 from ..computer_client import get_booter, get_local_booter
 
 
+def _check_admin_permission(context: ContextWrapper[AstrAgentContext]) -> str | None:
+    cfg = context.context.context.get_config(
+        umo=context.context.event.unified_msg_origin
+    )
+    provider_settings = cfg.get("provider_settings", {})
+    require_admin = provider_settings.get("computer_use_require_admin", True)
+    if require_admin and context.context.event.role != "admin":
+        return (
+            "error: Permission denied. Shell execution is only allowed for admin users. "
+            "Tell user to set admins in `AstrBot WebUI -> Config -> General Config` by adding their user ID to the admins list if they need this feature."
+            f"User's ID is: {context.context.event.get_sender_id()}. User's ID can be found by using /sid command."
+        )
+    return None
+
+
 @dataclass
 class ExecuteShellTool(FunctionTool):
     name: str = "astrbot_execute_shell"
@@ -46,12 +61,8 @@ async def call(
         background: bool = False,
         env: dict = {},
     ) -> ToolExecResult:
-        if context.context.event.role != "admin":
-            return (
-                "error: Permission denied. Local shell execution is only allowed for admin users. "
-                "Tell user to set admins in `AstrBot WebUI -> Config -> General Config` by adding their user ID to the admins list if they need this feature."
-                f"User's ID is: {context.context.event.get_sender_id()}. User's ID can be found by using /sid command."
-            )
+        if permission_error := _check_admin_permission(context):
+            return permission_error
 
         if self.is_local:
             sb = get_local_booter()

astrbot/core/config/default.py

@@ -128,6 +128,7 @@
             "add_cron_tools": True,
         },
         "computer_use_runtime": "local",
+        "computer_use_require_admin": True,
         "sandbox": {
             "booter": "shipyard",
             "shipyard_endpoint": "",
@@ -2737,6 +2738,11 @@ class ChatProviderTemplate(TypedDict):
                         "labels": ["无", "本地", "沙箱"],
                         "hint": "选择 Computer Use 运行环境。",
                     },
+                    "provider_settings.computer_use_require_admin": {
+                        "description": "需要 AstrBot 管理员权限",
+                        "type": "bool",
+                        "hint": "开启后，需要 AstrBot 管理员权限才能调用使用电脑能力。在平台配置->管理员中可添加管理员。使用 /sid 指令查看管理员 ID。",
+                    },
                     "provider_settings.sandbox.booter": {
                         "description": "沙箱环境驱动器",
                         "type": "string",

dashboard/src/i18n/locales/en-US/features/config-metadata.json

@@ -149,6 +149,10 @@
           "description": "Computer Use Runtime",
           "hint": "sandbox means running in a sandbox environment, local means running in a local environment, none means disabling Computer Use. If skills are uploaded, choosing none will cause them to not be usable by the Agent."
         },
+        "computer_use_require_admin": {
+          "description": "Require AstrBot Admin Permission",
+          "hint": "When enabled, AstrBot admin permission is required to use computer capabilities. Admins can be added in Platform Config. Use the /sid command to view admin IDs."
+        },
         "sandbox": {
           "booter": {
             "description": "Sandbox Environment Driver"

dashboard/src/i18n/locales/zh-CN/features/config-metadata.json

@@ -152,6 +152,10 @@
           "description": "运行环境",
           "hint": "sandbox 代表在沙箱环境中运行, local 代表在本地环境中运行, none 代表不启用。如果上传了 skills，选择 none 会导致其无法被 Agent 正常使用。"
         },
+        "computer_use_require_admin": {
+          "description": "需要 AstrBot 管理员权限",
+          "hint": "开启后，需要 AstrBot 管理员权限才能调用使用电脑能力。在平台配置->管理员中可添加管理员。使用 /sid 指令查看管理员 ID。"
+        },
         "sandbox": {
           "booter": {
             "description": "沙箱环境驱动器"