arize-phoenix 12.4.0__py3-none-any.whl → 12.5.0__py3-none-any.whl

phoenix/server/api/mutations/span_annotations_mutations.py

@@ -7,7 +7,7 @@ from starlette.requests import Request
 from strawberry import UNSET, Info
 
 from phoenix.db import models
-from phoenix.server.api.auth import IsLocked, IsNotReadOnly
+from phoenix.server.api.auth import IsLocked, IsNotReadOnly, IsNotViewer
 from phoenix.server.api.context import Context
 from phoenix.server.api.exceptions import BadRequest, NotFound, Unauthorized
 from phoenix.server.api.helpers.annotations import get_user_identifier
@@ -34,7 +34,7 @@ class SpanAnnotationMutationPayload:
 
 @strawberry.type
 class SpanAnnotationMutationMixin:
-    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsLocked])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer, IsLocked])  # type: ignore
     async def create_span_annotations(
         self, info: Info[Context, None], input: list[CreateSpanAnnotationInput]
     ) -> SpanAnnotationMutationPayload:
@@ -148,7 +148,7 @@ class SpanAnnotationMutationMixin:
             query=Query(),
         )
 
-    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsLocked])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer, IsLocked])  # type: ignore
     async def create_span_note(
         self, info: Info[Context, None], annotation_input: CreateSpanNoteInput
     ) -> SpanAnnotationMutationPayload:
@@ -191,7 +191,7 @@ class SpanAnnotationMutationMixin:
             query=Query(),
         )
 
-    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsLocked])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer, IsLocked])  # type: ignore
     async def patch_span_annotations(
         self, info: Info[Context, None], input: list[PatchAnnotationInput]
     ) -> SpanAnnotationMutationPayload:
@@ -268,7 +268,7 @@ class SpanAnnotationMutationMixin:
             query=Query(),
         )
 
-    @strawberry.mutation(permission_classes=[IsNotReadOnly])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer])  # type: ignore
     async def delete_span_annotations(
         self, info: Info[Context, None], input: DeleteAnnotationsInput
     ) -> SpanAnnotationMutationPayload:

phoenix/server/api/mutations/trace_annotations_mutations.py

@@ -6,7 +6,7 @@ from starlette.requests import Request
 from strawberry import UNSET, Info
 
 from phoenix.db import models
-from phoenix.server.api.auth import IsLocked, IsNotReadOnly
+from phoenix.server.api.auth import IsLocked, IsNotReadOnly, IsNotViewer
 from phoenix.server.api.context import Context
 from phoenix.server.api.exceptions import BadRequest, NotFound, Unauthorized
 from phoenix.server.api.helpers.annotations import get_user_identifier
@@ -29,7 +29,7 @@ class TraceAnnotationMutationPayload:
 
 @strawberry.type
 class TraceAnnotationMutationMixin:
-    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsLocked])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer, IsLocked])  # type: ignore
     async def create_trace_annotations(
         self, info: Info[Context, None], input: list[CreateTraceAnnotationInput]
     ) -> TraceAnnotationMutationPayload:
@@ -120,7 +120,7 @@ class TraceAnnotationMutationMixin:
             query=Query(),
         )
 
-    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsLocked])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer, IsLocked])  # type: ignore
     async def patch_trace_annotations(
         self, info: Info[Context, None], input: list[PatchAnnotationInput]
     ) -> TraceAnnotationMutationPayload:
@@ -195,7 +195,7 @@ class TraceAnnotationMutationMixin:
             query=Query(),
         )
 
-    @strawberry.mutation(permission_classes=[IsNotReadOnly])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer])  # type: ignore
     async def delete_trace_annotations(
         self, info: Info[Context, None], input: DeleteAnnotationsInput
     ) -> TraceAnnotationMutationPayload:

phoenix/server/api/mutations/trace_mutations.py

@@ -6,7 +6,7 @@ from strawberry.relay import GlobalID
 from strawberry.types import Info
 
 from phoenix.db import models
-from phoenix.server.api.auth import IsNotReadOnly
+from phoenix.server.api.auth import IsNotReadOnly, IsNotViewer
 from phoenix.server.api.context import Context
 from phoenix.server.api.exceptions import BadRequest
 from phoenix.server.api.queries import Query
@@ -16,7 +16,7 @@ from phoenix.server.dml_event import SpanDeleteEvent
 
 @strawberry.type
 class TraceMutationMixin:
-    @strawberry.mutation(permission_classes=[IsNotReadOnly])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer])  # type: ignore
     async def delete_traces(
         self,
         info: Info[Context, None],
@@ -73,7 +73,7 @@ class TraceMutationMixin:
             info.context.event_queue.put(SpanDeleteEvent(project_ids))
         return Query()
 
-    @strawberry.mutation(permission_classes=[IsNotReadOnly])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer])  # type: ignore
     async def transfer_traces_to_project(
         self,
         info: Info[Context, None],

phoenix/server/api/mutations/user_mutations.py

@@ -27,7 +27,7 @@ from phoenix.auth import (
 )
 from phoenix.config import get_env_disable_basic_auth
 from phoenix.db import models
-from phoenix.server.api.auth import IsAdmin, IsLocked, IsNotReadOnly
+from phoenix.server.api.auth import IsAdmin, IsLocked, IsNotReadOnly, IsNotViewer
 from phoenix.server.api.context import Context
 from phoenix.server.api.exceptions import BadRequest, Conflict, NotFound, Unauthorized
 from phoenix.server.api.input_types.UserRoleInput import UserRoleInput
@@ -110,7 +110,7 @@ class UserMutationPayload:
 
 @strawberry.type
 class UserMutationMixin:
-    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsAdmin, IsLocked])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer, IsAdmin, IsLocked])  # type: ignore
     async def create_user(
         self,
         info: Info[Context, None],
@@ -157,7 +157,7 @@ class UserMutationMixin:
                 logger.error(f"Failed to send welcome email: {error}")
         return UserMutationPayload(user=to_gql_user(user))
 
-    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsAdmin])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer, IsAdmin])  # type: ignore
     async def patch_user(
         self,
         info: Info[Context, None],
@@ -174,6 +174,7 @@ class UserMutationMixin:
             if not (user := await session.scalar(_select_user_by_id(user_id))):
                 raise NotFound("User not found")
             stack.enter_context(session.no_autoflush)
+            should_log_out = False
             if input.new_role:
                 if user.email == DEFAULT_ADMIN_EMAIL:
                     raise Unauthorized("Cannot modify role for the default admin user")
@@ -183,6 +184,7 @@ class UserMutationMixin:
                 if user_role_id is None:
                     raise NotFound(f"Role {input.new_role.value} not found")
                 user.user_role_id = user_role_id
+                should_log_out = True
             if password := input.new_password:
                 if user.auth_method != "LOCAL":
                     raise Conflict("Cannot modify password for non-local user")
@@ -191,6 +193,7 @@ class UserMutationMixin:
                 user.password_salt = salt
                 user.password_hash = await info.context.hash_password(Secret(password), salt)
                 user.reset_password = True
+                should_log_out = True
             if username := input.new_username:
                 user.username = username
             assert user in session.dirty
@@ -199,7 +202,7 @@ class UserMutationMixin:
             except (PostgreSQLIntegrityError, SQLiteIntegrityError) as error:
                 raise Conflict(_user_operation_error_message(error, "modify"))
         assert user
-        if input.new_password:
+        if should_log_out:
             await info.context.log_out(user.id)
         return UserMutationPayload(user=to_gql_user(user))
 
@@ -245,7 +248,7 @@ class UserMutationMixin:
             response.delete_cookie(PHOENIX_ACCESS_TOKEN_COOKIE_NAME)
         return UserMutationPayload(user=to_gql_user(user))
 
-    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsAdmin, IsLocked])  # type: ignore
+    @strawberry.mutation(permission_classes=[IsNotReadOnly, IsNotViewer, IsAdmin, IsLocked])  # type: ignore
     async def delete_users(
         self,
         info: Info[Context, None],

phoenix/server/api/routers/auth.py

@@ -161,7 +161,7 @@ async def refresh_tokens(request: Request) -> Response:
         or (expiration_time := refresh_token_claims.expiration_time) is None
     ):
         raise HTTPException(status_code=401, detail="Invalid refresh token")
-    if expiration_time.timestamp() < datetime.now().timestamp():
+    if expiration_time.timestamp() <= datetime.now(timezone.utc).timestamp():
         raise HTTPException(status_code=401, detail="Expired refresh token")
     await token_store.revoke(refresh_token_id)
 
@@ -253,7 +253,7 @@ async def reset_password(request: Request) -> Response:
         not (token := data.get("token"))
         or not isinstance((claims := await token_store.read(token)), PasswordResetTokenClaims)
         or not claims.expiration_time
-        or claims.expiration_time < datetime.now(timezone.utc)
+        or claims.expiration_time <= datetime.now(timezone.utc)
     ):
         raise INVALID_TOKEN
     assert (user_id := claims.subject)

phoenix/server/api/routers/v1/__init__.py

@@ -1,7 +1,7 @@
 from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.security import APIKeyHeader
 
-from phoenix.server.bearer_auth import is_authenticated
+from phoenix.server.bearer_auth import PhoenixUser, is_authenticated
 
 from .annotation_configs import router as annotation_configs_router
 from .annotations import router as annotations_router
@@ -33,6 +33,20 @@ async def prevent_access_in_read_only_mode(request: Request) -> None:
         )
 
 
+async def restrict_access_by_viewers(request: Request) -> None:
+    """
+    Prevents access to the REST API for viewers, except for GET requests
+    and specific allowed POST routes.
+    """
+    if request.method == "GET":
+        return
+    if isinstance(request.user, PhoenixUser) and request.user.is_viewer:
+        raise HTTPException(
+            status_code=403,
+            detail="Viewers cannot perform this action.",
+        )
+
+
 def create_v1_router(authentication_enabled: bool) -> APIRouter:
     """
     Instantiates the v1 REST API router.
@@ -50,6 +64,7 @@ def create_v1_router(authentication_enabled: bool) -> APIRouter:
             )
         )
         dependencies.append(Depends(is_authenticated))
+        dependencies.append(Depends(restrict_access_by_viewers))
 
     router = APIRouter(
         prefix="/v1",

phoenix/server/api/routers/v1/annotation_configs.py

@@ -349,7 +349,13 @@ async def delete_annotation_config(
     request: Request,
     config_id: str = Path(..., description="ID of the annotation configuration"),
 ) -> DeleteAnnotationConfigResponseBody:
-    config_gid = GlobalID.from_id(config_id)
+    try:
+        config_gid = GlobalID.from_id(config_id)
+    except Exception:
+        raise HTTPException(
+            status_code=422,
+            detail=f"Invalid annotation configuration ID format: {config_id}",
+        )
     if config_gid.type_name not in (
         CategoricalAnnotationConfigType.__name__,
         ContinuousAnnotationConfigType.__name__,

phoenix/server/api/routers/v1/datasets.py

@@ -209,7 +209,13 @@ class GetDatasetResponseBody(ResponseBody[DatasetWithExampleCount]):
 async def get_dataset(
     request: Request, id: str = Path(description="The ID of the dataset")
 ) -> GetDatasetResponseBody:
-    dataset_id = GlobalID.from_id(id)
+    try:
+        dataset_id = GlobalID.from_id(id)
+    except Exception as e:
+        raise HTTPException(
+            detail=f"Invalid dataset ID format: {id}",
+            status_code=422,
+        ) from e
 
     if (type_name := dataset_id.type_name) != DATASET_NODE_NAME:
         raise HTTPException(detail=f"ID {dataset_id} refers to a f{type_name}", status_code=404)
@@ -400,7 +406,12 @@ async def upload_dataset(
         description="If true, fulfill request synchronously and return JSON containing dataset_id.",
     ),
 ) -> Optional[UploadDatasetResponseBody]:
-    request_content_type = request.headers["content-type"]
+    request_content_type = request.headers.get("content-type")
+    if not request_content_type:
+        raise HTTPException(
+            detail="Missing content-type header",
+            status_code=400,
+        )
     examples: Union[Examples, Awaitable[Examples]]
     if request_content_type.startswith("application/json"):
         try:
@@ -709,8 +720,24 @@ async def get_dataset_examples(
         ),
     ),
 ) -> ListDatasetExamplesResponseBody:
-    dataset_gid = GlobalID.from_id(id)
-    version_gid = GlobalID.from_id(version_id) if version_id else None
+    try:
+        dataset_gid = GlobalID.from_id(id)
+    except Exception as e:
+        raise HTTPException(
+            detail=f"Invalid dataset ID format: {id}",
+            status_code=422,
+        ) from e
+
+    if version_id:
+        try:
+            version_gid = GlobalID.from_id(version_id)
+        except Exception as e:
+            raise HTTPException(
+                detail=f"Invalid dataset version ID format: {version_id}",
+                status_code=422,
+            ) from e
+    else:
+        version_gid = None
 
     if (dataset_type := dataset_gid.type_name) != "Dataset":
         raise HTTPException(detail=f"ID {dataset_gid} refers to a {dataset_type}", status_code=404)
@@ -992,12 +1019,25 @@ def _get_content_jsonl_openai_evals(examples: list[models.DatasetExampleRevision
 async def _get_db_examples(
     *, session: Any, id: str, version_id: Optional[str]
 ) -> tuple[str, list[models.DatasetExampleRevision]]:
-    dataset_id = from_global_id_with_expected_type(GlobalID.from_id(id), DATASET_NODE_NAME)
+    try:
+        dataset_id = from_global_id_with_expected_type(GlobalID.from_id(id), DATASET_NODE_NAME)
+    except Exception as e:
+        raise HTTPException(
+            detail=f"Invalid dataset ID format: {id}",
+            status_code=422,
+        ) from e
+
     dataset_version_id: Optional[int] = None
     if version_id:
-        dataset_version_id = from_global_id_with_expected_type(
-            GlobalID.from_id(version_id), DATASET_VERSION_NODE_NAME
-        )
+        try:
+            dataset_version_id = from_global_id_with_expected_type(
+                GlobalID.from_id(version_id), DATASET_VERSION_NODE_NAME
+            )
+        except Exception as e:
+            raise HTTPException(
+                detail=f"Invalid dataset version ID format: {version_id}",
+                status_code=422,
+            ) from e
     latest_version = (
         select(
             models.DatasetExampleRevision.dataset_example_id,

phoenix/server/api/routers/v1/experiment_runs.py

@@ -159,7 +159,13 @@ async def list_experiment_runs(
         gt=0,
     ),
 ) -> ListExperimentRunsResponseBody:
-    experiment_gid = GlobalID.from_id(experiment_id)
+    try:
+        experiment_gid = GlobalID.from_id(experiment_id)
+    except Exception as e:
+        raise HTTPException(
+            detail=f"Invalid experiment ID format: {experiment_id}",
+            status_code=422,
+        ) from e
     try:
         experiment_rowid = from_global_id_with_expected_type(experiment_gid, "Experiment")
     except ValueError:

phoenix/server/api/routers/v1/experiments.py

@@ -104,7 +104,13 @@ async def create_experiment(
     request_body: CreateExperimentRequestBody,
     dataset_id: str = Path(..., title="Dataset ID"),
 ) -> CreateExperimentResponseBody:
-    dataset_globalid = GlobalID.from_id(dataset_id)
+    try:
+        dataset_globalid = GlobalID.from_id(dataset_id)
+    except Exception as e:
+        raise HTTPException(
+            detail=f"Invalid dataset ID format: {dataset_id}",
+            status_code=422,
+        ) from e
     try:
         dataset_rowid = from_global_id_with_expected_type(dataset_globalid, "Dataset")
     except ValueError:
@@ -117,6 +123,12 @@ async def create_experiment(
     if dataset_version_globalid_str is not None:
         try:
             dataset_version_globalid = GlobalID.from_id(dataset_version_globalid_str)
+        except Exception as e:
+            raise HTTPException(
+                detail=f"Invalid dataset version ID format: {dataset_version_globalid_str}",
+                status_code=422,
+            ) from e
+        try:
             dataset_version_id = from_global_id_with_expected_type(
                 dataset_version_globalid, "DatasetVersion"
             )
@@ -232,7 +244,13 @@ class GetExperimentResponseBody(ResponseBody[Experiment]):
     response_description="Experiment retrieved successfully",
 )
 async def get_experiment(request: Request, experiment_id: str) -> GetExperimentResponseBody:
-    experiment_globalid = GlobalID.from_id(experiment_id)
+    try:
+        experiment_globalid = GlobalID.from_id(experiment_id)
+    except Exception as e:
+        raise HTTPException(
+            detail=f"Invalid experiment ID format: {experiment_id}",
+            status_code=422,
+        ) from e
     try:
         experiment_rowid = from_global_id_with_expected_type(experiment_globalid, "Experiment")
     except ValueError:
@@ -282,7 +300,13 @@ async def list_experiments(
     request: Request,
     dataset_id: str = Path(..., title="Dataset ID"),
 ) -> ListExperimentsResponseBody:
-    dataset_gid = GlobalID.from_id(dataset_id)
+    try:
+        dataset_gid = GlobalID.from_id(dataset_id)
+    except Exception as e:
+        raise HTTPException(
+            detail=f"Invalid dataset ID format: {dataset_id}",
+            status_code=422,
+        ) from e
     try:
         dataset_rowid = from_global_id_with_expected_type(dataset_gid, "Dataset")
     except ValueError:
@@ -397,7 +421,13 @@ async def get_experiment_json(
     request: Request,
     experiment_id: str = Path(..., title="Experiment ID"),
 ) -> Response:
-    experiment_globalid = GlobalID.from_id(experiment_id)
+    try:
+        experiment_globalid = GlobalID.from_id(experiment_id)
+    except Exception as e:
+        raise HTTPException(
+            detail=f"Invalid experiment ID format: {experiment_id}",
+            status_code=422,
+        ) from e
     try:
         experiment_rowid = from_global_id_with_expected_type(experiment_globalid, "Experiment")
     except ValueError:
@@ -464,7 +494,13 @@ async def get_experiment_csv(
     request: Request,
     experiment_id: str = Path(..., title="Experiment ID"),
 ) -> Response:
-    experiment_globalid = GlobalID.from_id(experiment_id)
+    try:
+        experiment_globalid = GlobalID.from_id(experiment_id)
+    except Exception as e:
+        raise HTTPException(
+            detail=f"Invalid experiment ID format: {experiment_id}",
+            status_code=422,
+        ) from e
     try:
         experiment_rowid = from_global_id_with_expected_type(experiment_globalid, "Experiment")
     except ValueError:

phoenix/server/api/routers/v1/projects.py

@@ -9,7 +9,6 @@ from strawberry.relay import GlobalID
 from phoenix.config import DEFAULT_PROJECT_NAME
 from phoenix.db import models
 from phoenix.db.helpers import exclude_experiment_projects
-from phoenix.db.models import UserRoleName
 from phoenix.server.api.routers.v1.models import V1RoutesBaseModel
 from phoenix.server.api.routers.v1.utils import (
     PaginatedResponseBody,
@@ -18,7 +17,7 @@ from phoenix.server.api.routers.v1.utils import (
     add_errors_to_responses,
 )
 from phoenix.server.api.types.Project import Project as ProjectNodeType
-from phoenix.server.authorization import is_not_locked
+from phoenix.server.authorization import is_not_locked, require_admin
 
 router = APIRouter(tags=["projects"])
 
@@ -210,7 +209,7 @@ async def create_project(
 
 @router.put(
     "/projects/{project_identifier}",
-    dependencies=[Depends(is_not_locked)],
+    dependencies=[Depends(require_admin), Depends(is_not_locked)],
     operation_id="updateProject",
     summary="Update a project by ID or name",  # noqa: E501
     description="Update an existing project with new configuration. Project names cannot be changed. The project identifier is either project ID or project name. Note: When using a project name as the identifier, it cannot contain slash (/), question mark (?), or pound sign (#) characters.",  # noqa: E501
@@ -245,20 +244,6 @@ async def update_project(
     Raises:
         HTTPException: If the project identifier format is invalid or the project is not found.
     """  # noqa: E501
-    if request.app.state.authentication_enabled:
-        async with request.app.state.db() as session:
-            # Check if the user is an admin
-            stmt = (
-                select(models.UserRole.name)
-                .join(models.User)
-                .where(models.User.id == int(request.user.identity))
-            )
-            role_name: UserRoleName = await session.scalar(stmt)
-        if role_name != "ADMIN" and role_name != "SYSTEM":
-            raise HTTPException(
-                status_code=403,
-                detail="Only admins can update projects",
-            )
     async with request.app.state.db() as session:
         project = await _get_project_by_identifier(session, project_identifier)
 
@@ -272,6 +257,7 @@ async def update_project(
 
 @router.delete(
     "/projects/{project_identifier}",
+    dependencies=[Depends(require_admin)],
     operation_id="deleteProject",
     summary="Delete a project by ID or name",  # noqa: E501
     description="Delete an existing project and all its associated data. The project identifier is either project ID or project name. The default project cannot be deleted. Note: When using a project name as the identifier, it cannot contain slash (/), question mark (?), or pound sign (#) characters.",  # noqa: E501
@@ -305,20 +291,6 @@ async def delete_project(
     Raises:
         HTTPException: If the project identifier format is invalid, the project is not found, or it's the default project.
     """  # noqa: E501
-    if request.app.state.authentication_enabled:
-        async with request.app.state.db() as session:
-            # Check if the user is an admin
-            stmt = (
-                select(models.UserRole.name)
-                .join(models.User)
-                .where(models.User.id == int(request.user.identity))
-            )
-            role_name: UserRoleName = await session.scalar(stmt)
-        if role_name != "ADMIN" and role_name != "SYSTEM":
-            raise HTTPException(
-                status_code=403,
-                detail="Only admins can delete projects",
-            )
     async with request.app.state.db() as session:
         project = await _get_project_by_identifier(session, project_identifier)
 

phoenix/server/api/routers/v1/users.py

@@ -208,13 +208,6 @@ async def create_user(
             detail="Cannot create users with SYSTEM role",
         )
 
-    # TODO: Implement VIEWER role
-    if role == "VIEWER":
-        raise HTTPException(
-            status_code=400,
-            detail="VIEWER role not yet implemented",
-        )
-
     user: models.User
     if isinstance(user_data, LocalUserData):
         password = (user_data.password or secrets.token_hex()).strip()

phoenix/server/api/subscriptions.py

@@ -27,7 +27,7 @@ from phoenix.config import PLAYGROUND_PROJECT_NAME
 from phoenix.datetime_utils import local_now, normalize_datetime
 from phoenix.db import models
 from phoenix.db.helpers import insert_experiment_with_examples_snapshot
-from phoenix.server.api.auth import IsLocked, IsNotReadOnly
+from phoenix.server.api.auth import IsLocked, IsNotReadOnly, IsNotViewer
 from phoenix.server.api.context import Context
 from phoenix.server.api.exceptions import BadRequest, CustomGraphQLError, NotFound
 from phoenix.server.api.helpers.playground_clients import (
@@ -94,7 +94,7 @@ ChatStream: TypeAlias = AsyncGenerator[ChatCompletionSubscriptionPayload, None]
 
 @strawberry.type
 class Subscription:
-    @strawberry.subscription(permission_classes=[IsNotReadOnly, IsLocked])  # type: ignore
+    @strawberry.subscription(permission_classes=[IsNotReadOnly, IsNotViewer, IsLocked])  # type: ignore
     async def chat_completion(
         self, info: Info[Context, None], input: ChatCompletionInput
     ) -> AsyncIterator[ChatCompletionSubscriptionPayload]:
@@ -193,7 +193,7 @@ class Subscription:
         info.context.event_queue.put(SpanInsertEvent(ids=(playground_project_id,)))
         yield ChatCompletionSubscriptionResult(span=Span(span_rowid=db_span.id, db_span=db_span))
 
-    @strawberry.subscription(permission_classes=[IsNotReadOnly, IsLocked])  # type: ignore
+    @strawberry.subscription(permission_classes=[IsNotReadOnly, IsNotViewer, IsLocked])  # type: ignore
     async def chat_completion_over_dataset(
         self, info: Info[Context, None], input: ChatCompletionOverDatasetInput
     ) -> AsyncIterator[ChatCompletionSubscriptionPayload]: