Fix: validate memory tenant model IDs on update and enforce tenant scope in memory pipeline (#14923)

### Related issues

Closes #14922

### What problem does this PR solve?

`POST /memories` already resolves `tenant_llm_id` and `tenant_embd_id`
through `ensure_tenant_model_id_for_params`, but `PUT
/memories/<memory_id>` accepted client-supplied `tenant_llm_id` /
`tenant_embd_id` without checking that those `tenant_llm` rows belong to
the memory owner’s tenant. A caller could persist another tenant’s row
IDs and later trigger extraction or embedding that loaded foreign model
credentials via `get_model_config_by_id(tenant_model_id)` with no tenant
allow-list.

This change aligns the update path with create: updates that change
models must go through `llm_id` / `embd_id` and
`ensure_tenant_model_id_for_params` scoped to the **memory’s**
`tenant_id` (not only the current user, so team-access cases stay
correct). Direct `tenant_*` fields in the body without `llm_id` /
`embd_id` are rejected. As defense in depth, `memory_message_service`
passes `allowed_tenant_ids` / `requester_tenant_id` into
`get_model_config_by_id` for LLM and embedding resolution so mismatched
IDs cannot be used even if bad data existed. A regression test rejects
payloads that set only `tenant_llm_id` / `tenant_embd_id`.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)

---------

Co-authored-by: jony376 <jony376@gmail.com>
This commit is contained in:
jony376
2026-05-19 05:11:46 +03:00
committed by GitHub
parent b69a6a5d80
commit 198f3c4b9a
3 changed files with 54 additions and 13 deletions

View File

@@ -106,6 +106,14 @@ class TestMemoryUpdate:
assert res["code"] == 0, res
assert res["data"]["llm_id"] == llm_id, res
@pytest.mark.p2
def test_reject_direct_tenant_model_ids(self, WebApiAuth, add_memory_func):
memory_ids = add_memory_func
payload = {"tenant_llm_id": 999999, "tenant_embd_id": 999998}
res = update_memory(WebApiAuth, memory_ids[0], payload)
assert res["code"] == 101, res
assert "Do not set tenant_llm_id or tenant_embd_id directly" in res["message"], res
@pytest.mark.p2
@pytest.mark.parametrize(
"permission",