mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-07-06 19:38:36 +08:00
fix(agent): enforce tenant ownership on agentbots completions/inputs (#15457)
### What problem does this PR solve? Fixes #15456. The SDK agent-bot routes `POST /api/v1/agentbots/<agent_id>/completions` and `GET /api/v1/agentbots/<agent_id>/inputs` (`api/apps/restful_apis/bot_api.py`) authenticate the caller with a beta API token — which only yields the caller's `tenant_id` — but then load and run the agent named in the URL **without verifying the agent belongs to the caller's tenant**. `UserCanvasService.get_agent_dsl_with_release` even accepts a `tenant_id` it never uses, and `begin_inputs` calls `get_by_id` directly. Any holder of a single valid beta token could therefore run another tenant's agent (leaking its DSL/prompts/tool config) or read another tenant's agent metadata and begin input form, just by substituting a victim `agent_id`. This PR adds the project's existing ownership gate, `UserCanvasService.accessible(agent_id, tenant_id)`, to both endpoints right after token authentication — mirroring the checks already enforced on the equivalent first-party routes in `api/apps/restful_apis/agent_api.py` (lines 75/578/775) and on the sibling `chatbot_completions` / `create_agent_session` / `delete_agent_session` handlers in the same file. On failure it returns the same `Can't find agent by ID: <id>` message already used by `begin_inputs`, so it does not reveal whether an `agent_id` exists in another tenant. Added a regression test (`test/unit_test/api/apps/restful_apis/test_agentbots_access_control.py`, following the existing stubbed-loader pattern from `test_get_agent_session.py`) asserting that an inaccessible `agent_id` is rejected before the agent is loaded (`begin_inputs`) or executed (`completions`), and that an accessible agent still proceeds. ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) - [ ] New Feature (non-breaking change which adds functionality) - [ ] Documentation Update - [ ] Refactoring - [ ] Performance Improvement - [ ] Other (please describe): --------- Co-authored-by: Zhichang Yu <yuzhichang@gmail.com>
This commit is contained in:
@@ -161,6 +161,14 @@ async def chatbots_inputs(dialog_id, tenant_id=None):
|
||||
async def agent_bot_completions(agent_id, tenant_id=None):
|
||||
req = await get_request_json()
|
||||
|
||||
if not await thread_pool_exec(UserCanvasService.accessible, agent_id, tenant_id):
|
||||
logger.warning(
|
||||
"agent_bot_completions access denied tenant_id=%s agent_id=%s",
|
||||
tenant_id,
|
||||
agent_id,
|
||||
)
|
||||
return get_error_data_result(message=f"Can't find agent by ID: {agent_id}")
|
||||
|
||||
if req.get("stream", True):
|
||||
async def stream():
|
||||
try:
|
||||
@@ -241,6 +249,14 @@ async def agent_bot_completions(agent_id, tenant_id=None):
|
||||
@login_required(auth_types=AUTH_BETA)
|
||||
@add_tenant_id_to_kwargs
|
||||
async def begin_inputs(agent_id, tenant_id=None):
|
||||
if not await thread_pool_exec(UserCanvasService.accessible, agent_id, tenant_id):
|
||||
logger.warning(
|
||||
"begin_inputs access denied tenant_id=%s agent_id=%s",
|
||||
tenant_id,
|
||||
agent_id,
|
||||
)
|
||||
return get_error_data_result(f"Can't find agent by ID: {agent_id}")
|
||||
|
||||
e, cvs = await thread_pool_exec(UserCanvasService.get_by_id, agent_id)
|
||||
if not e:
|
||||
return get_error_data_result(f"Can't find agent by ID: {agent_id}")
|
||||
|
||||
Reference in New Issue
Block a user