Fix IDOR: Add permission checks to file ancestry endpoints (#14725)

Close #14292 ## Issue File ancestry endpoints return folder metadata without validating tenant permissions, allowing any authenticated user to query arbitrary `file_id` values across tenant boundaries. ## Affected Endpoints - `GET /v1/file/parent_folder?file_id={file_id}` - `GET /v1/file/all_parent_folder?file_id={file_id}` - `GET /api/v1/files/{id}/ancestors` ## Root Cause These endpoints **skip the permission check** that other file operations (Delete, Download, Move) perform. ## Expected Permission Check All file operations should follow this 3-step validation: - Check file.tenant_id - Check if user_id belongs to this tenant (via user_tenant join table) - Check KB permission type (team permission) **Code reference:** This is implemented in `checkFileTeamPermission()` and used by Delete/Download/Move, but **missing** from GetParentFolder/GetAllParentFolders. ## Reproduction ```bash # User B (tenant: BBB) accessing User A's file (tenant: AAA) curl -H "Authorization: Bearer USER_B_TOKEN" \ "http://localhost:9384/v1/file/parent_folder?file_id=AAA_FILE_123" # Result: Returns User A's folder metadata ❌ # Expected: "No authorization." ✅ Fix Pass userID from handler to service and call checkFileTeamPermission() — same as Download/Delete/Move handlers. --------- Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
2026-06-29 23:41:12 +08:00 · 2026-05-09 16:03:23 +08:00
parent 6465753968
commit c11650bb4c
5 changed files with 54 additions and 24 deletions
--- a/test/testcases/test_web_api/test_file_app/test_file_routes_unit.py
+++ b/test/testcases/test_web_api/test_file_app/test_file_routes_unit.py
@@ -133,8 +133,8 @@ def _load_file_api_module(monkeypatch):
        True,
        SimpleNamespace(parent_id="bucket1", location="path1", name="doc.txt", type="doc"),
    )
-    file_api_service_mod.get_parent_folder = lambda _file_id: (True, {"parent_folder": {"id": "parent1"}})
-    file_api_service_mod.get_all_parent_folders = lambda _file_id: (True, {"parent_folders": [{"id": "root"}]})
+    file_api_service_mod.get_parent_folder = lambda _file_id, user_id=None: (True, {"parent_folder": {"id": "parent1"}})
+    file_api_service_mod.get_all_parent_folders = lambda _file_id, user_id=None: (True, {"parent_folders": [{"id": "root"}]})
    monkeypatch.setitem(sys.modules, "api.apps.services.file_api_service", file_api_service_mod)
    services_pkg.file_api_service = file_api_service_mod