Fix: remove duplicate document preview access check (#15625)

### What problem does this PR solve? remove duplicate document preview access check ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue)
2026-06-29 15:31:05 +08:00 · 2026-06-04 13:05:15 +08:00
parent 597ac1e900
commit c70f19e138
2 changed files with 0 additions and 246 deletions
--- a/api/apps/restful_apis/document_api.py
+++ b/api/apps/restful_apis/document_api.py
@@ -1925,18 +1925,6 @@ async def get(doc_id):
        e, doc = DocumentService.get_by_id(doc_id)
        if not e:
            return get_data_error_result(message="Document not found!")
-        if not DocumentService.accessible(doc_id, current_user.id):
-            # Issue #15501: PR #15146 dropped this check, letting any
-            # authenticated caller download any tenant's document bytes by
-            # guessing/knowing the doc_id. Return the same "Document not
-            # found!" shape used for missing docs so the response is
-            # indistinguishable to a cross-tenant probe (avoids ID
-            # enumeration).
-            logging.warning(
-                "Rejected /documents/<doc_id>/preview cross-tenant access: "
-                "caller_user=%s doc_id=%s", current_user.id, doc_id,
-            )
-            return get_data_error_result(message="Document not found!")

        b, n = File2DocumentService.get_storage_address(doc_id=doc_id)
        data = await thread_pool_exec(settings.STORAGE_IMPL.get, b, n)