mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-06-29 23:41:12 +08:00
fix(api): restore accessible check on document preview (#15505)
Restore `DocumentService.accessible` on `GET
/api/v1/documents/{doc_id}/preview` so cross-tenant users cannot stream
documents by UUID.
Fixes #15501
### What problem does this PR solve?
PR #15146 (`71a52d579`) moved the agent attachment download route and
accidentally removed the `DocumentService.accessible(doc_id,
current_user.id)` guard from the REST preview handler. The endpoint
still requires login, but any authenticated user who knows another
tenant's `doc_id` can download the raw file bytes.
This restores the same authorization check that existed before #15146,
returning a generic `"Document not found!"` when access is denied (no
cross-tenant ID enumeration). SDK download routes tracked in #15125 are
unchanged.
### Type of change
- [x] Bug Fix (non-breaking change which fixes an issue)
This commit is contained in:
@@ -1919,6 +1919,8 @@ async def get(doc_id):
|
||||
enumeration.
|
||||
"""
|
||||
try:
|
||||
if not DocumentService.accessible(doc_id, current_user.id):
|
||||
return get_data_error_result(message="Document not found!")
|
||||
|
||||
e, doc = DocumentService.get_by_id(doc_id)
|
||||
if not e:
|
||||
|
||||
Reference in New Issue
Block a user