From d26d7994679b1492591e47576f4db3bc9bb94e13 Mon Sep 17 00:00:00 2001
From: kpdev <156195510+kiannidev@users.noreply.github.com>
Date: Wed, 3 Jun 2026 18:59:07 -0700
Subject: [PATCH] fix(api): restore accessible check on document preview (#15505)

Restore `DocumentService.accessible` on `GET /api/v1/documents/{doc_id}/preview` so cross-tenant users cannot stream documents by UUID. Fixes #15501 ### What problem does this PR solve? PR #15146 (`71a52d579`) moved the agent attachment download route and accidentally removed the `DocumentService.accessible(doc_id, current_user.id)` guard from the REST preview handler. The endpoint still requires login, but any authenticated user who knows another tenant's `doc_id` can download the raw file bytes. This restores the same authorization check that existed before #15146, returning a generic `"Document not found!"` when access is denied (no cross-tenant ID enumeration). SDK download routes tracked in #15125 are unchanged. ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue)
---
 api/apps/restful_apis/document_api.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/api/apps/restful_apis/document_api.py b/api/apps/restful_apis/document_api.py
index eeb0e8bf94..dc30dba0db 100644
--- a/api/apps/restful_apis/document_api.py
+++ b/api/apps/restful_apis/document_api.py
@@ -1919,6 +1919,8 @@ async def get(doc_id):
 enumeration.
 """
 try:
+ if not DocumentService.accessible(doc_id, current_user.id):
+ return get_data_error_result(message="Document not found!")
 e, doc = DocumentService.get_by_id(doc_id)
 if not e: