zlei6/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-06-29 15:31:05 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
43a9d53c72a446a59e746cb311e8f28a7e7faeca
ragflow/api
History
philluiz2323 43a9d53c72 fix(agent): enforce tenant ownership on agentbots completions/inputs (#15457) 
### What problem does this PR solve?

Fixes #15456.

The SDK agent-bot routes `POST /api/v1/agentbots/<agent_id>/completions`
and `GET /api/v1/agentbots/<agent_id>/inputs`
(`api/apps/restful_apis/bot_api.py`) authenticate the caller with a beta
API token — which only yields the caller's `tenant_id` — but then load
and run the agent named in the URL **without verifying the agent belongs
to the caller's tenant**. `UserCanvasService.get_agent_dsl_with_release`
even accepts a `tenant_id` it never uses, and `begin_inputs` calls
`get_by_id` directly. Any holder of a single valid beta token could
therefore run another tenant's agent (leaking its DSL/prompts/tool
config) or read another tenant's agent metadata and begin input form,
just by substituting a victim `agent_id`.

This PR adds the project's existing ownership gate,
`UserCanvasService.accessible(agent_id, tenant_id)`, to both endpoints
right after token authentication — mirroring the checks already enforced
on the equivalent first-party routes in
`api/apps/restful_apis/agent_api.py` (lines 75/578/775) and on the
sibling `chatbot_completions` / `create_agent_session` /
`delete_agent_session` handlers in the same file. On failure it returns
the same `Can't find agent by ID: <id>` message already used by
`begin_inputs`, so it does not reveal whether an `agent_id` exists in
another tenant.

Added a regression test
(`test/unit_test/api/apps/restful_apis/test_agentbots_access_control.py`,
following the existing stubbed-loader pattern from
`test_get_agent_session.py`) asserting that an inaccessible `agent_id`
is rejected before the agent is loaded (`begin_inputs`) or executed
(`completions`), and that an accessible agent still proceeds.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
- [ ] New Feature (non-breaking change which adds functionality)
- [ ] Documentation Update
- [ ] Refactoring
- [ ] Performance Improvement
- [ ] Other (please describe):

---------

Co-authored-by: Zhichang Yu <yuzhichang@gmail.com>
2026-06-29 09:45:16 +08:00
..
apps
fix(agent): enforce tenant ownership on agentbots completions/inputs (#15457)
2026-06-29 09:45:16 +08:00
channels
fix(security): address 93 CodeQL code-scanning alerts across 61 files (#16407)
2026-06-29 09:45:16 +08:00
common
Feat:admin api (#10642)
2025-10-18 16:09:48 +08:00
db
fix(codeql): close remaining 44 CodeQL alerts post-merge (#16408)
2026-06-29 09:45:16 +08:00
utils
feat(go-agent): Ported retrieval node, added Keenable web search tool (#16396)
2026-06-29 09:45:16 +08:00
__init__.py
Fix: incorrect async chat streamly output (#11679)
2025-12-03 11:15:45 +08:00
constants.py
fix(profile): enforce profile name validation and input constraints (#15694)
2026-06-12 11:13:18 +08:00
ragflow_server.py
Feat: chat channels — connect assistants to external messaging bots (#15850)
2026-06-12 18:21:30 +08:00
settings.py
Move api.settings to common.settings (#11036)
2025-11-06 09:36:38 +08:00
validation.py
Fix errors detected by Ruff (#3918)
2024-12-08 14:21:12 +08:00