zlei6/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-06-29 23:41:12 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
58eb957c30fd8021ce6c2f8a6903aefd1982fbe4
ragflow/internal/service
History
nickmopen e023c165b6 Fix(kb): enforce tenant authorization on UpdateMetadataSetting (#15268) (#15270) 
## Summary

Closes #15268.

The `UpdateMetadataSetting` handler at `internal/handler/kb.go:126`
retrieved the authenticated user via `GetUser(c)` but discarded the user
object (`_, errorCode, errorMessage := GetUser(c)`), then forwarded the
caller-supplied `kb_id` straight to the service layer with no ownership
check. Any authenticated user could mutate the `parser_config` /
metadata of any knowledge base in the system by guessing or harvesting a
`kb_id` — a classic IDOR (CWE-284, OWASP A01).

This is the only handler in `internal/handler/kb.go` missing the check;
every sibling (`ListTags`, `ListTagsFromKbs`, `RenameTag`,
`KnowledgeGraph`, `DeleteKnowledgeGraph`, `GetMeta`, `GetBasicInfo`)
already calls `h.kbService.Accessible(kbID, user.ID)`. The same
defensive check on the document preview endpoint was added in PR #14625
— this PR closes the matching gap on the KB metadata endpoint.

---------

Co-authored-by: Jin Hai <haijin.chn@gmail.com>
2026-05-29 10:08:55 +08:00
..
nlp
Go: fix retrieval test error (#14794)
2026-05-11 20:19:08 +08:00
agent.go
feat(go-api): implement GET /api/v1/agents list endpoint (issue #15328) (#15329)
2026-05-28 19:40:54 +08:00
api_token.go
GO: align time units with Python and centralize timestamp injection in BaseModel (#14875)
2026-05-14 13:46:46 +08:00
chat_session.go
Go: add ingestion server (#15094)
2026-05-25 14:00:08 +08:00
chat.go
Go: add ingestion server (#15094)
2026-05-25 14:00:08 +08:00
chunk.go
Update chunk/metadata cli (#15055)
2026-05-20 20:32:06 +08:00
connector.go
feat(go-api): implement connector (data source) management endpoints (#15274)
2026-05-28 19:40:15 +08:00
dataset.go
Go: add cli command, list dataset documents (#14948)
2026-05-15 14:00:45 +08:00
document.go
Implement Elasticsearch functions in GO (#15160)
2026-05-25 19:15:07 +08:00
file.go
Refact functions in engine in GO (#14981)
2026-05-19 17:34:59 +08:00
generator.go
Use GetChatModel, remove duplicate functions in model_service.go (#14546)
2026-05-06 11:33:32 +08:00
heartbeat_sender.go
Update go server (#13589)
2026-03-13 14:41:02 +08:00
kb.go
Fix(kb): enforce tenant authorization on UpdateMetadataSetting (#15268) (#15270)
2026-05-29 10:08:55 +08:00
llm.go
Go: implement provider: ModelScope (#15041)
2026-05-26 18:18:46 +08:00
load_prompt.go
Implement retrieval_test in GO (#14231)
2026-04-24 15:30:14 +08:00
mcp.go
feat: add Go MCP server create API (#15260)
2026-05-28 16:43:21 +08:00
memory.go
Go: fix forgetting policy validation and fix memory update diff checks (#14976)
2026-05-18 19:21:47 +08:00
metadata_filter.go
Use GetChatModel, remove duplicate functions in model_service.go (#14546)
2026-05-06 11:33:32 +08:00
metadata.go
Implement retrieval_test in GO (#14231)
2026-04-24 15:30:14 +08:00
model_service_test.go
fix(go): guard custom base URL driver creation (#15030)
2026-05-20 14:58:20 +08:00
model_service.go
fix(go): guard custom base URL driver creation (#15030)
2026-05-20 14:58:20 +08:00
search.go
Implement retrieval_test in GO (#14231)
2026-04-24 15:30:14 +08:00
skill_indexer.go
Refact functions in engine in GO (#14981)
2026-05-19 17:34:59 +08:00
skill_search.go
Refact functions in engine in GO (#14981)
2026-05-19 17:34:59 +08:00
skill_space.go
Refact functions in engine in GO (#14981)
2026-05-19 17:34:59 +08:00
system_test.go
Go: implement system healthz API (#15307)
2026-05-28 13:30:22 +08:00
system.go
Go: implement system healthz API (#15307)
2026-05-28 13:30:22 +08:00
tag.go
Go: move logger to common module (#14545)
2026-05-06 10:41:58 +08:00
tenant.go
Implement Elasticsearch functions in GO (#15160)
2026-05-25 19:15:07 +08:00
user.go
fix: include user model settings in /user/me response (#15320)
2026-05-28 13:31:16 +08:00