ragflow/api
kpdev d26d799467 fix(api): restore accessible check on document preview (#15505)
Restore `DocumentService.accessible` on `GET
/api/v1/documents/{doc_id}/preview` so cross-tenant users cannot stream
documents by UUID.

Fixes #15501

### What problem does this PR solve?

PR #15146 (`71a52d579`) moved the agent attachment download route and
accidentally removed the `DocumentService.accessible(doc_id,
current_user.id)` guard from the REST preview handler. The endpoint
still requires login, but any authenticated user who knows another
tenant's `doc_id` can download the raw file bytes.

This restores the same authorization check that existed before #15146,
returning a generic `"Document not found!"` when access is denied (no
cross-tenant ID enumeration). SDK download routes tracked in #15125 are
unchanged.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
2026-06-04 09:59:07 +08:00
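
The regression and the restored check described in the commit message above, modelled as an added example (not RAGFlow's code): an in-memory stand-in for `DocumentService.accessible` plus a cross-tenant test matrix that would catch the guard being dropped again. The users, tenants, document IDs, handler names and HTTP status codes are assumptions; only the `"Document not found!"` message comes from the commit.

```python
from dataclasses import dataclass

# Message text is from the commit; the 404/401/200 status codes are assumptions.
NOT_FOUND = (404, "Document not found!")

@dataclass(frozen=True)
class Doc:
    tenant_id: str
    blob: bytes

# Constructed sample data: two tenants, one document and one user each.
DOCS = {
    "doc-a1": Doc("tenant-a", b"tenant A contract"),
    "doc-b1": Doc("tenant-b", b"tenant B payroll"),
}
USER_TENANTS = {"alice": {"tenant-a"}, "bob": {"tenant-b"}}

def accessible(doc_id, user_id):
    """Hypothetical stand-in for DocumentService.accessible(doc_id, user_id)."""
    doc = DOCS.get(doc_id)
    return doc is not None and doc.tenant_id in USER_TENANTS.get(user_id, set())

def preview_unguarded(doc_id, user_id):
    """Regressed handler: login is enforced, per-document authorization is not."""
    if user_id not in USER_TENANTS:
        return (401, "Unauthorized")
    doc = DOCS.get(doc_id)
    return NOT_FOUND if doc is None else (200, doc.blob)

def preview_guarded(doc_id, user_id):
    """Fixed handler: denied and nonexistent documents get the same response."""
    if user_id not in USER_TENANTS:
        return (401, "Unauthorized")
    if not accessible(doc_id, user_id):
        return NOT_FOUND
    return (200, DOCS[doc_id].blob)

def cross_tenant_leaks(handler):
    """Try every (user, document) pair; report documents served outside the user's tenants."""
    leaks = []
    for user, tenants in USER_TENANTS.items():
        for doc_id, doc in DOCS.items():
            status, _ = handler(doc_id, user)
            if doc.tenant_id not in tenants and status == 200:
                leaks.append((user, doc_id))
    return sorted(leaks)

if __name__ == "__main__":
    print("unguarded leaks:", cross_tenant_leaks(preview_unguarded))
    print("guarded leaks:  ", cross_tenant_leaks(preview_guarded))
```

Running the same matrix against every route that takes a document ID keeps a moved or refactored handler from silently losing its guard.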