ragflow/internal
nickmopen e023c165b6 Fix(kb): enforce tenant authorization on UpdateMetadataSetting (#15268) (#15270)
## Summary

Closes #15268.

The `UpdateMetadataSetting` handler at `internal/handler/kb.go:126`
retrieved the authenticated user via `GetUser(c)` but discarded the user
object (`_, errorCode, errorMessage := GetUser(c)`), then forwarded the
caller-supplied `kb_id` straight to the service layer with no ownership
check. Any authenticated user could mutate the `parser_config` /
metadata of any knowledge base in the system by guessing or harvesting a
`kb_id` — a classic IDOR (CWE-284, OWASP A01).

This is the only handler in `internal/handler/kb.go` missing the check;
every sibling (`ListTags`, `ListTagsFromKbs`, `RenameTag`,
`KnowledgeGraph`, `DeleteKnowledgeGraph`, `GetMeta`, `GetBasicInfo`)
already calls `h.kbService.Accessible(kbID, user.ID)`. The same
defensive check on the document preview endpoint was added in PR #14625
— this PR closes the matching gap on the KB metadata endpoint.

---------

Co-authored-by: Jin Hai <haijin.chn@gmail.com>
2026-05-29 10:08:55 +08:00