Add Authorization checks (#2221)

### What problem does this PR solve? Add Authorization checks #2203 ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Feiue <10215101452@stu.ecun.edu.cn> Co-authored-by: Kevin Hu <kevinhu.sh@gmail.com>
2025-12-08 20:42:30 +08:00 · 2024-09-04 10:36:15 +08:00
parent 4f05803690
commit 0164856343
4 changed files with 79 additions and 25 deletions
--- a/api/apps/canvas_app.py
+++ b/api/apps/canvas_app.py
@ -18,6 +18,7 @@ from functools import partial
 from flask import request, Response
 from flask_login import login_required, current_user
 from api.db.services.canvas_service import CanvasTemplateService, UserCanvasService
+from api.settings import RetCode
 from api.utils import get_uuid
 from api.utils.api_utils import get_json_result, server_error_response, validate_request, get_data_error_result
 from agent.canvas import Canvas
@ -43,6 +44,10 @@ def canvas_list():
@login_required
 def rm():
    for i in request.json["canvas_ids"]:
+        if not UserCanvasService.query(user_id=current_user.id,id=i):
+            return get_json_result(
+                data=False, retmsg=f'Only owner of canvas authorized for this operation.',
+                retcode=RetCode.OPERATING_ERROR)
        UserCanvasService.delete_by_id(i)
    return get_json_result(data=True)