From 1ac61c0f0f9db1634df440587c8ee27a0ec24f90 Mon Sep 17 00:00:00 2001
From: Yongteng Lei
Date: Fri, 4 Jul 2025 19:40:39 +0800
Subject: [PATCH] Fix: secure canvas (#8670)

### What problem does this PR solve?

Secure canvas access.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
---
 api/apps/canvas_app.py | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/apps/canvas_app.py b/api/apps/canvas_app.py
index d80eb093c..b500d19f1 100644
--- a/api/apps/canvas_app.py
+++ b/api/apps/canvas_app.py
@@ -81,17 +81,16 @@ def save():
         UserCanvasVersionService.delete_all_versions(req["id"])
     return get_json_result(data=req)
 
 
-
-
 @manager.route('/get/', methods=['GET'])  # noqa: F821
 @login_required
 def get(canvas_id):
     e, c = UserCanvasService.get_by_tenant_id(canvas_id)
-    if not e:
+    if not e or c["user_id"] != current_user.id:
         return get_data_error_result(message="canvas not found.")
     return get_json_result(data=c)
 
+
 @manager.route('/getsse/', methods=['GET'])  # type: ignore # noqa: F821
 def getsse(canvas_id):
     token = request.headers.get('Authorization').split()
@@ -101,8 +100,9 @@ def getsse(canvas_id):
     objs = APIToken.query(beta=token)
     if not objs:
         return get_data_error_result(message='Authentication error: API key is invalid!"')
+    tenant_id = objs[0].tenant_id
     e, c = UserCanvasService.get_by_id(canvas_id)
-    if not e:
+    if not e or c.user_id != tenant_id:
         return get_data_error_result(message="canvas not found.")
     return get_json_result(data=c.to_dict())
 
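Review bot: The new ownership check in `get` compares `c["user_id"]` with `current_user.id`, while the `getsse` hunk below compares the same canvas field with the API token's `tenant_id`; unless user ids and tenant ids share one id space in this project, one of the two checks is comparing different kinds of identifier, and the diff alone does not show which is intended. That is worth confirming against the UserCanvas model, and if both are correct, saying so next to the checks. Returning the same "canvas not found." response for a missing canvas and for someone else's canvas looks deliberate, since it keeps the response from confirming that the id exists; a comment such as `# same response as "not found" on purpose: do not confirm the id exists to a non-owner` on the line before the `if` would stop a later change from turning the second case into a 403.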
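Review bot: `tenant_id = objs[0].tenant_id` takes the first row when `APIToken.query(beta=token)` returns more than one, so if the `beta` value is not unique per tenant the ownership comparison on `c.user_id` is made against whichever row came back first. If the schema guarantees uniqueness, a one-line comment saying so would be enough; otherwise rejecting `len(objs) != 1` alongside the existing `if not objs` is the cheaper fix. Both this hunk and `get` now apply the owner filter in the route body; folding it into the `UserCanvasService` lookup (a lookup that takes the owner id as a parameter) would give every future canvas route the same check by construction rather than by remembering to add it. The `Authorization` header parsing above the hunk is unchanged here, and `getsse` begins outside the hunk.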