Fix: secure canvas (#8670)

### What problem does this PR solve? Secure canvas access. ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue)
2025-12-08 20:42:30 +08:00 · 2025-07-04 19:40:39 +08:00
parent 39799469d1
commit 1ac61c0f0f
1 changed files with 4 additions and 4 deletions
--- a/api/apps/canvas_app.py
+++ b/api/apps/canvas_app.py
@ -81,17 +81,16 @@ def save():
    UserCanvasVersionService.delete_all_versions(req["id"])
    return get_json_result(data=req)
@manager.route('/get/<canvas_id>', methods=['GET'])  # noqa: F821
@login_required
 def get(canvas_id):
    e, c = UserCanvasService.get_by_tenant_id(canvas_id)
-    if not e:
+    if not e or c["user_id"] != current_user.id:
        return get_data_error_result(message="canvas not found.")
    return get_json_result(data=c)
@manager.route('/getsse/<canvas_id>', methods=['GET'])  # type: ignore # noqa: F821
 def getsse(canvas_id):
    token = request.headers.get('Authorization').split()
@ -101,8 +100,9 @@ def getsse(canvas_id):
    objs = APIToken.query(beta=token)
    if not objs:
        return get_data_error_result(message='Authentication error: API key is invalid!"')
    tenant_id = objs[0].tenant_id
    e, c = UserCanvasService.get_by_id(canvas_id)
-    if not e:
+    if not e or c.user_id != tenant_id:
        return get_data_error_result(message="canvas not found.")
    return get_json_result(data=c.to_dict())