Fix: unexpected operation of document management (#10366)

### What problem does this PR solve? Unexpected operation of document management. ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue)
2025-12-08 20:42:30 +08:00 · 2025-09-30 15:20:38 +08:00
parent e7dde69584
commit 7c620bdc69
4 changed files with 80 additions and 6 deletions
--- a/api/apps/file_app.py
+++ b/api/apps/file_app.py
@ -21,6 +21,7 @@ import flask
 from flask import request
 from flask_login import login_required, current_user

+from api.common.check_team_permission import check_file_team_permission
 from api.db.services.document_service import DocumentService
 from api.db.services.file2document_service import File2DocumentService
 from api.utils.api_utils import server_error_response, get_data_error_result, validate_request
@ -178,6 +179,9 @@ def list_files():
        if not e:
            return get_data_error_result(message="Folder not found!")

+        if not check_file_team_permission(file, current_user.id):
+            return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
+
        files, total = FileService.get_by_pf_id(
            current_user.id, pf_id, page_number, items_per_page, orderby, desc, keywords)

@ -209,6 +213,9 @@ def get_parent_folder():
        if not e:
            return get_data_error_result(message="Folder not found!")

+        if not check_file_team_permission(file, current_user.id):
+            return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
+
        parent_folder = FileService.get_parent_folder(file_id)
        return get_json_result(data={"parent_folder": parent_folder.to_json()})
    except Exception as e:
@ -224,6 +231,9 @@ def get_all_parent_folders():
        if not e:
            return get_data_error_result(message="Folder not found!")

+        if not check_file_team_permission(file, current_user.id):
+            return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
+
        parent_folders = FileService.get_all_parent_folders(file_id)
        parent_folders_res = []
        for parent_folder in parent_folders:
@ -246,7 +256,7 @@ def rm():
                return get_data_error_result(message="File or Folder not found!")
            if not file.tenant_id:
                return get_data_error_result(message="Tenant not found!")
-            if file.tenant_id != current_user.id:
+            if not check_file_team_permission(file, current_user.id):
                return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
            if file.source_type == FileSource.KNOWLEDGEBASE:
                continue
@ -294,7 +304,7 @@ def rename():
        e, file = FileService.get_by_id(req["file_id"])
        if not e:
            return get_data_error_result(message="File not found!")
-        if file.tenant_id != current_user.id:
+        if not check_file_team_permission(file, current_user.id):
            return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
        if file.type != FileType.FOLDER.value \
            and pathlib.Path(req["name"].lower()).suffix != pathlib.Path(
@ -332,7 +342,7 @@ def get(file_id):
        e, file = FileService.get_by_id(file_id)
        if not e:
            return get_data_error_result(message="Document not found!")
-        if file.tenant_id != current_user.id:
+        if not check_file_team_permission(file, current_user.id):
            return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)

        blob = STORAGE_IMPL.get(file.parent_id, file.location)
@ -373,7 +383,7 @@ def move():
                return get_data_error_result(message="File or Folder not found!")
            if not file.tenant_id:
                return get_data_error_result(message="Tenant not found!")
-            if file.tenant_id != current_user.id:
+            if not check_file_team_permission(file, current_user.id):
                return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
        fe, _ = FileService.get_by_id(parent_id)
        if not fe: