diff --git a/api/apps/file_app.py b/api/apps/file_app.py
index eeb66f6ec..a644b20b4 100644
--- a/api/apps/file_app.py
+++ b/api/apps/file_app.py
@@ -246,6 +246,8 @@ def rm():
 return get_data_error_result(message="File or Folder not found!")
 if not file.tenant_id:
 return get_data_error_result(message="Tenant not found!")
+ if file.tenant_id != current_user.id:
+ return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
 if file.source_type == FileSource.KNOWLEDGEBASE:
 continue
@@ -292,6 +294,8 @@ def rename():
 e, file = FileService.get_by_id(req["file_id"])
 if not e:
 return get_data_error_result(message="File not found!")
+ if file.tenant_id != current_user.id:
+ return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
 if file.type != FileType.FOLDER.value \
 and pathlib.Path(req["name"].lower()).suffix != pathlib.Path(
 file.name.lower()).suffix:
@@ -328,6 +332,8 @@ def get(file_id):
 e, file = FileService.get_by_id(file_id)
 if not e:
 return get_data_error_result(message="Document not found!")
+ if file.tenant_id != current_user.id:
+ return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
 blob = STORAGE_IMPL.get(file.parent_id, file.location)
 if not blob:
@@ -367,6 +373,8 @@ def move():
 return get_data_error_result(message="File or Folder not found!")
 if not file.tenant_id:
 return get_data_error_result(message="Tenant not found!")
+ if file.tenant_id != current_user.id:
+ return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)
 fe, _ = FileService.get_by_id(parent_id)
 if not fe:
 return get_data_error_result(message="Parent Folder not found!")
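Review bot: The added ownership check in `rm` reports an authorization failure with `settings.RetCode.AUTHENTICATION_ERROR`, and the same two lines are repeated verbatim in the `rename`, `get` and `move` hunks. `current_user` is already resolved at this point, so a client that reads that code as "session invalid" may force a re-login instead of showing a permission error; a permission-specific return code, if `RetCode` defines one, would describe the condition more accurately. A single helper such as `def _owned_by_current_user(file): return file.tenant_id == current_user.id` would keep the four handlers from drifting apart. In `rm` the `continue` two lines below suggests the check runs inside a per-id loop whose start is outside the hunk, so ids processed before a foreign one may already have been removed when the request is rejected; validating every id before deleting any would avoid that partial result.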
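Review bot: The two failure branches in `rename` return different messages, "File not found!" for a missing id and 'No authorization.' for a foreign one, so the response reveals whether a `file_id` owned by another tenant exists; the `get` hunk has the same ordering with "Document not found!". If ids are not meant to be discoverable across tenants, fold the two cases into one response, `if not e or file.tenant_id != current_user.id: return get_data_error_result(message="File not found!")`, and record the denied attempt in the server log instead. The remainder of `rename` lies outside the hunk.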
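Review bot: The destination folder in `move` is not covered by the new check: `fe, _ = FileService.get_by_id(parent_id)` discards the parent record, so nothing in this hunk compares the target folder's tenant with `current_user.id`, and a file the caller owns could end up under a folder that belongs to a different tenant. Keep the record and test it the same way, `fe, parent = FileService.get_by_id(parent_id)`, then after the `if not fe:` branch `if parent.tenant_id != current_user.id: return get_json_result(data=False, message='No authorization.', code=settings.RetCode.AUTHENTICATION_ERROR)`. Whether a later line of `move` already validates the folder cannot be seen from this hunk, and a test that moves a file into another tenant's folder and expects a denial would pin the behaviour.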