pengjunjie/ragflow
1
0
Fork 1
mirror of https://github.com/infiniflow/ragflow.git synced 2025-12-08 20:42:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix: potential risk (#3515)

Browse Source 
### What problem does this PR solve?


### Type of change

- [x] Refactoring
This commit is contained in:
Kevin Hu
2024-11-20 13:47:03 +08:00
committed by Yingfeng Zhang
parent 81c7b6afc5
commit d02a2b131a
1 changed files with 25 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
api/apps/tenant_app.py
View File

@ -17,6 +17,7 @@
from flask import request from flask import request
from flask_login import login_required, current_user from flask_login import login_required, current_user
from api import settings
from api.db import UserTenantRole, StatusEnum from api.db import UserTenantRole, StatusEnum
from api.db.db_models import UserTenant from api.db.db_models import UserTenant
from api.db.services.user_service import UserTenantService, UserService from api.db.services.user_service import UserTenantService, UserService
@ -28,6 +29,12 @@ from api.utils.api_utils import get_json_result, validate_request, server_error_
@manager.route("/<tenant_id>/user/list", methods=["GET"]) @manager.route("/<tenant_id>/user/list", methods=["GET"])
@login_required @login_required
def user_list(tenant_id): def user_list(tenant_id):
if current_user.id != tenant_id:
return get_json_result(
data=False,
message='No authorization.',
code=settings.RetCode.AUTHENTICATION_ERROR)
try: try:
users = UserTenantService.get_by_tenant_id(tenant_id) users = UserTenantService.get_by_tenant_id(tenant_id)
for u in users: for u in users:
@ -41,6 +48,12 @@ def user_list(tenant_id):
@login_required @login_required
@validate_request("email") @validate_request("email")
def create(tenant_id): def create(tenant_id):
if current_user.id != tenant_id:
return get_json_result(
data=False,
message='No authorization.',
code=settings.RetCode.AUTHENTICATION_ERROR)
req = request.json req = request.json
usrs = UserService.query(email=req["email"]) usrs = UserService.query(email=req["email"])
if not usrs: if not usrs:
@ -70,6 +83,12 @@ def create(tenant_id):
@manager.route('/<tenant_id>/user/<user_id>', methods=['DELETE']) @manager.route('/<tenant_id>/user/<user_id>', methods=['DELETE'])
@login_required @login_required
def rm(tenant_id, user_id): def rm(tenant_id, user_id):
if current_user.id != tenant_id:
return get_json_result(
data=False,
message='No authorization.',
code=settings.RetCode.AUTHENTICATION_ERROR)
try: try:
UserTenantService.filter_delete([UserTenant.tenant_id == tenant_id, UserTenant.user_id == user_id]) UserTenantService.filter_delete([UserTenant.tenant_id == tenant_id, UserTenant.user_id == user_id])
return get_json_result(data=True) return get_json_result(data=True)
@ -92,6 +111,12 @@ def tenant_list():
@manager.route("/agree/<tenant_id>", methods=["PUT"]) @manager.route("/agree/<tenant_id>", methods=["PUT"])
@login_required @login_required
def agree(tenant_id): def agree(tenant_id):
if current_user.id != tenant_id:
return get_json_result(
data=False,
message='No authorization.',
code=settings.RetCode.AUTHENTICATION_ERROR)
try: try:
UserTenantService.filter_update([UserTenant.tenant_id == tenant_id, UserTenant.user_id == current_user.id], {"role": UserTenantRole.NORMAL}) UserTenantService.filter_update([UserTenant.tenant_id == tenant_id, UserTenant.user_id == current_user.id], {"role": UserTenantRole.NORMAL})
return get_json_result(data=True) return get_json_result(data=True)