Fix: authorization bypass (IDOR) in /v1/document/web_crawl (#13203)

### What problem does this PR solve?

Fix authorization bypass (IDOR) in `/v1/document/web_crawl` that allows
Cross-Tenant Dataset Modification.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
This commit is contained in:
Yongteng Lei
2026-02-25 12:59:41 +08:00
committed by GitHub
parent 99d1c9725c
commit 2bf2abfdbc

@ -125,7 +125,7 @@ async def web_crawl():
e, kb = KnowledgebaseService.get_by_id(kb_id)
if not e:
raise LookupError("Can't find this dataset!")
if check_kb_team_permission(kb, current_user.id):
if not check_kb_team_permission(kb, current_user.id):
return get_json_result(data=False, message="No authorization.", code=RetCode.AUTHENTICATION_ERROR)
blob = html2pdf(url)
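
Review bot: the corrected `if not check_kb_team_permission(kb, current_user.id):` line differs from the old one by a single `not`, and nothing in this commit exercises it, so the same inversion could come back unnoticed. Add a regression test that calls `web_crawl` as a user outside the dataset's team and asserts the `RetCode.AUTHENTICATION_ERROR` result, plus one confirming a team member still reaches `html2pdf(url)`. Separately, the lookup just above raises `LookupError("Can't find this dataset!")` before the permission check runs, so a caller without access gets a different answer for an existing dataset than for a missing one; returning the same "No authorization." result in both cases would avoid disclosing which `kb_id` values exist. `RetCode.AUTHENTICATION_ERROR` is also being used here for what is an authorization failure; if the enum offers a more specific code, prefer it.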