From 2bf2abfdbcffd80fe8f69f4b387cd10b5159bcb6 Mon Sep 17 00:00:00 2001
From: Yongteng Lei
Date: Wed, 25 Feb 2026 12:59:41 +0800
Subject: [PATCH] Fix: authorization bypass (IDOR) in /v1/document/web_crawl (#13203)
### What problem does this PR solve?
Fix authorization bypass (IDOR) in `/v1/document/web_crawl` allows Cross-Tenant Dataset Modification.
### Type of change
- [x] Bug Fix (non-breaking change which fixes an issue)
---
 api/apps/document_app.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/api/apps/document_app.py b/api/apps/document_app.py
index 504eae9eb..5192756e0 100644
--- a/api/apps/document_app.py
+++ b/api/apps/document_app.py
@@ -125,7 +125,7 @@ async def web_crawl():
 e, kb = KnowledgebaseService.get_by_id(kb_id)
 if not e:
 raise LookupError("Can't find this dataset!")
- if check_kb_team_permission(kb, current_user.id):
+ if not check_kb_team_permission(kb, current_user.id):
 return get_json_result(data=False, message="No authorization.", code=RetCode.AUTHENTICATION_ERROR)
 blob = html2pdf(url)
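Review bot: The corrected polarity of `if not check_kb_team_permission(kb, current_user.id):` in web_crawl is not pinned by any test (the diffstat lists only api/apps/document_app.py), so the same one-token inversion could come back unnoticed. A regression test should assert that a caller outside the dataset's team receives the `No authorization.` result before `html2pdf(url)` is reached, and that a team member proceeds to the crawl. The other call sites of check_kb_team_permission are not visible here and are worth checking for the same missing `not`. Separately, the not-found branch raises `LookupError("Can't find this dataset!")` while the denied branch returns `No authorization.`, so the two answers differ for a kb_id owned by another tenant; returning the same response in both cases would avoid disclosing which dataset ids exist. web_crawl's body starts and ends outside the hunk.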