mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-06-08 08:07:21 +08:00
### What problem does this PR solve?

Closes #15076

Two endpoints in `api/apps/restful_apis/chat_api.py` accepted a `user_id` field from the request body and used it directly when creating a session:

```python
# before (vulnerable)
"user_id": req.get("user_id", current_user.id)  # create_session
conv = await _create_session_for_completion(chat_id, dia, req.get("user_id", current_user.id))  # session_completion
```

Any authenticated caller could supply an arbitrary `user_id` and have the new session attributed to a different user — effectively spoofing session ownership.

Both call sites are now fixed to always use `current_user.id`, which is set by the authentication middleware and cannot be tampered with via the request payload.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)

### Changes

| File | Change |
|------|--------|
| `api/apps/restful_apis/chat_api.py` | Remove `req.get("user_id", ...)` fallback in `create_session` and `session_completion`; always use `current_user.id` |
| `test/testcases/test_http_api/test_session_management/test_session_sdk_routes_unit.py` | Add `test_create_session_user_id_not_spoofable` and `test_session_completion_user_id_not_spoofable` (both `@pytest.mark.p2`) |

### Testing

Two new unit tests assert that a `user_id` value supplied in the request body is silently ignored and the session is always owned by the authenticated user:

```
test_create_session_user_id_not_spoofable
test_session_completion_user_id_not_spoofable
```

Run with:

```bash
uv run pytest test/testcases/test_http_api/test_session_management/test_session_sdk_routes_unit.py -k "spoofable" -v
```
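The ownership bug and its fix side by side, as an added illustration that is not ragflow's code: a handler that takes `user_id` from the body next to one that derives the owner only from the authenticated identity and logs a body value that disagrees with it. `AuthenticatedUser`, `SessionStore`, `create_session_vulnerable` and `create_session_fixed` are names assumed for this example.

```python
"""Added example (not ragflow's code): session ownership must come from the
authenticated principal, never from a caller-supplied request field.
All class and function names here are assumptions for illustration."""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("session_ownership")


@dataclass(frozen=True)
class AuthenticatedUser:
    """Identity set by the authentication middleware from the credential."""
    id: str


@dataclass
class SessionStore:
    """Minimal in-memory stand-in for the session table."""
    sessions: dict = field(default_factory=dict)

    def create(self, chat_id: str, owner_id: str) -> dict:
        session = {"id": f"sess-{len(self.sessions) + 1}",
                   "chat_id": chat_id, "user_id": owner_id}
        self.sessions[session["id"]] = session
        return session


def create_session_vulnerable(store: SessionStore, chat_id: str,
                              req: dict, current_user: AuthenticatedUser) -> dict:
    # Mirrors the 'before' pattern: a body field overrides the authenticated identity.
    return store.create(chat_id, req.get("user_id", current_user.id))


def create_session_fixed(store: SessionStore, chat_id: str,
                         req: dict, current_user: AuthenticatedUser) -> dict:
    # Owner is always the authenticated principal; the body field is ignored.
    if "user_id" in req and req["user_id"] != current_user.id:
        # A body value disagreeing with the credential is a useful detection signal.
        log.warning("ignoring user_id=%r in body from authenticated user %s",
                    req["user_id"], current_user.id)
    return store.create(chat_id, current_user.id)


def demo() -> tuple:
    """Return (owner under vulnerable handler, owner under fixed handler)."""
    alice = AuthenticatedUser(id="user-alice")
    spoof_req = {"name": "chat", "user_id": "user-bob"}  # constructed request body
    vuln = create_session_vulnerable(SessionStore(), "chat-1", spoof_req, alice)
    fixed = create_session_fixed(SessionStore(), "chat-1", spoof_req, alice)
    return vuln["user_id"], fixed["user_id"]
```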