dale053 714f777fa0 Fix: missing authentication on agent file upload and download endpoints (#14854) ...

### What problem does this PR solve?

Closes #14853

The `/agents/download` and `/agents/<agent_id>/upload` endpoints in the
agent API are missing `@login_required` and `@add_tenant_id_to_kwargs`
decorators, allowing unauthenticated access. This is a security issue —
any user can upload files to or download files from an agent without
being logged in. Additionally, the upload endpoint bypasses canvas
access control (`@_require_canvas_access_async`).
This PR adds the missing authentication and authorization decorators to
both endpoints and replaces the manual `user_id` / `created_by` lookups
with the `tenant_id` provided by the auth middleware, making these
endpoints consistent with the rest of the agent API.
### Type of change
- [x] Bug Fix (non-breaking change which fixes an issue)

2026-05-14 13:48:41 +08:00

..

auth

Refactor user REST API (#14334)

2026-04-24 10:25:15 +08:00

restful_apis

Fix: missing authentication on agent file upload and download endpoints (#14854)

2026-05-14 13:48:41 +08:00

sdk

Fix: dataset document download route (#14910)

2026-05-14 10:59:06 +08:00

services

Fix: enforce tenant authorization for tenant_rerank_id in retrieval flows (#14782)

2026-05-13 19:53:08 +08:00

__init__.py

Fix: bind memory message user_id to authenticated user for JWT auth (#14745)

2026-05-11 13:26:05 +08:00

backward_compat.py

Add REST API backward compatibility (#14872)

2026-05-13 11:44:40 +08:00

llm_app.py

Fix: llm add api key overridden (#14885)

2026-05-13 17:15:32 +08:00