youngkingdom/ragflow
1
0
Fork 0
mirror of https://github.com/infiniflow/ragflow.git synced 2026-05-28 11:43:06 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
c33d0b80816bc0da36cfa04a96115814b4b50ab7
ragflow/api/apps
History
dale053 c33d0b8081 fix: prevent sensitive fields from leaking in user API responses (#14792) 
Closes #14789

### What problem does this PR solve?

User API endpoints (`login`, `user_profile`, `user_add`,
`forget_reset_password`) were returning full user objects via
`to_json()` / `to_dict()`, which included sensitive fields like
`password` and `access_token` in the response body. This leaks
credentials to the client.

This PR adds a `to_safe_dict()` method on the `User` model that strips
sensitive fields (`password`, `access_token`) and replaces all affected
call sites to use it.

### Type of change

- [x] Bug Fix (non-breaking change which fixes an issue)
2026-05-22 15:14:26 +08:00
..
auth
Refactor user REST API (#14334)
2026-04-24 10:25:15 +08:00
restful_apis
fix: prevent sensitive fields from leaking in user API responses (#14792)
2026-05-22 15:14:26 +08:00
sdk
Refactor:improve dify retrieval logic (#15036)
2026-05-21 15:32:24 +08:00
services
Fix: validate memory tenant model IDs on update and enforce tenant scope in memory pipeline (#14923)
2026-05-19 10:11:46 +08:00
__init__.py
Fix: bind memory message user_id to authenticated user for JWT auth (#14745)
2026-05-11 13:26:05 +08:00
backward_compat.py
Add REST API backward compatibility (#14872)
2026-05-13 11:44:40 +08:00
llm_app.py
Fix: restore saved api_key fallback in add_llm (#14921) (#14941)
2026-05-19 15:32:09 +08:00