security(api): fix privilege escalation vulnerability in model config and chat message APIs (#25518)

The `ChatMessageApi` (`POST /console/api/apps/{app_id}/chat-messages`) and `ModelConfigResource` (`POST /console/api/apps/{app_id}/model-config`) endpoints do not properly validate user permissions, allowing users without `editor` permission to access restricted functionality. This PR addresses this issue by adding proper permission check.
2025-09-11 14:53:35 +08:00
parent 07d067d828
commit 874406d934
11 changed files with 298 additions and 31 deletions
--- a/api/controllers/service_api/app/annotation.py
+++ b/api/controllers/service_api/app/annotation.py
@@ -165,7 +165,7 @@ class AnnotationUpdateDeleteApi(Resource):
    def put(self, app_model: App, annotation_id):
        """Update an existing annotation."""
        assert isinstance(current_user, Account)
-        if not current_user.is_editor:
+        if not current_user.has_edit_permission:
            raise Forbidden()

        annotation_id = str(annotation_id)
@@ -189,7 +189,7 @@ class AnnotationUpdateDeleteApi(Resource):
        """Delete an annotation."""
        assert isinstance(current_user, Account)

-        if not current_user.is_editor:
+        if not current_user.has_edit_permission:
            raise Forbidden()

        annotation_id = str(annotation_id)