admin/dify
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

security(api): fix privilege escalation vulnerability in model config and chat message APIs (#25518)

Browse Source 
The `ChatMessageApi` (`POST /console/api/apps/{app_id}/chat-messages`) and 
`ModelConfigResource` (`POST /console/api/apps/{app_id}/model-config`) 
endpoints do not properly validate user permissions, allowing users without `editor` 
permission to access restricted functionality.

This PR addresses this issue by adding proper permission check.
This commit is contained in:
QuantumGhost
2025-09-11 14:53:35 +08:00
committed by GitHub
parent 07d067d828
commit 874406d934
11 changed files with 298 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
api/tests/test_containers_integration_tests/services/test_account_service.py
View File

@@ -962,7 +962,8 @@ class TestAccountService:
Test getting user through non-existent email.
"""
fake = Faker()
non_existent_email = fake.email()
domain = f"test-{fake.random_letters(10)}.com"
non_existent_email = fake.email(domain=domain)
found_user = AccountService.get_user_through_email(non_existent_email)
assert found_user is None