Fix: enforce editor-only access to chat message logs (#25936)

2025-09-18 21:59:51 +08:00
parent 3e54414191
commit b2d8a7eaf1
2 changed files with 108 additions and 0 deletions
--- a/api/controllers/console/app/message.py
+++ b/api/controllers/console/app/message.py
@@ -62,6 +62,9 @@ class ChatMessageListApi(Resource):
    @account_initialization_required
    @marshal_with(message_infinite_scroll_pagination_fields)
    def get(self, app_model):
+        if not isinstance(current_user, Account) or not current_user.has_edit_permission:
+            raise Forbidden()
+
        parser = reqparse.RequestParser()
        parser.add_argument("conversation_id", required=True, type=uuid_value, location="args")
        parser.add_argument("first_id", type=uuid_value, location="args")