jyapayne/dify
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

security(api): fix privilege escalation vulnerability in model config and chat message APIs (#25518)

Browse source 
The `ChatMessageApi` (`POST /console/api/apps/{app_id}/chat-messages`) and 
`ModelConfigResource` (`POST /console/api/apps/{app_id}/model-config`) 
endpoints do not properly validate user permissions, allowing users without `editor` 
permission to access restricted functionality.

This PR addresses this issue by adding proper permission check.
This commit is contained in:
QuantumGhost 2025-09-11 14:53:35 +08:00 committed by GitHub
commit 874406d934
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
11 changed files with 298 additions and 31 deletions
Download patch file Download diff file Expand all files Collapse all files

2
api/controllers/console/app/workflow_draft_variable.py
View file

@ -137,7 +137,7 @@ def _api_prerequisite(f):
@get_app_model(mode=[AppMode.ADVANCED_CHAT, AppMode.WORKFLOW])
def wrapper(*args, **kwargs):
assert isinstance(current_user, Account)
if not current_user.is_editor:
if not current_user.has_edit_permission:
raise Forbidden()
return f(*args, **kwargs)