-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security] Missing Authorization checks for multiple actions #2203
Comments
KevinHuSh
added a commit
that referenced
this issue
Sep 3, 2024
### What problem does this PR solve? Add Authorization checks #2203 ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Feiue <[email protected]> Co-authored-by: Kevin Hu <[email protected]>
KevinHuSh
pushed a commit
that referenced
this issue
Sep 3, 2024
### What problem does this PR solve? Add Authorization checks #2203 ### Type of change - [x] New Feature (non-breaking change which adds functionality) Co-authored-by: Feiue <[email protected]>
KevinHuSh
added a commit
that referenced
this issue
Sep 4, 2024
### What problem does this PR solve? Add Authorization checks #2203 ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Feiue <[email protected]> Co-authored-by: Kevin Hu <[email protected]>
Halfknow
pushed a commit
to Halfknow/ragflow
that referenced
this issue
Nov 11, 2024
### What problem does this PR solve? Add Authorization checks infiniflow#2203 ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Feiue <[email protected]> Co-authored-by: Kevin Hu <[email protected]>
Halfknow
pushed a commit
to Halfknow/ragflow
that referenced
this issue
Nov 11, 2024
### What problem does this PR solve? Add Authorization checks infiniflow#2203 ### Type of change - [x] New Feature (non-breaking change which adds functionality) Co-authored-by: Feiue <[email protected]>
Halfknow
pushed a commit
to Halfknow/ragflow
that referenced
this issue
Nov 11, 2024
### What problem does this PR solve? Add Authorization checks infiniflow#2203 ### Type of change - [x] New Feature (non-breaking change which adds functionality) --------- Co-authored-by: Feiue <[email protected]> Co-authored-by: Kevin Hu <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Branch name
main
Actual behavior
No authorization checks for the following actions.
Steps to reproduce
For viewing datasets:
Visit the following URL to view the dataset without authorization, http://demo.ragflow.io/knowledge/dataset?id=bb142eb2674211efbde742010a8a0003
For deleting canvas:
Login as any user, send a POST request to v1/canvas/rm with the ID of the canvas to delete.
The canvas will be deleted, even though you are not the user who created it or authorized.
Result
Unauthorized users can execute many critical actions for other users.
How to prevent?
Add authorization checks to all endpoints to validate the user who requested the action has the correct permissions.
The text was updated successfully, but these errors were encountered: