Fix: potential risk (#3515)

### What problem does this PR solve? ### Type of change - [x] Refactoring
2024-11-20 13:47:03 +08:00 · 2024-11-20 13:47:03 +08:00 · d02a2b131a
commit d02a2b131a
parent 81c7b6afc5
1 changed files with 25 additions and 0 deletions
--- a/api/apps/tenant_app.py
+++ b/api/apps/tenant_app.py
@ -17,6 +17,7 @@
 from flask import request
 from flask_login import login_required, current_user

+from api import settings
 from api.db import UserTenantRole, StatusEnum
 from api.db.db_models import UserTenant
 from api.db.services.user_service import UserTenantService, UserService
@ -28,6 +29,12 @@ from api.utils.api_utils import get_json_result, validate_request, server_error_
@manager.route("/<tenant_id>/user/list", methods=["GET"])
@login_required
 def user_list(tenant_id):
+    if current_user.id != tenant_id:
+        return get_json_result(
+            data=False,
+            message='No authorization.',
+            code=settings.RetCode.AUTHENTICATION_ERROR)
+
    try:
        users = UserTenantService.get_by_tenant_id(tenant_id)
        for u in users:
@ -41,6 +48,12 @@ def user_list(tenant_id):
@login_required
@validate_request("email")
 def create(tenant_id):
+    if current_user.id != tenant_id:
+        return get_json_result(
+            data=False,
+            message='No authorization.',
+            code=settings.RetCode.AUTHENTICATION_ERROR)
+
    req = request.json
    usrs = UserService.query(email=req["email"])
    if not usrs:
@ -70,6 +83,12 @@ def create(tenant_id):
@manager.route('/<tenant_id>/user/<user_id>', methods=['DELETE'])
@login_required
 def rm(tenant_id, user_id):
+    if current_user.id != tenant_id:
+        return get_json_result(
+            data=False,
+            message='No authorization.',
+            code=settings.RetCode.AUTHENTICATION_ERROR)
+
    try:
        UserTenantService.filter_delete([UserTenant.tenant_id == tenant_id, UserTenant.user_id == user_id])
        return get_json_result(data=True)
@ -92,6 +111,12 @@ def tenant_list():
@manager.route("/agree/<tenant_id>", methods=["PUT"])
@login_required
 def agree(tenant_id):
+    if current_user.id != tenant_id:
+        return get_json_result(
+            data=False,
+            message='No authorization.',
+            code=settings.RetCode.AUTHENTICATION_ERROR)
+
    try:
        UserTenantService.filter_update([UserTenant.tenant_id == tenant_id, UserTenant.user_id == current_user.id], {"role": UserTenantRole.NORMAL})
        return get_json_result(data=True)