From 16b98ea4da1d983b91e75071b730603fa9192d47 Mon Sep 17 00:00:00 2001
From: xr843 <137012659+xr843@users.noreply.github.com>
Date: Tue, 5 May 2026 17:49:34 +0800
Subject: [PATCH] fix(security): also tenant-scope /apps//trace AppTraceApi
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The AppTraceApi GET/POST endpoints in app.py have the same missing-
tenant-check bug as ops_trace.py, on the same advisory. Apply the same @get_app_model decorator pattern here too.

Bundled into this PR per zafido's draft patch — same advisory, same bug class, same fix pattern.

Refs: GHSA-48xc-wmw8-3jr3
Co-Authored-By: Ido Shani
---
 api/controllers/console/app/app.py | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/api/controllers/console/app/app.py b/api/controllers/console/app/app.py
index 58ed6efc14..05b8aeceaa 100644
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@@ -840,10 +840,11 @@ class AppTraceApi(Resource):
     @setup_required
     @login_required
     @account_initialization_required
-    def get(self, app_id):
+    @get_app_model
+    def get(self, app_model):
         """Get app trace"""
         with session_factory.create_session() as session:
-            app_trace_config = OpsTraceManager.get_app_tracing_config(app_id, session)
+            app_trace_config = OpsTraceManager.get_app_tracing_config(app_model.id, session)
         return app_trace_config
 
 
@@ -857,12 +858,13 @@ class AppTraceApi(Resource):
     @login_required
     @account_initialization_required
     @edit_permission_required
-    def post(self, app_id):
+    @get_app_model
+    def post(self, app_model):
         # add app trace
         args = AppTracePayload.model_validate(console_ns.payload)
         OpsTraceManager.update_app_tracing_config(
-            app_id=app_id,
+            app_id=app_model.id,
             enabled=args.enabled,
             tracing_provider=args.tracing_provider,
         )
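Review bot: Neither hunk adds a regression test pinning the tenant boundary this fix restores: a request to the trace endpoint with an app_id owned by another tenant should be rejected for both `get` and `post`, and the commit message itself says the same check was already missing in two places, so a test is what keeps it from being dropped again. The patch shows `@get_app_model` replacing the raw `app_id` parameter with `app_model`, but that the decorator enforces the tenant check is inferred from the commit message rather than visible here, so the test should assert the cross-tenant case directly instead of the decorator's presence. The `get` docstring could also record the contract: `"""Get app trace config. The app is resolved by @get_app_model, so only apps of the current tenant are reachable."""`. The same applies to `post` in the second hunk, whose body continues past the closing `)` outside the hunk.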