security(api): enforce privilege validation for dataset-to-pipeline transformation

The transformation from classic dataset to knowledge pipeline represents an irreversible
write operation that permanently alters the dataset structure. To prevent unauthorized
modifications, this change implements strict privilege validation in `RagPipelineTransformApi`.

Only users with editor privileges or dataset operator roles are authorized to execute
this transformation, ensuring proper access control for this critical operation.
QuantumGhost 2025-09-12 17:07:26 +08:00
parent ac41151571
commit 32a1a61d65
1 changed files with 6 additions and 0 deletions

@ -950,6 +950,12 @@ class RagPipelineTransformApi(Resource):
@login_required
@account_initialization_required
def post(self, dataset_id):
if not isinstance(current_user, Account):
raise Forbidden()
if not (current_user.is_editor or current_user.is_dataset_operator):
raise Forbidden()
dataset_id = str(dataset_id)
rag_pipeline_transform_service = RagPipelineTransformService()
result = rag_pipeline_transform_service.transform_dataset(dataset_id)
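
Review bot: The new guard at the top of `post()` is role-level only: nothing in the visible lines ties `current_user` to the dataset named by `dataset_id`, and `transform_dataset(dataset_id)` is called with no user or tenant context. Since the commit message describes the transformation as irreversible, please confirm that the service rejects datasets outside the caller's tenant and datasets the caller has no permission on, or load the dataset and check that before the call. The two `raise Forbidden()` branches could also be merged into one condition, and because only one file changes, a test asserting that an account that is neither editor nor dataset operator gets a 403 from this endpoint would help keep the check from regressing.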