From 60f8e93ee77d0fb8c4d62e6649ded993c818e3f2 Mon Sep 17 00:00:00 2001 From: Ido Shani Date: Sun, 3 May 2026 13:35:17 +0300 Subject: [PATCH 1/4] added check on tenant id Signed-off-by: xr843 <137012659+xr843@users.noreply.github.com> --- api/controllers/console/files.py | 3 ++- api/services/file_service.py | 8 ++++++-- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/api/controllers/console/files.py b/api/controllers/console/files.py index 109a3cd0d3..afaeeab192 100644 --- a/api/controllers/console/files.py +++ b/api/controllers/console/files.py @@ -105,7 +105,8 @@ class FilePreviewApi(Resource): @account_initialization_required def get(self, file_id): file_id = str(file_id) - text = FileService(db.engine).get_file_preview(file_id) + _, tenant_id = current_account_with_tenant() + text = FileService(db.engine).get_file_preview(file_id, tenant_id) return {"content": text} diff --git a/api/services/file_service.py b/api/services/file_service.py index f60afe2f19..b0319ac06a 100644 --- a/api/services/file_service.py +++ b/api/services/file_service.py @@ -173,12 +173,16 @@ class FileService: return upload_file - def get_file_preview(self, file_id: str): + def get_file_preview(self, file_id: str, tenant_id: str): """ Return a short text preview extracted from a document file. """ with self._session_maker(expire_on_commit=False) as session: - upload_file = session.scalar(select(UploadFile).where(UploadFile.id == file_id).limit(1)) + upload_file = session.scalar( + select(UploadFile) + .where(UploadFile.id == file_id, UploadFile.tenant_id == tenant_id) + .limit(1) + ) if not upload_file: raise NotFound("File not found") From 6ef7685f5c2a60931ce7faa8cc9a97f16caa8c16 Mon Sep 17 00:00:00 2001 From: Ido Shani Date: Sun, 3 May 2026 13:40:46 +0300 Subject: [PATCH 2/4] tests 
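Review bot: In `FilePreviewApi.get` the tenant id comes from `current_account_with_tenant()` and not from the request, which is what makes the new check meaningful, but nothing in the code records that. A comment above the call, such as `# tenant is taken from the authenticated session, never from request input`, would stop a later refactor from swapping in a caller-supplied value. The account half of the tuple is discarded (`_, tenant_id = ...`), so the preview is authorised per tenant, not per user. If every member of a tenant is meant to see every uploaded file, say so in that comment; otherwise an ownership check is still missing. The class and its decorators start outside the hunk.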
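Review bot: `get_file_preview` in `api/services/file_service.py` does not fail closed on an empty tenant, because SQLAlchemy renders `UploadFile.tenant_id == tenant_id` as `IS NULL` when `tenant_id` is `None` and would then match rows with no tenant. Whether `None` can reach this method is not visible in the hunk, but a guard at the top of the method is cheap: `if not tenant_id: raise NotFound("File not found")`. The docstring still reads as if the lookup were by id only. It should say that the query is tenant-scoped and that a file owned by another tenant raises the same `NotFound` as a missing one, so the response does not reveal whether the id exists. The method body continues past the end of the hunk.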
Signed-off-by: xr843 <137012659+xr843@users.noreply.github.com> --- .../services/test_file_service.py | 8 ++++---- api/tests/unit_tests/services/test_file_service.py | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/api/tests/test_containers_integration_tests/services/test_file_service.py b/api/tests/test_containers_integration_tests/services/test_file_service.py index 42dbdef1c9..4532005836 100644 --- a/api/tests/test_containers_integration_tests/services/test_file_service.py +++ b/api/tests/test_containers_integration_tests/services/test_file_service.py @@ -514,7 +514,7 @@ class TestFileService: db_session_with_containers.commit() - result = FileService(engine).get_file_preview(file_id=upload_file.id) + result = FileService(engine).get_file_preview(file_id=upload_file.id, tenant_id=upload_file.tenant_id) assert result == "extracted text content" mock_external_service_dependencies["extract_processor"].load_from_upload_file.assert_called_once() @@ -529,7 +529,7 @@ class TestFileService: non_existent_id = str(fake.uuid4()) with pytest.raises(NotFound, match="File not found"): - FileService(engine).get_file_preview(file_id=non_existent_id) + FileService(engine).get_file_preview(file_id=non_existent_id, tenant_id=str(fake.uuid4())) def test_get_file_preview_unsupported_file_type( self, db_session_with_containers: Session, engine, mock_external_service_dependencies @@ -549,7 +549,7 @@ class TestFileService: db_session_with_containers.commit() with pytest.raises(UnsupportedFileTypeError): - FileService(engine).get_file_preview(file_id=upload_file.id) + FileService(engine).get_file_preview(file_id=upload_file.id, tenant_id=upload_file.tenant_id) def test_get_file_preview_text_truncation( self, db_session_with_containers: Session, engine, mock_external_service_dependencies 
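Review bot: None of the updated tests covers the case this fix exists for, a file that is present but belongs to a different tenant. In the integration hunks at -514, -549 and -572 every call passes `tenant_id=upload_file.tenant_id`, and the not-found test at -529 uses an id that does not exist, so all four would pass with or without the new `tenant_id` filter. A test that persists an upload file and then calls `get_file_preview(file_id=upload_file.id, tenant_id=str(fake.uuid4()))` inside `pytest.raises(NotFound, match="File not found")` would pin the cross-tenant behaviour. The unit-test hunks in `api/tests/unit_tests/services/test_file_service.py` set `mock_db_session.scalar.return_value` directly, so the filter is never evaluated there and they cannot stand in for that test.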
@@ -572,7 +572,7 @@ class TestFileService: long_text = "x" * 5000 # Longer than PREVIEW_WORDS_LIMIT mock_external_service_dependencies["extract_processor"].load_from_upload_file.return_value = long_text - result = FileService(engine).get_file_preview(file_id=upload_file.id) + result = FileService(engine).get_file_preview(file_id=upload_file.id, tenant_id=upload_file.tenant_id) assert len(result) == 3000 # PREVIEW_WORDS_LIMIT assert result == "x" * 3000 diff --git a/api/tests/unit_tests/services/test_file_service.py b/api/tests/unit_tests/services/test_file_service.py index 8e1b22886b..69bd194a68 100644 --- a/api/tests/unit_tests/services/test_file_service.py +++ b/api/tests/unit_tests/services/test_file_service.py @@ -221,7 +221,7 @@ class TestFileService: mock_extract.return_value = "Extracted text content" # Execute - result = file_service.get_file_preview("file_id") + result = file_service.get_file_preview("file_id", "tenant_id") # Assert assert result == "Extracted text content" @@ -229,7 +229,7 @@ class TestFileService: def test_get_file_preview_not_found(self, file_service, mock_db_session): mock_db_session.scalar.return_value = None with pytest.raises(NotFound, match="File not found"): - file_service.get_file_preview("non_existent") + file_service.get_file_preview("non_existent", "tenant_id") def test_get_file_preview_unsupported_type(self, file_service, mock_db_session): upload_file = MagicMock(spec=UploadFile) @@ -237,7 +237,7 @@ class TestFileService: upload_file.extension = "exe" mock_db_session.scalar.return_value = upload_file with pytest.raises(UnsupportedFileTypeError): - file_service.get_file_preview("file_id") + file_service.get_file_preview("file_id", "tenant_id") def test_get_image_preview_success(self, file_service, mock_db_session): # Setup From 06fcde7298296950e78261aad752375a11ed71cd Mon Sep 17 00:00:00 2001 
From: "autofix-ci[bot]" <114827586+autofix-ci[bot]@users.noreply.github.com> Date: Tue, 5 May 2026 09:57:10 +0000 Subject: [PATCH 3/4] [autofix.ci] apply automated fixes --- api/services/file_service.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/api/services/file_service.py b/api/services/file_service.py index b0319ac06a..d2d7b6e7e7 100644 --- a/api/services/file_service.py +++ b/api/services/file_service.py @@ -179,9 +179,7 @@ class FileService: """ with self._session_maker(expire_on_commit=False) as session: upload_file = session.scalar( - select(UploadFile) - .where(UploadFile.id == file_id, UploadFile.tenant_id == tenant_id) - .limit(1) + select(UploadFile).where(UploadFile.id == file_id, UploadFile.tenant_id == tenant_id).limit(1) ) if not upload_file: From 61f13507829018ae61b8772ca77a4517766c1c00 Mon Sep 17 00:00:00 2001 From: xr843 <137012659+xr843@users.noreply.github.com> Date: Sat, 9 May 2026 12:38:20 +0800 Subject: [PATCH 4/4] test: stub current_account_with_tenant in FilePreviewApi test The tenant-scoping fix calls current_account_with_tenant() in FilePreviewApi.get, which hits flask-login and trips on a Flask app without login_manager configured. Reuse the existing mock_account_context fixture to short-circuit it. --- api/tests/unit_tests/controllers/console/test_files.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/api/tests/unit_tests/controllers/console/test_files.py b/api/tests/unit_tests/controllers/console/test_files.py index 5df9daa7f8..9acf68dfc3 100644 --- a/api/tests/unit_tests/controllers/console/test_files.py +++ b/api/tests/unit_tests/controllers/console/test_files.py @@ -278,7 +278,7 @@ class TestFileApiPost: class TestFilePreviewApi: - def test_get_preview(self, app, mock_file_service): + def test_get_preview(self, app, mock_account_context, mock_file_service): api = FilePreviewApi() get_method = unwrap(api.get) mock_file_service.get_file_preview.return_value = "preview text"
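Review bot: `test_get_preview` now requests `mock_account_context`, but as far as the hunk shows it only stubs `get_file_preview.return_value` and never checks that the controller forwards the tenant. An assertion after the call, `mock_file_service.get_file_preview.assert_called_once_with(file_id, tenant_id)`, using the file id the test passes and the tenant id the fixture supplies, would catch a regression where the tenant argument is dropped or replaced. The fixture's values and the rest of the test body are outside the hunk, so the exact arguments need to be taken from there.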