From 60f8e93ee77d0fb8c4d62e6649ded993c818e3f2 Mon Sep 17 00:00:00 2001
From: Ido Shani
Date: Sun, 3 May 2026 13:35:17 +0300
Subject: [PATCH] added check on tenant id
Signed-off-by: xr843 <137012659+xr843@users.noreply.github.com>
---
 api/controllers/console/files.py | 3 ++-
 api/services/file_service.py | 8 ++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/api/controllers/console/files.py b/api/controllers/console/files.py
index 109a3cd0d3..afaeeab192 100644
--- a/api/controllers/console/files.py
+++ b/api/controllers/console/files.py
@@ -105,7 +105,8 @@ class FilePreviewApi(Resource):
 @account_initialization_required
 def get(self, file_id):
 file_id = str(file_id)
- text = FileService(db.engine).get_file_preview(file_id)
+ _, tenant_id = current_account_with_tenant()
+ text = FileService(db.engine).get_file_preview(file_id, tenant_id)
 return {"content": text}
diff --git a/api/services/file_service.py b/api/services/file_service.py
index f60afe2f19..b0319ac06a 100644
--- a/api/services/file_service.py
+++ b/api/services/file_service.py
@@ -173,12 +173,16 @@ class FileService:
 return upload_file
- def get_file_preview(self, file_id: str):
+ def get_file_preview(self, file_id: str, tenant_id: str):
 """
 Return a short text preview extracted from a document file.
 """
 with self._session_maker(expire_on_commit=False) as session:
- upload_file = session.scalar(select(UploadFile).where(UploadFile.id == file_id).limit(1))
+ upload_file = session.scalar(
+ select(UploadFile)
+ .where(UploadFile.id == file_id, UploadFile.tenant_id == tenant_id)
+ .limit(1)
+ )
 if not upload_file:
 raise NotFound("File not found")
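Review bot: `current_account_with_tenant()` is called in `FilePreviewApi.get`, but the diffstat shows only these three changed lines in `api/controllers/console/files.py`, so no import was added; confirm the name is already imported in this module, otherwise the endpoint raises `NameError` on every request. The authorization check itself has no comment, and a one-liner above the call would record the intent, for example `# Scope the lookup to the caller's tenant so file ids from other workspaces resolve to 404`. No test accompanies the fix; a regression test that requests a preview with a file id owned by a different tenant and expects 404 would keep this check from being dropped later. The class and the decorators on `get` start outside the hunk.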
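Review bot: The added `UploadFile.tenant_id == tenant_id` filter in `get_file_preview` assumes the caller always passes a real tenant id; in SQLAlchemy a comparison with `None` compiles to `IS NULL`, so a missing tenant would turn into a match on rows without a tenant instead of an outright rejection. A guard before the query keeps the lookup fail-closed regardless of the column's nullability: `if not tenant_id: raise NotFound("File not found")`. The docstring still describes only the preview; it should say that the file is looked up within `tenant_id` and that a file owned by another tenant raises the same `NotFound` as a missing one, so callers cannot tell the two cases apart. The method body continues past the end of the hunk, and any other caller of `get_file_preview` (not visible here) must now pass the tenant explicitly.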