security(api): enforce privilege validation for dataset-to-pipeline transformation (#25603)

The transformation from classic dataset to knowledge pipeline represents an irreversible write operation that permanently alters the dataset structure. To prevent unauthorized modifications, this change implements strict privilege validation in RagPipelineTransformApi. Only users with editor privileges or dataset operator roles are authorized to execute this transformation, ensuring proper access control for this critical operation.
2025-09-12 17:12:06 +08:00 · 2025-09-12 17:12:06 +08:00 · c51cedff7e
parent c2ad68d59a 32a1a61d65
commit c51cedff7e
2 changed files with 6 additions and 1 deletions
--- a/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py
+++ b/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py
@ -950,6 +950,12 @@ class RagPipelineTransformApi(Resource):
    @login_required
    @account_initialization_required
    def post(self, dataset_id):
+        if not isinstance(current_user, Account):
+            raise Forbidden()
+
+        if not (current_user.is_editor or current_user.is_dataset_operator):
+            raise Forbidden()
+
        dataset_id = str(dataset_id)
        rag_pipeline_transform_service = RagPipelineTransformService()
        result = rag_pipeline_transform_service.transform_dataset(dataset_id)
--- a/api/installed_plugins.jsonl
+++ b/api/installed_plugins.jsonl
@ -1 +0,0 @@
-{"not_installed": [], "plugin_install_failed": []}
				`@ -1 +0,0 @@`
				`{"not_installed": [], "plugin_install_failed": []}`