From ac41151571ad1dfb29d67d0375c415f02b857896 Mon Sep 17 00:00:00 2001
From: QuantumGhost
Date: Fri, 5 Sep 2025 16:17:47 +0800
Subject: [PATCH 1/2] chore(api): remove unused installed_plugins.jsonl
---
 api/installed_plugins.jsonl | 1 -
 1 file changed, 1 deletion(-)
 delete mode 100644 api/installed_plugins.jsonl
diff --git a/api/installed_plugins.jsonl b/api/installed_plugins.jsonl
deleted file mode 100644
index 463e24ae64..0000000000
--- a/api/installed_plugins.jsonl
+++ /dev/null
@@ -1 +0,0 @@
-{"not_installed": [], "plugin_install_failed": []}
\ No newline at end of file
From 32a1a61d65a1eec65a6b4f6ebaf0659107dd3c7c Mon Sep 17 00:00:00 2001
From: QuantumGhost
Date: Fri, 12 Sep 2025 17:07:26 +0800
Subject: [PATCH 2/2] security(api): enforce privilege validation for dataset-to-pipeline transformation The transformation from classic dataset to knowledge pipeline represents an irreversible write operation that permanently alters the dataset structure. To prevent unauthorized modifications, this change implements strict privilege validation in `RagPipelineTransformApi`. Only users with editor privileges or dataset operator roles are authorized to execute this transformation, ensuring proper access control for this critical operation.
---
 .../console/datasets/rag_pipeline/rag_pipeline_workflow.py | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py b/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py
index 964de0a863..c70343ec95 100644
--- a/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py
+++ b/api/controllers/console/datasets/rag_pipeline/rag_pipeline_workflow.py
@@ -950,6 +950,12 @@ class RagPipelineTransformApi(Resource):
 @login_required
 @account_initialization_required
 def post(self, dataset_id):
+ if not isinstance(current_user, Account):
+ raise Forbidden()
+
+ if not (current_user.is_editor or current_user.is_dataset_operator):
+ raise Forbidden()
+
 dataset_id = str(dataset_id)
 rag_pipeline_transform_service = RagPipelineTransformService()
 result = rag_pipeline_transform_service.transform_dataset(dataset_id)
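Review bot: The guard added at the top of `post` checks only the caller's role (`is_editor` / `is_dataset_operator`), not whether the caller may act on the specific `dataset_id` passed in the URL. The commit message calls the transformation irreversible, so the object-level decision now rests entirely on `transform_dataset`, whose body is not visible in this hunk. If that service does not already restrict the dataset lookup to the caller's tenant and per-dataset permissions, the handler should load the dataset and verify that before calling it. At minimum, record the assumption next to the role check, e.g. `# Role check only: tenant and per-dataset authorization must be enforced by transform_dataset()`. The commit touches one file and adds no test, so a case asserting 403 for a non-editor account would pin the new behaviour. The class header and the rest of `post` lie outside the hunk.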