dify/api/tests/integration_tests
QuantumGhost 874406d934
security(api): fix privilege escalation vulnerability in model config and chat message APIs (#25518)
The `ChatMessageApi` (`POST /console/api/apps/{app_id}/chat-messages`) and 
`ModelConfigResource` (`POST /console/api/apps/{app_id}/model-config`) 
endpoints do not properly validate user permissions, allowing users without `editor` 
permission to access restricted functionality.

This PR addresses this issue by adding a proper permission check.
2025-09-11 14:53:35 +08:00
controllers/console security(api): fix privilege escalation vulnerability in model config and chat message APIs (#25518) 2025-09-11 14:53:35 +08:00
factories add more dataclass (#25039) 2025-09-06 03:20:13 +08:00
model_runtime/__mock remove bare list, dict, Sequence, None, Any (#25058) 2025-09-06 03:32:23 +08:00
plugin Typing test (#24651) 2025-08-28 09:36:39 +08:00
services orm filter -> where (#22801) 2025-07-24 00:57:45 +08:00
storage feat: Add Clickzetta Lakehouse vector database integration (#22551) 2025-08-07 14:21:46 +08:00
tasks feat(api): auto-delete WorkflowDraftVariable when app is deleted (#23737) 2025-08-13 11:13:08 +08:00
tools Typing test (#24651) 2025-08-28 09:36:39 +08:00
utils chore: apply flake8-pytest-style linter rules (#8307) 2024-09-12 18:09:16 +08:00
vdb remove bare list, dict, Sequence, None, Any (#25058) 2025-09-06 03:32:23 +08:00
workflow remove bare list, dict, Sequence, None, Any (#25058) 2025-09-06 03:32:23 +08:00
.env.example Revert "feat: email register refactor" (#25367) 2025-09-08 19:20:09 +08:00
.gitignore Enhance Code Consistency Across Repository with `.editorconfig` (#19023) 2025-04-29 18:04:33 +08:00
__init__.py feat: server multi models support (#799) 2023-08-12 00:57:00 +08:00
conftest.py remove bare list, dict, Sequence, None, Any (#25058) 2025-09-06 03:32:23 +08:00