dify/api/controllers
QuantumGhost 874406d934
security(api): fix privilege escalation vulnerability in model config and chat message APIs (#25518)
The `ChatMessageApi` (`POST /console/api/apps/{app_id}/chat-messages`) and 
`ModelConfigResource` (`POST /console/api/apps/{app_id}/model-config`) 
endpoints do not properly validate user permissions, allowing users without `editor` 
permission to access restricted functionality.

This PR addresses this issue by adding a proper permission check.
2025-09-11 14:53:35 +08:00
common feat: API docs for service api (#24425) 2025-08-25 09:26:54 +08:00
console security(api): fix privilege escalation vulnerability in model config and chat message APIs (#25518) 2025-09-11 14:53:35 +08:00
files refactor: Migrate part of the console basic API module to Flask-RESTX (#24732) 2025-09-10 12:15:47 +08:00
inner_api refactor: Migrate part of the console basic API module to Flask-RESTX (#24732) 2025-09-10 12:15:47 +08:00
mcp refactor: Migrate part of the console basic API module to Flask-RESTX (#24732) 2025-09-10 12:15:47 +08:00
service_api security(api): fix privilege escalation vulnerability in model config and chat message APIs (#25518) 2025-09-11 14:53:35 +08:00
web refactor: Migrate part of the console basic API module to Flask-RESTX (#24732) 2025-09-10 12:15:47 +08:00
__init__.py chore(api/controllers): Apply Ruff Formatter. (#7645) 2024-08-26 15:29:10 +08:00