fix child-chunk ownership validation (#24374)

Signed-off-by: kenwoodjw <blackxin55+@gmail.com>
2025-08-23 20:17:44 +08:00
parent e64ff77852
commit 8a348bea21
2 changed files with 28 additions and 2 deletions
--- a/api/controllers/console/datasets/datasets_segments.py
+++ b/api/controllers/console/datasets/datasets_segments.py
@@ -584,7 +584,12 @@ class ChildChunkUpdateApi(Resource):
        child_chunk_id = str(child_chunk_id)
        child_chunk = (
            db.session.query(ChildChunk)
-            .where(ChildChunk.id == str(child_chunk_id), ChildChunk.tenant_id == current_user.current_tenant_id)
+            .where(
+                ChildChunk.id == str(child_chunk_id),
+                ChildChunk.tenant_id == current_user.current_tenant_id,
+                ChildChunk.segment_id == segment.id,
+                ChildChunk.document_id == document_id,
+            )
            .first()
        )
        if not child_chunk:
@@ -633,7 +638,12 @@ class ChildChunkUpdateApi(Resource):
        child_chunk_id = str(child_chunk_id)
        child_chunk = (
            db.session.query(ChildChunk)
-            .where(ChildChunk.id == str(child_chunk_id), ChildChunk.tenant_id == current_user.current_tenant_id)
+            .where(
+                ChildChunk.id == str(child_chunk_id),
+                ChildChunk.tenant_id == current_user.current_tenant_id,
+                ChildChunk.segment_id == segment.id,
+                ChildChunk.document_id == document_id,
+            )
            .first()
        )
        if not child_chunk:
--- a/api/controllers/service_api/dataset/segment.py
+++ b/api/controllers/service_api/dataset/segment.py
@@ -359,6 +359,10 @@ class DatasetChildChunkApi(DatasetApiResource):
        if not segment:
            raise NotFound("Segment not found.")

+        # validate segment belongs to the specified document
+        if segment.document_id != document_id:
+            raise NotFound("Document not found.")
+
        # check child chunk
        child_chunk_id = str(child_chunk_id)
        child_chunk = SegmentService.get_child_chunk_by_id(
@@ -367,6 +371,10 @@ class DatasetChildChunkApi(DatasetApiResource):
        if not child_chunk:
            raise NotFound("Child chunk not found.")

+        # validate child chunk belongs to the specified segment
+        if child_chunk.segment_id != segment.id:
+            raise NotFound("Child chunk not found.")
+
        try:
            SegmentService.delete_child_chunk(child_chunk, dataset)
        except ChildChunkDeleteIndexServiceError as e:
@@ -396,6 +404,10 @@ class DatasetChildChunkApi(DatasetApiResource):
        if not segment:
            raise NotFound("Segment not found.")

+        # validate segment belongs to the specified document
+        if segment.document_id != document_id:
+            raise NotFound("Segment not found.")
+
        # get child chunk
        child_chunk = SegmentService.get_child_chunk_by_id(
            child_chunk_id=child_chunk_id, tenant_id=current_user.current_tenant_id
@@ -403,6 +415,10 @@ class DatasetChildChunkApi(DatasetApiResource):
        if not child_chunk:
            raise NotFound("Child chunk not found.")

+        # validate child chunk belongs to the specified segment
+        if child_chunk.segment_id != segment.id:
+            raise NotFound("Child chunk not found.")
+
        # validate args
        parser = reqparse.RequestParser()
        parser.add_argument("content", type=str, required=True, nullable=False, location="json")