From 580297e29038b5b4b805e38df153b1e9575a1533 Mon Sep 17 00:00:00 2001
From: Joe <79627742+ZhouhaoJiang@users.noreply.github.com>
Date: Wed, 18 Dec 2024 11:02:40 +0800
Subject: [PATCH] fix: file upload auth (#11774)

---
 api/controllers/console/files.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/api/controllers/console/files.py b/api/controllers/console/files.py
index 946d3db37f..ca32d29efa 100644
--- a/api/controllers/console/files.py
+++ b/api/controllers/console/files.py
@@ -1,6 +1,7 @@
 from flask import request
 from flask_login import current_user
 from flask_restful import Resource, marshal_with
+from werkzeug.exceptions import Forbidden
 
 import services
 from configs import dify_config
@@ -58,6 +59,9 @@ class FileApi(Resource):
         if not file.filename:
             raise FilenameNotExistsError
 
+        if source == "datasets" and not current_user.is_dataset_editor:
+            raise Forbidden()
+
         if source not in ("datasets", None):
             source = None