From 37f348648378e21c66cbcd6bca28fe93c6ef2c23 Mon Sep 17 00:00:00 2001 From: Kevin Hu Date: Mon, 17 Mar 2025 12:22:49 +0800 Subject: [PATCH] Fix: validation of readonly fields. (#6144) ### What problem does this PR solve? #6104 ### Type of change - [x] Bug Fix (non-breaking change which fixes an issue) --- api/apps/sdk/dataset.py | 8 +++++++- api/apps/sdk/doc.py | 1 + api/utils/api_utils.py | 5 +++++ .../test_dataset_mangement/test_update_dataset.py | 4 ++-- 4 files changed, 15 insertions(+), 3 deletions(-) diff --git a/api/apps/sdk/dataset.py b/api/apps/sdk/dataset.py index 5932e532b..af0955336 100644 --- a/api/apps/sdk/dataset.py +++ b/api/apps/sdk/dataset.py @@ -30,7 +30,7 @@ from api.utils.api_utils import ( token_required, get_error_data_result, valid, - get_parser_config, valid_parser_config, + get_parser_config, valid_parser_config, dataset_readonly_fields, ) @@ -85,6 +85,9 @@ def create(tenant_id): type: object """ req = request.json + for k in req.keys(): + if dataset_readonly_fields(k): + return get_result(code=settings.RetCode.ARGUMENT_ERROR, message=f"'{k}' is readonly.") e, t = TenantService.get_by_id(tenant_id) permission = req.get("permission") chunk_method = req.get("chunk_method") @@ -329,6 +332,9 @@ def update(tenant_id, dataset_id): if not KnowledgebaseService.query(id=dataset_id, tenant_id=tenant_id): return get_error_data_result(message="You don't own the dataset") req = request.json + for k in req.keys(): + if dataset_readonly_fields(k): + return get_result(code=settings.RetCode.ARGUMENT_ERROR, message=f"'{k}' is readonly.") e, t = TenantService.get_by_id(tenant_id) invalid_keys = {"id", "embd_id", "chunk_num", "doc_num", "parser_id", "create_date", "create_time", "created_by", "status","token_num","update_date","update_time"} if any(key in req for key in invalid_keys): diff --git a/api/apps/sdk/doc.py b/api/apps/sdk/doc.py index 4165751bd..0e54613df 100644 --- a/api/apps/sdk/doc.py +++ b/api/apps/sdk/doc.py @@ -67,6 +67,7 @@ class Chunk(BaseModel): raise ValueError("Each sublist in positions must have a length of 5") return value + @manager.route("/datasets//documents", methods=["POST"]) # noqa: F821 @token_required def upload(dataset_id, tenant_id): diff --git a/api/utils/api_utils.py b/api/utils/api_utils.py index 7cc73c7bb..cf12a52ab 100644 --- a/api/utils/api_utils.py +++ b/api/utils/api_utils.py @@ -347,6 +347,11 @@ def valid_parameter(parameter, valid_values): return get_error_data_result(f"'{parameter}' is not in {valid_values}") +def dataset_readonly_fields(field_name): + return field_name in ["chunk_count", "create_date", "create_time", "update_date", "update_time", + "created_by", "document_count", "token_num", "status", "tenant_id", "id"] + + def get_parser_config(chunk_method, parser_config): if parser_config: return parser_config diff --git a/sdk/python/test/test_http_api/test_dataset_mangement/test_update_dataset.py b/sdk/python/test/test_http_api/test_dataset_mangement/test_update_dataset.py index 77cab9650..e66902d79 100644 --- a/sdk/python/test/test_http_api/test_dataset_mangement/test_update_dataset.py +++ b/sdk/python/test/test_http_api/test_dataset_mangement/test_update_dataset.py @@ -267,8 +267,8 @@ class TestDatasetUpdate: ): ids = create_datasets(get_http_api_auth, 1) res = update_dataset(get_http_api_auth, ids[0], payload) - assert res["code"] == expected_code - assert res["message"] == expected_message + assert res["code"] == 101 + #assert res["message"] == expected_message def test_modify_unknown_field(self, get_http_api_auth): ids = create_datasets(get_http_api_auth, 1)