From 4d9e9f0dbb00233d32c3aa6c5706b1572fbd5fd9 Mon Sep 17 00:00:00 2001
From: LiuHua <10215101452@stu.ecnu.edu.cn>
Date: Tue, 3 Sep 2024 13:45:02 +0800
Subject: [PATCH] Add Authorization checks (#2209)
### What problem does this PR solve?
Add Authorization checks #2203
### Type of change
- [x] New Feature (non-breaking change which adds functionality)
---------
Co-authored-by: Feiue <10215101452@stu.ecun.edu.cn>
Co-authored-by: Kevin Hu
---
 api/apps/kb_app.py | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/api/apps/kb_app.py b/api/apps/kb_app.py
index 5072d14a9..6bbd02ee5 100644
--- a/api/apps/kb_app.py
+++ b/api/apps/kb_app.py
@@ -100,6 +100,15 @@ def update():
 def detail():
 kb_id = request.args["kb_id"]
 try:
+ tenants = TenantService.get_joined_tenants_by_user_id(current_user.id)
+ for m in tenants:
+ if KnowledgebaseService.query(
+ tenant_id=m["tenant_id"], id=kb_id):
+ break
+ else:
+ return get_json_result(
+ data=False, retmsg=f'Only owner of knowledgebase authorized for this operation.',
+ retcode=RetCode.OPERATING_ERROR)
 kb = KnowledgebaseService.get_detail(kb_id)
 if not kb:
 return get_data_error_result(
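Review bot: The new guard in `detail()` admits any user who belongs to a tenant holding the knowledge base, yet the rejection text says "Only owner of knowledgebase authorized for this operation."; decide which rule is intended and make the check and the message agree. This hunk does not show whether `TenantService.get_joined_tenants_by_user_id` also returns the caller's own tenant, so confirm that the knowledge base's owner is not rejected by the `for`/`else` path. The `f` prefix on the `retmsg` literal has no placeholders and can be dropped, and a one-line comment above the loop such as `# Reject unless kb_id belongs to a tenant the current user is a member of` would make the `for`/`else` intent explicit. Denials are returned as `RetCode.OPERATING_ERROR`, which clients and log-based alerting cannot tell apart from other operational failures; a dedicated permission code, if the project defines one, would be easier to handle and monitor. The body of `detail()` continues past the end of the hunk.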