
[BUG] - user needs to be checked when download a file from private collection

Open · mkhludnev opened this issue 1 year ago · 1 comment

Description

Let's challenge the same #199 concern for individual file download. I couldn't fairly reproduce it with gradio_client or curl, hence I just demonstrate a simple tab trick. Now the file access check in a private collection is conducted in file listing, but it should also be ensured in the download request.

Reproduction steps

  1. assume joeadmin has access to a file in the joeprivate collection and joedoe hasn't.
  2. after joeadmin got the file list:
  • we can logout and login in another tab
  • however it might be just a proper curl request with joedoe identity

Expect

joedoe can't download even if he has the file_list response and the file_id

Actual

the file is downloaded

Proposal

Check user_id in https://github.com/Cinnamon/kotaemon/blob/772186b6e5461e73045df87ab4cc7287b4ef35e6/libs/ktem/ktem/index/file/ui.py#L323

Screenshots

(Three screenshots attached, including "Screenshot from 2024-09-04 17-42-57"; images not reproduced here.)

Logs

SELECT index__9__source.id, index__9__source.name, index__9__source.path, index__9__source.size, index__9__source.date_created, index__9__source.user, index__9__source.note 
FROM index__9__source 
WHERE index__9__source.id = ?

Browsers

Firefox

OS

Linux

Additional information

No response

mkhludnev, Sep 04 '24 14:09
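A minimal model of the authorization gap this report describes, added here as an illustration and not code from kotaemon: the listing is scoped to the requesting user, but a download handler that looks a row up by `id` alone will serve any file whose id is known, so the owner check has to be repeated in the download path. The table layout follows the logged `index__N__source` query; the function names, the sample rows and the `user` column values are constructed for this example.

```python
import sqlite3

# Constructed in-memory stand-in for index__N__source (not real kotaemon data).
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE source (id TEXT PRIMARY KEY, name TEXT, path TEXT, user TEXT)"
    )
    conn.executemany("INSERT INTO source VALUES (?, ?, ?, ?)", [
        ("f-1", "secret.pdf", "/data/joeprivate/secret.pdf", "joeadmin"),
        ("f-2", "notes.txt", "/data/joedoe/notes.txt", "joedoe"),
    ])
    return conn

def list_files(conn: sqlite3.Connection, user_id: str) -> list[str]:
    # Listing is already filtered per user; this is the part the report says works.
    rows = conn.execute("SELECT id FROM source WHERE user = ?", (user_id,))
    return [r[0] for r in rows]

def download_unchecked(conn: sqlite3.Connection, file_id: str, user_id: str) -> str:
    # Vulnerable shape: the lookup keys on the file id only, user_id is never consulted,
    # so an id obtained from someone else's listing is enough to fetch the path.
    row = conn.execute("SELECT path FROM source WHERE id = ?", (file_id,)).fetchone()
    if row is None:
        raise FileNotFoundError(file_id)
    return row[0]

def download_checked(conn: sqlite3.Connection, file_id: str, user_id: str) -> str:
    # Hardened shape: ownership is part of the same query, so the row is returned
    # only if it belongs to the caller. A foreign id and a missing id are treated
    # identically, which also avoids confirming that another user's file exists.
    row = conn.execute(
        "SELECT path FROM source WHERE id = ? AND user = ?", (file_id, user_id)
    ).fetchone()
    if row is None:
        raise PermissionError(f"{user_id!r} may not download {file_id!r}")
    return row[0]

def can_download(conn: sqlite3.Connection, file_id: str, user_id: str) -> bool:
    # Convenience wrapper for the hardened handler, useful in tests and audits.
    try:
        download_checked(conn, file_id, user_id)
        return True
    except PermissionError:
        return False
```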

This is a valid issue. Working on a fix.

taprosoft, Sep 05 '24 01:09