
Commit 041fba4

fix: enforce ownership when reading ChatUI sessions (#9141)
1 parent b43cc6d commit 041fba4

2 files changed

Lines changed: 50 additions & 1 deletion


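--- a/astrbot/dashboard/services/chat_service.py
+++ b/astrbot/dashboard/services/chat_service.py
@@ -1196,7 +1196,11 @@ async def get_sessions_from_dashboard_query(
 
     async def get_session(self, username: str, session_id: str) -> dict:
         session = await self.db.get_platform_session_by_id(session_id)
-        platform_id = session.platform_id if session else "webchat"
+        if not session:
+            raise ChatServiceError(f"Session {session_id} not found")
+        if session.creator != username:
+            raise ChatServiceError("Permission denied")
+        platform_id = session.platform_id
 
         project_info = await self.db.get_project_by_session(
             session_id=session_id, creator=username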
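Review bot: The two new raises distinguish an unknown session id (`Session {session_id} not found`) from another user's session (`Permission denied`), so any authenticated dashboard user can probe whether an arbitrary session id exists; the ownership check closes the data leak but leaves an existence oracle. Unless the UI needs the distinction, collapse both into the same response, e.g. `if not session or session.creator != username: raise ChatServiceError(f"Session {session_id} not found")`, and adjust the new test's expected message to match. The `session.creator != username` comparison presumably assumes every stored session carries a creator; if legacy rows can have an empty creator they now become unreadable by everyone, which is worth confirming against the schema. `get_session` continues past the hunk, so whether every later lookup is also scoped by username cannot be confirmed here, though the visible `get_project_by_session` call does pass `creator=username`.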

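--- a/tests/test_dashboard.py
+++ b/tests/test_dashboard.py
@@ -2217,6 +2217,51 @@ async def _should_not_call_single_lookup(session_id: str):
     assert called["batch_lookup_count"] == 1
 
 
+@pytest.mark.asyncio
+@pytest.mark.parametrize(
+    "path_template",
+    [
+        "/api/chat/get_session?session_id={session_id}",
+        "/api/v1/chat/sessions/{session_id}",
+    ],
+)
+async def test_get_chat_session_rejects_session_owned_by_another_user(
+    app: FastAPIAppAdapter,
+    authenticated_header: dict,
+    core_lifecycle_td: AstrBotCoreLifecycle,
+    path_template: str,
+):
+    test_client = app.test_client()
+    session_id = f"foreign_get_session_{uuid.uuid4().hex[:8]}"
+    await core_lifecycle_td.db.create_platform_session(
+        creator="not_dashboard_user",
+        platform_id="webchat",
+        session_id=session_id,
+        display_name="Foreign Session",
+        is_group=0,
+    )
+    await core_lifecycle_td.platform_message_history_manager.insert(
+        platform_id="webchat",
+        user_id=session_id,
+        content={
+            "type": "user",
+            "message": [{"type": "text", "text": "foreign session secret"}],
+        },
+        sender_id="not_dashboard_user",
+        sender_name="not_dashboard_user",
+    )
+
+    response = await test_client.get(
+        path_template.format(session_id=session_id),
+        headers=authenticated_header,
+    )
+
+    assert response.status_code == 200
+    data = await response.get_json()
+    assert data["status"] == "error"
+    assert data["message"] == "Permission denied"
+
+
 @pytest.mark.asyncio
 async def test_plugins(
     app: FastAPIAppAdapter,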
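Review bot: The new test seeds a message containing `foreign session secret` but never asserts that this text is absent from the response, so a future regression that reports an error yet still attaches session data would pass; add `assert "foreign session secret" not in str(data)` after the final assertion. It also pins only the negative case: a companion case where the dashboard user reads their own session (status `ok`) would protect the fix from being over-tightened, and a case with a nonexistent id would document the distinct `not found` message the service now returns. The exact `Permission denied` string is asserted, so any change to the error-message wording in `chat_service.get_session` must update this test as well.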
