From 5344d73b797886ebc1bd8688e45fb4d14a4385d0 Mon Sep 17 00:00:00 2001
From: Octopus
Date: Fri, 3 Apr 2026 10:19:51 +0800
Subject: [PATCH 1/2] fix: return 401 in getAllPermissions when user is not authenticated (fixes #6105)

When GET /api/v1/auth/resolve is called without authentication, the request is whitelisted (passthrough) and matches the GET /api/v1/auth/:type route with type='resolve'. This calls getAllPermissions() where req.user is undefined, causing a 500 error: 'Cannot read properties of undefined (reading isOrganizationAdmin)'. Add an early guard to return 401 Unauthorized if no user is present, preventing the crash and returning a proper error response.
---
 packages/server/src/enterprise/controllers/auth/index.ts | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/packages/server/src/enterprise/controllers/auth/index.ts b/packages/server/src/enterprise/controllers/auth/index.ts
index bf1c742e99b..8fae291c1a5 100644
--- a/packages/server/src/enterprise/controllers/auth/index.ts
+++ b/packages/server/src/enterprise/controllers/auth/index.ts
@@ -11,6 +11,10 @@ const getAllPermissions = async (req: Request, res: Response, next: NextFunction
 const allPermissions = appServer.identityManager.getPermissions().toJSON()
 const user = req.user as LoggedInUser
+ if (!user) {
+ return res.status(StatusCodes.UNAUTHORIZED).json({ message: 'Unauthorized' })
+ }
+
 let permissions: { [key: string]: { key: string; value: string }[] } = allPermissions
 // Mapping of feature flags to permission prefixes

From e37bfbe1687e73115a6df008061a713caf1be9b8 Mon Sep 17 00:00:00 2001
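Review bot: The added `if (!user)` guard stops the crash, but the controller is still reached without authentication: per the commit message, `/api/v1/auth/resolve` is whitelisted and falls through to `GET /api/v1/auth/:type`, so access control for this endpoint now depends on a check inside the handler rather than on the route or middleware. Any other handler reachable through the same whitelist match would need its own guard, so it would be safer to also make the whitelist entry match only the intended route (that code is not visible here) and keep this check as defence in depth. The cast on the line above hides the undefined case from the compiler; `const user = req.user as LoggedInUser | undefined` would turn a missing guard into a type error. `getPermissions().toJSON()` still runs before the guard, so the check could move above it. The body of `getAllPermissions` starts and ends outside the hunk.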
From: Octopus
Date: Sat, 4 Apr 2026 11:06:36 +0800
Subject: [PATCH 2/2] fix: restore file upload override when 'file' param is enabled (fixes #6102)

Commit c8282c97 removed the special case that allowed FILE-STORAGE:: values to bypass override permission checks. This broke API file uploads because users enable the 'file' parameter for override in the UI, but the server maps uploaded files to type-specific keys ('txtFile', 'pdfFile', etc.) which were then blocked. Fix: When a FILE-STORAGE:: value is blocked by the specific-param check, also allow it if the generic 'file' parameter is enabled for that node. This restores file upload functionality without reintroducing the original security bypass. Also fix a copy-paste bug in both upsertVector.ts and buildChatflow.ts where the mime-type fallback branch incorrectly used fileInputFieldFromExt instead of fileInputFieldFromMimeType.
---
 packages/server/src/utils/buildChatflow.ts | 2 +-
 packages/server/src/utils/index.ts | 12 ++++++++++--
 packages/server/src/utils/upsertVector.ts | 2 +-
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/packages/server/src/utils/buildChatflow.ts b/packages/server/src/utils/buildChatflow.ts
index c54c009c43a..02cd62ab205 100644
--- a/packages/server/src/utils/buildChatflow.ts
+++ b/packages/server/src/utils/buildChatflow.ts
@@ -448,7 +448,7 @@ export const executeFlow = async ({
 if (fileInputFieldFromExt !== 'txtFile') {
 fileInputField = fileInputFieldFromExt
 } else if (fileInputFieldFromMimeType !== 'txtFile') {
- fileInputField = fileInputFieldFromExt
+ fileInputField = fileInputFieldFromMimeType
 }
 if (overrideConfig[fileInputField]) {
diff --git a/packages/server/src/utils/index.ts b/packages/server/src/utils/index.ts
index 7ea3adbfd8e..9158d66cb77 100644
--- a/packages/server/src/utils/index.ts
+++ b/packages/server/src/utils/index.ts
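Review bot: This extension/MIME fallback block is duplicated verbatim in `executeUpsert` (the `upsertVector.ts` hunk at `@@ -96,7 +96,7 @@`), which is how the same copy-paste slip landed in both files; moving the field selection into one shared helper would keep the two paths from drifting again. Neither hunk adds a test, so a case where the extension maps to `txtFile` but the MIME type maps to another field is worth covering. If `fileInputFieldFromExt` and `fileInputFieldFromMimeType` come from the uploaded file's name and declared content type (not visible here), both are caller-supplied, and after this fix the declared MIME type really does pick which field of `overrideConfig` is written; a comment such as `// field chosen from client-declared name/MIME type, not from file content` would make that explicit. Both enclosing functions start and end outside the hunks.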
@@ -1187,9 +1187,17 @@ export const replaceInputsWithConfig = (
 continue
 }
 } else {
+ // For FILE-STORAGE:: values (uploaded files mapped to txtFile, pdfFile, etc.),
+ // also allow override if the generic 'file' parameter is enabled for the node.
+ // This handles the case where users enable the 'file' input for override in the UI,
+ // which should also permit the server-side file-type fields to be applied.
+ const isFileStorageValue =
+ typeof overrideConfig[config] === 'string' && overrideConfig[config].includes('FILE-STORAGE::')
 if (!isParameterEnabled(flowNodeData.label, config)) {
- // Only proceed if the parameter is enabled
- continue
+ if (!(isFileStorageValue && isParameterEnabled(flowNodeData.label, 'file'))) {
+ // Only proceed if the parameter is enabled
+ continue
+ }
 }
 }
diff --git a/packages/server/src/utils/upsertVector.ts b/packages/server/src/utils/upsertVector.ts
index b7c17b45dcf..04e26e3bdf8 100644
--- a/packages/server/src/utils/upsertVector.ts
+++ b/packages/server/src/utils/upsertVector.ts
@@ -96,7 +96,7 @@ export const executeUpsert = async ({
 if (fileInputFieldFromExt !== 'txtFile') {
 fileInputField = fileInputFieldFromExt
 } else if (fileInputFieldFromMimeType !== 'txtFile') {
- fileInputField = fileInputFieldFromExt
+ fileInputField = fileInputFieldFromMimeType
 }
 if (overrideConfig[fileInputField]) {
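Review bot: `isFileStorageValue` is decided from the content of the override value itself and is not tied to the file-type keys, so once 'file' is enabled for a node, any parameter whose string value merely contains `FILE-STORAGE::` skips the per-parameter `isParameterEnabled(flowNodeData.label, config)` check. If `overrideConfig` can carry caller-supplied values at this point (not visible in the hunk), that is broader than the commit message's "without reintroducing the original security bypass" suggests. I would anchor the marker with `overrideConfig[config].startsWith('FILE-STORAGE::')` (assuming stored values always begin with it) and also require `config` to be one of the file input fields the upload path writes (`txtFile`, `pdfFile`, …), ideally taken from a server-side record of which keys the upload populated rather than from the value. The nested `if` can then collapse into a single condition, and a test asserting that a non-file parameter carrying the marker is still skipped would pin the behaviour. `replaceInputsWithConfig` starts and ends outside the hunk.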