@@ -62,7 +62,7 @@ def canvas_list():
6262@login_required
6363def rm ():
6464 for i in request .json ["canvas_ids" ]:
65- if not UserCanvasService .query ( user_id = current_user .id , id = i ):
65+ if not UserCanvasService .accessible ( i , current_user .id ):
6666 return get_json_result (
6767 data = False , message = 'Only owner of canvas authorized for this operation.' ,
6868 code = RetCode .OPERATING_ERROR )
@@ -86,7 +86,7 @@ def save():
8686 if not UserCanvasService .save (** req ):
8787 return get_data_error_result (message = "Fail to save canvas." )
8888 else :
89- if not UserCanvasService .query ( user_id = current_user . id , id = req ["id" ]):
89+ if not UserCanvasService .accessible ( req ["id" ], current_user . id ):
9090 return get_json_result (
9191 data = False , message = 'Only owner of canvas authorized for this operation.' ,
9292 code = RetCode .OPERATING_ERROR )
@@ -100,10 +100,9 @@ def save():
100100@manager .route ('/get/<canvas_id>' , methods = ['GET' ]) # noqa: F821
101101@login_required
102102def get (canvas_id ):
103- e , c = UserCanvasService .get_by_tenant_id (canvas_id )
104- tids = [t .tenant_id for t in UserTenantService .query (user_id = current_user .id )]
105- if not e or (c ["user_id" ] != current_user .id and c ["user_id" ] not in tids ):
103+ if not UserCanvasService .accessible (canvas_id , current_user .id ):
106104 return get_data_error_result (message = "canvas not found." )
105+ e , c = UserCanvasService .get_by_tenant_id (canvas_id )
107106 return get_json_result (data = c )
108107
109108
@@ -132,14 +131,15 @@ def run():
132131 files = req .get ("files" , [])
133132 inputs = req .get ("inputs" , {})
134133 user_id = req .get ("user_id" , current_user .id )
135- e , cvs = UserCanvasService .get_by_id (req ["id" ])
136- if not e :
137- return get_data_error_result (message = "canvas not found." )
138- if not UserCanvasService .query (user_id = current_user .id , id = req ["id" ]):
134+ if not UserCanvasService .accessible (req ["id" ], current_user .id ):
139135 return get_json_result (
140136 data = False , message = 'Only owner of canvas authorized for this operation.' ,
141137 code = RetCode .OPERATING_ERROR )
142138
139+ e , cvs = UserCanvasService .get_by_id (req ["id" ])
140+ if not e :
141+ return get_data_error_result (message = "canvas not found." )
142+
143143 if not isinstance (cvs .dsl , str ):
144144 cvs .dsl = json .dumps (cvs .dsl , ensure_ascii = False )
145145
@@ -173,14 +173,14 @@ def sse():
173173@login_required
174174def reset ():
175175 req = request .json
176+ if not UserCanvasService .accessible (req ["id" ], current_user .id ):
177+ return get_json_result (
178+ data = False , message = 'Only owner of canvas authorized for this operation.' ,
179+ code = RetCode .OPERATING_ERROR )
176180 try :
177181 e , user_canvas = UserCanvasService .get_by_id (req ["id" ])
178182 if not e :
179183 return get_data_error_result (message = "canvas not found." )
180- if not UserCanvasService .query (user_id = current_user .id , id = req ["id" ]):
181- return get_json_result (
182- data = False , message = 'Only owner of canvas authorized for this operation.' ,
183- code = RetCode .OPERATING_ERROR )
184184
185185 canvas = Canvas (json .dumps (user_canvas .dsl ), current_user .id )
186186 canvas .reset ()
@@ -291,15 +291,12 @@ def input_form():
291291@login_required
292292def debug ():
293293 req = request .json
294+ if not UserCanvasService .accessible (req ["id" ], current_user .id ):
295+ return get_json_result (
296+ data = False , message = 'Only owner of canvas authorized for this operation.' ,
297+ code = RetCode .OPERATING_ERROR )
294298 try :
295299 e , user_canvas = UserCanvasService .get_by_id (req ["id" ])
296- if not e :
297- return get_data_error_result (message = "canvas not found." )
298- if not UserCanvasService .query (user_id = current_user .id , id = req ["id" ]):
299- return get_json_result (
300- data = False , message = 'Only owner of canvas authorized for this operation.' ,
301- code = RetCode .OPERATING_ERROR )
302-
303300 canvas = Canvas (json .dumps (user_canvas .dsl ), current_user .id )
304301 canvas .reset ()
305302 canvas .message_id = get_uuid ()
@@ -405,6 +402,12 @@ def list_kbs():
405402def setting ():
406403 req = request .json
407404 req ["user_id" ] = current_user .id
405+
406+ if not UserCanvasService .accessible (req ["id" ], current_user .id ):
407+ return get_json_result (
408+ data = False , message = 'Only owner of canvas authorized for this operation.' ,
409+ code = RetCode .OPERATING_ERROR )
410+
408411 e ,flow = UserCanvasService .get_by_id (req ["id" ])
409412 if not e :
410413 return get_data_error_result (message = "canvas not found." )
@@ -416,10 +419,7 @@ def setting():
416419 flow ["permission" ] = req ["permission" ]
417420 if req ["avatar" ]:
418421 flow ["avatar" ] = req ["avatar" ]
419- if not UserCanvasService .query (user_id = current_user .id , id = req ["id" ]):
420- return get_json_result (
421- data = False , message = 'Only owner of canvas authorized for this operation.' ,
422- code = RetCode .OPERATING_ERROR )
422+
423423 num = UserCanvasService .update_by_id (req ["id" ], flow )
424424 return get_json_result (data = num )
425425
@@ -442,8 +442,10 @@ def trace():
442442@login_required
443443def sessions (canvas_id ):
444444 tenant_id = current_user .id
445- if not UserCanvasService .query (user_id = tenant_id , id = canvas_id ):
446- return get_error_data_result (message = f"You don't own the agent { canvas_id } )
445+ if not UserCanvasService .accessible (canvas_id , tenant_id ):
446+ return get_json_result (
447+ data = False , message = 'Only owner of canvas authorized for this operation.' ,
448+ code = RetCode .OPERATING_ERROR )
447449
448450 user_id = request .args .get ("user_id" )
449451 page_number = int (request .args .get ("page" , 1 ))
0 commit comments