MkDev11 · greatjourney589 · May 22, 2026 · May 22, 2026 · May 22, 2026
diff --git a/fixes/issue-133-cross-tenant-document-access.patch b/fixes/issue-133-cross-tenant-document-access.patch
@@ -0,0 +1,21 @@
+diff --git a/api/apps/sdk/doc.py b/api/apps/sdk/doc.py
+--- a/api/apps/sdk/doc.py
++++ b/api/apps/sdk/doc.py
+@@ -18,7 +18,7 @@
+
+ from quart import send_file
+
+-from api.apps import login_required
++from api.apps import current_user, login_required
+ from api.db.db_models import Document, Task
+ from api.db.joint_services.tenant_model_service import get_model_config_by_id, get_model_config_by_type_and_name, get_tenant_default_model_by_type
+ from api.db.services.doc_metadata_service import DocMetadataService
+@@ -152,6 +152,8 @@
+     """
+     if not document_id:
+         return get_error_data_result(message="Specify document_id please.")
++    if not DocumentService.accessible(document_id, current_user.id):
++        return get_error_data_result(message="Document not found!")
+     doc = DocumentService.query(id=document_id)
+     if not doc:
+         return get_error_data_result(message=f"The dataset not own the document {document_id}.")