kunthawat/ALwrity
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: multi-tenant isolation for asset serving, image-studio ownership check, ts compile error

Browse Source
This commit is contained in:
ajaysi
2026-05-25 17:23:59 +05:30
parent 9b3bec698b
commit cb3666dd7b
3 changed files with 33 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
backend/api/assets_serving.py
View File

@@ -38,6 +38,15 @@ MIME_MAP = {
}
def _verify_ownership(url_user_id: str, current_user: Dict[str, Any]) -> str:
"""Verify the URL user_id matches the authenticated user. Returns sanitized user_id."""
raw = current_user.get("id") or current_user.get("user_id") or current_user.get("clerk_user_id")
authed_id = str(raw) if raw else ""
if not authed_id or sanitize_user_id(url_user_id) != sanitize_user_id(authed_id):
raise HTTPException(status_code=403, detail="Access denied: user mismatch")
return sanitize_user_id(url_user_id)
def _resolve_asset_path(user_id: str, category: str, filename: str) -> Path:
"""Resolve asset path in user workspace with path-traversal protection."""
safe_user_id = sanitize_user_id(user_id)
@@ -67,6 +76,7 @@ async def serve_avatar(
"""Serve avatar images. Supports auth via Authorization header or ?token= query param.
Falls back to images/ directory for backward compatibility with old asset library entries."""
require_authenticated_user(current_user)
_verify_ownership(user_id, current_user)
safe_filename = os.path.basename(filename)
file_path = _resolve_asset_path(user_id, "avatars", safe_filename)
@@ -95,6 +105,7 @@ async def serve_voice_sample(
which cannot send Authorization headers.
"""
require_authenticated_user(current_user)
_verify_ownership(user_id, current_user)
safe_filename = os.path.basename(filename)
file_path = _resolve_asset_path(user_id, "voice_samples", safe_filename)
@@ -117,6 +128,7 @@ async def serve_image(
):
"""Serve generated/uploaded images. Supports auth via Authorization header or ?token= query param."""
require_authenticated_user(current_user)
_verify_ownership(user_id, current_user)
safe_filename = os.path.basename(filename)
file_path = _resolve_asset_path(user_id, "images", safe_filename)

22
backend/api/images.py
View File

@@ -27,6 +27,8 @@ from services.subscription import UsageTrackingService, PricingService
from models.subscription_models import APIProvider, UsageSummary
from utils.asset_tracker import save_asset_to_library
from utils.file_storage import save_file_safely, generate_unique_filename, sanitize_filename
from services.content_asset_service import ContentAssetService
from models.content_asset_models import ContentAsset
router = APIRouter(prefix="/api/images", tags=["images"])
@@ -1022,13 +1024,29 @@ def edit(
@router.get("/image-studio/images/{image_filename:path}")
async def serve_image_studio_image(
image_filename: str,
current_user: Dict[str, Any] = Depends(get_current_user)
current_user: Dict[str, Any] = Depends(get_current_user),
db: Session = Depends(get_db),
):
"""Serve a generated or edited image from Image Studio."""
"""Serve a generated or edited image from Image Studio.
Verifies the authenticated user owns the image via asset library lookup."""
try:
if not current_user:
raise HTTPException(status_code=401, detail="Authentication required")
user_id = current_user.get("id") or current_user.get("user_id") or current_user.get("clerk_user_id")
if not user_id:
raise HTTPException(status_code=401, detail="User ID not found")
# Verify ownership: the requesting user must have a content_assets record for this file_url
full_url = f"/api/images/image-studio/images/{image_filename}"
service = ContentAssetService(db)
owned = db.query(ContentAsset).filter(
ContentAsset.user_id == user_id,
ContentAsset.file_url == full_url,
).first()
if not owned:
raise HTTPException(status_code=403, detail="Access denied: image not found in your library")
# Determine if it's an edited image or regular image
base_dir = Path(__file__).parent.parent
image_studio_dir = (base_dir / "image_studio_images").resolve()