[Bug]: An exception was encountered while querying api/v1/datasets. #6216

@role11

Self Checks

  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report (Language Policy).
  • Non-English title submissions will be closed directly (Language Policy).
  • Please do not modify this template :) and fill in all the required fields.

RAGFlow workspace code commit ID

x

RAGFlow image version

v0.16.0 full

Other environment information

Actual behavior

Non-accepted team invitees can access inviting team's knowledge base while losing personal data access through API.

Expected behavior

When Account B has not accepted the team invitation, the system should not return the team knowledge base list.

Steps to reproduce

Step 1: Invitation Process
Team Account A, which contains multiple internal knowledge bases, initiates an invitation for Account B to join the team.

Step 2: Pending Acceptance
Account B does not click "Accept" to confirm team membership, maintaining a pending invitation status.

Step 3: Unauthorized Data Access
Upon logging into their personal account, Account B uses the "api/v1/datasets" endpoint and discovers the query returns Team Account A's knowledge base list instead of their own.

Step 4: Security Protocol Breach
Critically, this data exposure occurs prior to Account B's acceptance of the team invitation, bypassing normal access control protocols.

Step 5: Personal Data Inaccessibility
Simultaneously, Account B loses access to their original personal knowledge base through the same API endpoint.

Additional information

No error occurs as the api/v1/datasets endpoint authenticates solely via API KEY for knowledge base list retrieval, indicating the root cause likely resides in ragflow.
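
The condition reported above, as an added example that is not part of the original issue and is not RAGFlow's code: a flawed dataset listing that resolves the caller's tenant without checking invitation status, next to a checked version and a regression check for the leak. The membership model, the status values, the function names and all sample data are assumptions constructed for illustration; the issue does not identify the actual root cause.

```python
from dataclasses import dataclass

# Constructed sample data. Names and status values are hypothetical,
# not RAGFlow's schema.
@dataclass(frozen=True)
class Membership:
    user: str
    tenant: str
    status: str  # "owner", "accepted" or "pending"

MEMBERSHIPS = [
    Membership("account_b", "tenant_a", "pending"),  # invited, not yet accepted
    Membership("account_b", "tenant_b", "owner"),    # B's personal tenant
    Membership("account_a", "tenant_a", "owner"),
]
DATASETS = {"tenant_a": ["team-kb-1", "team-kb-2"], "tenant_b": ["personal-kb"]}
API_KEYS = {"key-b": "account_b"}  # API key -> user it was issued to

def list_datasets_flawed(api_key):
    """Resolve the tenant from the first membership row, ignoring status."""
    user = API_KEYS[api_key]
    row = next(m for m in MEMBERSHIPS if m.user == user)
    return list(DATASETS[row.tenant])

def list_datasets_checked(api_key):
    """Return datasets only from tenants the user owns or has accepted."""
    user = API_KEYS.get(api_key)
    if user is None:
        raise PermissionError("unknown API key")
    allowed = [m.tenant for m in MEMBERSHIPS
               if m.user == user and m.status in ("owner", "accepted")]
    return [kb for t in allowed for kb in DATASETS.get(t, [])]

def leaked_datasets(list_fn, api_key):
    """Regression check: datasets returned from tenants still pending."""
    user = API_KEYS[api_key]
    active = {m.tenant for m in MEMBERSHIPS
              if m.user == user and m.status != "pending"}
    pending = {m.tenant for m in MEMBERSHIPS
               if m.user == user and m.status == "pending"} - active
    exposed = {kb for t in pending for kb in DATASETS.get(t, [])}
    return sorted(exposed & set(list_fn(api_key)))

if __name__ == "__main__":
    for fn in (list_datasets_flawed, list_datasets_checked):
        print(fn.__name__, fn("key-b"), "leaked:", leaked_datasets(fn, "key-b"))
```

In this model the flawed listing reproduces both symptoms from the report: Account B sees the team's knowledge bases and no longer sees its own.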
