Open
Description
Self Checks
- I have searched for existing issues, including closed ones.
- I confirm that I am using English to submit this report (Language Policy).
- Non-English title submissions will be closed directly ( 非英文标题的提交将会被直接关闭 ) (Language Policy).
- Please do not modify this template :) and fill in all the required fields.
RAGFlow workspace code commit ID
x
RAGFlow image version
v0.16.0 full
Other environment information
Actual behavior
Non-accepted team invitees can access inviting team's knowledge base while losing personal data access through API.
Expected behavior
When Account B has not accepted the team invitation, the system should not return the team knowledge base list.
Steps to reproduce
Step 1: Invitation Process
Team Account A, which contains multiple internal knowledge bases, initiates an invitation for Account B to join the team.
Step 2: Pending Acceptance
Account B does not click "Accept" to confirm team membership, maintaining a pending invitation status.
Step 3: Unauthorized Data Access
Upon logging into their personal account, Account B uses the "api/v1/datasets" endpoint and discovers the query returns Team Account A's knowledge base list instead of their own.
Step 4: Security Protocol Breach
Critically, this data exposure occurs prior to Account B's acceptance of the team invitation, bypassing normal access control protocols.
Step 5: Personal Data Inaccessibility
Simultaneously, Account B loses access to their original personal knowledge base through the same API endpoint.
Additional information
No error occurs as the api/v1/datasets endpoint authenticates solely via API KEY for knowledge base list retrieval, indicating the root cause likely resides in ragflow.
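To make the expected behavior concrete, here is an added example that is not RAGFlow's code: a small model of how a dataset list is resolved for an API-key caller. The `Membership`/`Dataset` records, the status values and the function names are assumptions for illustration; the buggy variant is a constructed stand-in that reproduces both symptoms from the report (the inviting team's list is returned and the caller's own knowledge base disappears), while the fixed variant only resolves tenants whose membership is owned or explicitly accepted.

```python
from dataclasses import dataclass

# Constructed model of the data involved; names and statuses are assumptions,
# not RAGFlow's actual schema.
@dataclass(frozen=True)
class Membership:
    user_id: str
    tenant_id: str
    status: str  # "owner", "accepted" or "pending"

@dataclass(frozen=True)
class Dataset:
    tenant_id: str
    name: str

def list_datasets_buggy(user_id, memberships, datasets):
    # Hypothetical flawed resolution: take the caller's most recently created
    # membership row and ignore its status, so a pending invitation becomes
    # the active tenant and the caller's own tenant is no longer consulted.
    rows = [m for m in memberships if m.user_id == user_id]
    active = rows[-1].tenant_id
    return [d for d in datasets if d.tenant_id == active]

ACCEPTED_STATUSES = {"owner", "accepted"}

def list_datasets_fixed(user_id, memberships, datasets):
    # Only tenants the caller owns or has explicitly joined are visible;
    # a pending invitation grants no access to the inviting team's data.
    allowed = {m.tenant_id for m in memberships
               if m.user_id == user_id and m.status in ACCEPTED_STATUSES}
    return [d for d in datasets if d.tenant_id in allowed]

# Constructed sample mirroring the report: A invited B, B has not accepted.
MEMBERSHIPS = [
    Membership("user_a", "tenant_a", "owner"),
    Membership("user_b", "tenant_b", "owner"),
    Membership("user_b", "tenant_a", "pending"),  # invitation not yet accepted
]
DATASETS = [
    Dataset("tenant_a", "internal-kb-1"),
    Dataset("tenant_a", "internal-kb-2"),
    Dataset("tenant_b", "personal-kb"),
]

def dataset_names(resolver, user_id):
    # Sorted dataset names the given resolver returns for the caller.
    return sorted(d.name for d in resolver(user_id, MEMBERSHIPS, DATASETS))

if __name__ == "__main__":
    print("buggy:", dataset_names(list_datasets_buggy, "user_b"))  # team A's list only
    print("fixed:", dataset_names(list_datasets_fixed, "user_b"))  # personal-kb only
```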