fix: IDOR on console GET /account/avatar

[NeatGuyCoding]

Important

1. Make sure you have read our contribution guidelines
2. Ensure there is an associated issue and you have been assigned to it
3. Use the correct syntax to link this PR: Fixes #<issue number>.

Summary

Fixes an insecure direct object reference (IDOR) on AccountAvatarApi.get: the handler previously signed any caller-supplied avatar upload file ID via file_helpers.get_signed_file_url without verifying that the file belongs to the current workspace tenant and the current console account.

The endpoint now loads UploadFile by id, requires tenant_id to match current_account_with_tenant()’s tenant, requires created_by_role == ACCOUNT and created_by == current_user.id, and only then signs with upload_file_id=. Absolute http:// / https:// avatar values are returned unchanged (aligned with fields/member_fields.py _build_avatar_url).

Security fix

• Authorize storage-backed avatars against upload_files (tenant_id, created_by, created_by_role).
• Reject missing file, wrong tenant, or non-owning account with generic 404 (NotFound) to limit enumeration leakage.
• Preserve external URL avatars without invoking signing.

Technical details

Before (vulnerable):

def get(self):
    args = AccountAvatarQuery.model_validate(request.args.to_dict(flat=True))
    avatar_url = file_helpers.get_signed_file_url(args.avatar)
    return {"avatar_url": avatar_url}

After (fixed):

def get(self):
    current_user, current_tenant_id = current_account_with_tenant()
    args = AccountAvatarQuery.model_validate(request.args.to_dict(flat=True))
    avatar = args.avatar

    if avatar.startswith(("http://", "https://")):
        return {"avatar_url": avatar}

    upload_file = db.session.scalar(select(UploadFile).where(UploadFile.id == avatar).limit(1))
    if upload_file is None:
        raise NotFound("Avatar file not found")

    if upload_file.tenant_id != current_tenant_id:
        raise NotFound("Avatar file not found")

    if upload_file.created_by_role != CreatorUserRole.ACCOUNT or upload_file.created_by != current_user.id:
        raise NotFound("Avatar file not found")

    avatar_url = file_helpers.get_signed_file_url(upload_file_id=upload_file.id)
    return {"avatar_url": avatar_url}

Screenshots

Before	After
Any authenticated user could obtain a signed URL for another user’s upload_files.id via query param	Signing only after tenant + account ownership checks; otherwise 404

Testing

• Added unit tests: TestAccountAvatarApiGet in dify/api/tests/unit_tests/controllers/console/workspace/test_accounts.py.
• Run: cd dify/api && uv run pytest tests/unit_tests/controllers/console/workspace/test_accounts.py::TestAccountAvatarApiGet -v

Files changed

• dify/api/controllers/console/workspace/account.py — AccountAvatarApi.get authorization + imports (NotFound, UploadFile, CreatorUserRole).
• dify/api/tests/unit_tests/controllers/console/workspace/test_accounts.py — TestAccountAvatarApiGet.

Checklist

• This change requires a documentation update, included: Dify Document
• I understand that this PR may be closed in case there was no previous discussion or issues. (This doesn't apply to typos!)
• I've added a test for each change that was introduced, and I tried as much as possible to make a single atomic change.
• I've updated the documentation accordingly.
• I ran make lint && make type-check (backend) and cd web && pnpm exec vp staged (frontend) to appease the lint gods

Related issue

Fixes #35770