MrSphay/odysseus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enforce owner checks for upload attachments

Browse Source
This commit is contained in:
Duarte Antunes
2026-06-01 08:47:48 +01:00
committed by GitHub
parent 8874a11baf
commit e77d87fa80
6 changed files with 352 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
src/chat_handler.py
View File

@@ -1,7 +1,6 @@
# src/chat_handler.py
"""Handler for chat endpoint operations."""
import os
import json
import asyncio
import logging
from typing import Dict, List, Optional, Any
@@ -149,23 +148,22 @@ class ChatHandler:
vision_enabled = get_setting("vision_enabled", True)
main_is_vision = is_vision_model(sess.model or "")
# Read uploads DB once and index by id (was read twice + linear-scanned per attachment)
# Resolve uploads once with the session owner. Attachment IDs are
# bearer-like references; never trust them without an owner check.
files_by_id: Dict[str, Dict] = {}
owner = getattr(sess, "owner", None)
if att_ids:
uploads_db_path = os.path.join(UPLOAD_DIR, "uploads.json")
try:
with open(uploads_db_path, "r", encoding="utf-8") as f:
_all_files = json.load(f)
files_by_id = {fi["id"]: fi for fi in _all_files.values() if "id" in fi}
except (FileNotFoundError, json.JSONDecodeError):
pass
for att_id in att_ids:
fi = self.upload_handler.resolve_upload(att_id, owner=owner)
if fi:
files_by_id[att_id] = fi
for att_id in att_ids:
fi = files_by_id.get(att_id)
if fi:
attachment_meta.append({
"id": fi["id"],
"name": fi["name"],
"name": fi.get("name") or fi.get("original_name") or fi["id"],
"mime": fi.get("mime", ""),
"size": fi.get("size", 0),
"width": fi.get("width"),
@@ -242,6 +240,8 @@ class ChatHandler:
enhanced_message, att_ids, UPLOAD_DIR, self.upload_handler,
session_id=getattr(sess, "id", None),
auto_opened_docs=auto_opened_docs,
owner=owner,
resolved_uploads=files_by_id,
)
# Strip image_url entries for text-only models (VL description is already in the text)