Merge remote-tracking branch 'origin/main' into fix/ee-1511-set-default-provider-user-id-bug

Merge branch 'main' into fix/ee-1511-set-default-provider-user-id-bug
fix: add TYPE_CHECKING import for Account type annotation
2026-02-04 15:04:16 +00:00 · 2026-02-02 18:51:26 -08:00 · 2026-01-26 17:34:31 -08:00 · 2026-01-26 16:07:49 -08:00 · 2026-01-26 16:00:43 -08:00 · 2026-01-26 15:41:11 -08:00
1 changed files with 23 additions and 7 deletions
--- a/api/services/tools/builtin_tools_manage_service.py
+++ b/api/services/tools/builtin_tools_manage_service.py
@@ -2,7 +2,10 @@ import json
 import logging
 from collections.abc import Mapping
 from pathlib import Path
-from typing import Any
+from typing import TYPE_CHECKING, Any
+
+if TYPE_CHECKING:
+    from models.account import Account

 from sqlalchemy import exists, select
 from sqlalchemy.orm import Session
@@ -406,20 +409,33 @@ class BuiltinToolManageService:
        return {"result": "success"}

    @staticmethod
-    def set_default_provider(tenant_id: str, user_id: str, provider: str, id: str):
+    def set_default_provider(tenant_id: str, user_id: str, provider: str, id: str, account: "Account | None" = None):
        """
        set default provider
        """
        with Session(db.engine) as session:
-            # get provider
-            target_provider = session.query(BuiltinToolProvider).filter_by(id=id).first()
+            # get provider (verify tenant ownership to prevent IDOR)
+            target_provider = session.query(BuiltinToolProvider).filter_by(id=id, tenant_id=tenant_id).first()
            if target_provider is None:
                raise ValueError("provider not found")

            # clear default provider
-            session.query(BuiltinToolProvider).filter_by(
-                tenant_id=tenant_id, user_id=user_id, provider=provider, is_default=True
-            ).update({"is_default": False})
+            if dify_config.ENTERPRISE_ENABLED:
+                # Enterprise: verify admin permission for tenant-wide operation
+                from models.account import TenantAccountRole
+
+                if account and not TenantAccountRole.is_privileged_role(account.current_role):
+                    raise ValueError("Only workspace admins/owners can set default credentials in enterprise mode")
+                # Enterprise: clear ALL defaults for this provider in the tenant
+                # (regardless of user_id, since enterprise credentials may have different user_id)
+                session.query(BuiltinToolProvider).filter_by(
+                    tenant_id=tenant_id, provider=provider, is_default=True
+                ).update({"is_default": False})
+            else:
+                # Non-enterprise: only clear defaults for the current user
+                session.query(BuiltinToolProvider).filter_by(
+                    tenant_id=tenant_id, user_id=user_id, provider=provider, is_default=True
+                ).update({"is_default": False})

            # set new default provider
            target_provider.is_default = True
Author	SHA1	Message	Date
GareArc	6da94b24c4	Merge remote-tracking branch 'origin/main' into fix/ee-1511-set-default-provider-user-id-bug	2026-02-02 18:51:26 -08:00
Xiyuan Chen	577c5f31fa	Merge branch 'main' into fix/ee-1511-set-default-provider-user-id-bug	2026-01-26 17:34:31 -08:00
GareArc	9c470544b1	fix: add TYPE_CHECKING import for Account type annotation	2026-01-26 16:07:49 -08:00
GareArc	be55d688e7	security: fix IDOR and privilege escalation in set_default_provider - Add tenant_id verification to prevent IDOR attacks - Add admin check for enterprise tenant-wide default changes - Preserve non-enterprise behavior (users can set own defaults)	2026-01-26 16:00:43 -08:00
GareArc	4d25384dbb	fix: remove user_id filter when clearing default provider (enterprise only) When setting a new default credential in enterprise mode, the code was only clearing is_default for credentials matching the current user_id. This caused issues when: 1. Enterprise credential A (synced with system user_id) was default 2. User sets local credential B as default 3. A still had is_default=true (different user_id) 4. Both A and B were considered defaults The fix removes user_id from the filter only for enterprise deployments, since enterprise credentials may have different user_id than local ones. Non-enterprise behavior is unchanged to avoid breaking existing setups. Fixes EE-1511	2026-01-26 15:41:11 -08:00