fix: Add authorization check for knowledge_delete node (#1865)

lvxinyu-1117 · web-flow · commit a1da673962d0 · 2025-08-29T03:54:08.000Z
diff --git a/backend/api/model/crossdomain/knowledge/knowledge.go b/backend/api/model/crossdomain/knowledge/knowledge.go
@@ -329,7 +329,8 @@ type CreateDocumentResponse struct {
 }
 
 type DeleteDocumentRequest struct {
-	DocumentID string
+	DocumentID  int64
+	KnowledgeID int64
 }
 
 type DeleteDocumentResponse struct {
diff --git a/backend/crossdomain/impl/knowledge/knowledge.go b/backend/crossdomain/impl/knowledge/knowledge.go
@@ -20,7 +20,6 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"strconv"
 
 	"github.com/coze-dev/coze-studio/backend/api/model/crossdomain/knowledge"
 	model "github.com/coze-dev/coze-studio/backend/api/model/crossdomain/knowledge"
@@ -29,7 +28,9 @@ import (
 	"github.com/coze-dev/coze-studio/backend/domain/knowledge/entity"
 	"github.com/coze-dev/coze-studio/backend/domain/knowledge/service"
 	"github.com/coze-dev/coze-studio/backend/infra/contract/document/parser"
+	"github.com/coze-dev/coze-studio/backend/pkg/errorx"
 	"github.com/coze-dev/coze-studio/backend/pkg/lang/slices"
+	"github.com/coze-dev/coze-studio/backend/types/errno"
 )
 
 var defaultSVC crossknowledge.Knowledge
@@ -132,13 +133,24 @@ func (i *impl) Store(ctx context.Context, document *model.CreateDocumentRequest)
 }
 
 func (i *impl) Delete(ctx context.Context, r *model.DeleteDocumentRequest) (*model.DeleteDocumentResponse, error) {
-	docID, err := strconv.ParseInt(r.DocumentID, 10, 64)
+	if r.KnowledgeID == 0 {
+		return nil, errorx.New(errno.ErrKnowledgeInvalidParamCode, errorx.KV("msg", "knowledge id cannot be 0"))
+	}
+
+	docs, err := i.DomainSVC.ListDocument(ctx, &service.ListDocumentRequest{
+		KnowledgeID: r.KnowledgeID,
+		DocumentIDs: []int64{r.DocumentID},
+		SelectAll:   true,
+	})
 	if err != nil {
-		return nil, fmt.Errorf("invalid document id: %s", r.DocumentID)
+		return nil, err
+	}
+	if len(docs.Documents) == 0 {
+		return nil, errorx.New(errno.ErrKnowledgeDocumentNotExistCode, errorx.KV("msg", "the specified document is not part of this knowledge base"))
 	}
 
 	err = i.DomainSVC.DeleteDocument(ctx, &service.DeleteDocumentRequest{
-		DocumentID: docID,
+		DocumentID: r.DocumentID,
 	})
 	if err != nil {
 		return &model.DeleteDocumentResponse{IsSuccess: false}, err
diff --git a/backend/domain/workflow/internal/nodes/knowledge/knowledge_deleter.go b/backend/domain/workflow/internal/nodes/knowledge/knowledge_deleter.go
@@ -19,6 +19,8 @@ package knowledge
 import (
 	"context"
 	"errors"
+	"fmt"
+	"strconv"
 
 	"github.com/coze-dev/coze-studio/backend/api/model/crossdomain/knowledge"
 	crossknowledge "github.com/coze-dev/coze-studio/backend/crossdomain/contract/knowledge"
@@ -27,9 +29,12 @@ import (
 	"github.com/coze-dev/coze-studio/backend/domain/workflow/internal/canvas/convert"
 	"github.com/coze-dev/coze-studio/backend/domain/workflow/internal/nodes"
 	"github.com/coze-dev/coze-studio/backend/domain/workflow/internal/schema"
+	"github.com/spf13/cast"
 )
 
-type DeleterConfig struct{}
+type DeleterConfig struct {
+	KnowledgeID int64
+}
 
 func (d *DeleterConfig) Adapt(_ context.Context, n *vo.Node, _ ...nodes.AdaptOption) (*schema.NodeSchema, error) {
 	ns := &schema.NodeSchema{
@@ -39,6 +44,18 @@ func (d *DeleterConfig) Adapt(_ context.Context, n *vo.Node, _ ...nodes.AdaptOpt
 		Configs: d,
 	}
 
+	inputs := n.Data.Inputs
+	datasetListInfoParam := inputs.DatasetParam[0]
+	datasetIDs := datasetListInfoParam.Input.Value.Content.([]any)
+	if len(datasetIDs) == 0 {
+		return nil, fmt.Errorf("dataset ids is required")
+	}
+	knowledgeID, err := cast.ToInt64E(datasetIDs[0])
+	if err != nil {
+		return nil, err
+	}
+	d.KnowledgeID = knowledgeID
+
 	if err := convert.SetInputsForNodeSchema(n, ns); err != nil {
 		return nil, err
 	}
@@ -51,19 +68,29 @@ func (d *DeleterConfig) Adapt(_ context.Context, n *vo.Node, _ ...nodes.AdaptOpt
 }
 
 func (d *DeleterConfig) Build(_ context.Context, _ *schema.NodeSchema, _ ...schema.BuildOption) (any, error) {
-	return &Deleter{}, nil
+	return &Deleter{
+		KnowledgeID: d.KnowledgeID,
+	}, nil
 }
 
-type Deleter struct{}
+type Deleter struct {
+	KnowledgeID int64
+}
 
-func (k *Deleter) Invoke(ctx context.Context, input map[string]any) (map[string]any, error) {
+func (d *Deleter) Invoke(ctx context.Context, input map[string]any) (map[string]any, error) {
 	documentID, ok := input["documentID"].(string)
 	if !ok {
 		return nil, errors.New("documentID is required and must be a string")
 	}
 
+	docID, err := strconv.ParseInt(documentID, 10, 64)
+	if err != nil {
+		return nil, fmt.Errorf("invalid document id: %s", documentID)
+	}
+
 	req := &knowledge.DeleteDocumentRequest{
-		DocumentID: documentID,
+		DocumentID:  docID,
+		KnowledgeID: d.KnowledgeID,
 	}
 
 	response, err := crossknowledge.DefaultSVC().Delete(ctx, req)

Original file line number	Diff line number	Diff line change
`@@ -329,7 +329,8 @@ type CreateDocumentResponse struct {`
`329`	`329`	`}`
`330`	`330`
`331`	`331`	`type DeleteDocumentRequest struct {`
`332`		`- DocumentID string`
	`332`	`+ DocumentID int64`
	`333`	`+ KnowledgeID int64`
`333`	`334`	`}`
`334`	`335`
`335`	`336`	`type DeleteDocumentResponse struct {`