fix: enforce permission filter for all users including admins in list_agents#477
fix: enforce permission filter for all users including admins in list_agents#477
Conversation
…_agents Fix Issue #476: Admin can see "only me" agents created by other users. The previous code gave platform_admin and org_admin a special shortcut that returned ALL agents in the tenant without any permission filtering. Now all users (including admins) must go through the same permission logic: - Agents they created - Agents with company-wide visibility (scope_type='company') - Agents with user-specific visibility where they are in scope_ids This ensures that "仅自己可见" agents (scope_type='user', scope_id=creator) are only visible to the creator, even for admins.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 927cac16ac
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
|
|
||
| query = select(Agent).where( | ||
| and_( | ||
| Agent.tenant_id == user_tenant, |
There was a problem hiding this comment.
The new list_agents query now hard-codes tenant scoping to current_user.tenant_id and never reads the tenant_id query parameter, which regresses admin behavior from the previous implementation. In practice, a platform admin can no longer list another tenant’s agents via /agents?tenant_id=..., and a platform admin operating in global mode (no tenant bound in token, which other endpoints explicitly support) will be filtered to tenant_id IS NULL and miss normal tenant agents entirely.
Useful? React with 👍 / 👎.
1 participant
Summary
Fix Issue #476: Admin can see "only me" agents created by other users.
Problem
The
list_agentsendpoint had a special shortcut forplatform_adminandorg_adminthat returned ALL agents in the tenant without any permission filtering. This meant that agents with "仅自己可见" (scope_type='user', scope_id=creator) were still visible to admins.Solution
Remove the admin shortcut and enforce the same permission filtering logic for all users:
Changes
backend/app/api/agents.pylist_agents()Testing
Please verify:
Related Issue
Fixes #476