dify - ✅(Solved) Fix Refactor: fail-closed handling for workspace policy permission checks [1 pull requests, 2 comments, 2 participants]

langgenius/dify#35171 (fetched 2026-04-15 06:45:36)

Error Message

Force EnterpriseService.WorkspacePermissionService.get_permission(workspace_id) to fail (e.g., mock exception, network timeout, or temporary backend outage).

If workspace policy permission cannot be verified (service error/timeout/exception), the API should fail closed and deny the action with a clear permission-related error.

When enterprise policy lookup raises non-Forbidden exceptions, the code logs the error and continues execution. This can allow invite/owner-transfer operations to proceed even though policy validation failed.

Fix Action

Fixed

PR fix notes

PR #35173: fix: enforce fail-closed workspace policy checks

Description (problem / solution / changelog)

Summary

  • deny workspace invite when enterprise permission lookup fails
  • deny owner transfer when enterprise permission lookup fails
  • update unit tests to cover fail-closed behavior for both checks

Related

  • fixes #35171

Test plan

  • run unit tests for api/tests/unit_tests/libs/test_workspace_permission.py

Changed files

  • api/libs/workspace_permission.py (modified, +2/-0)
  • api/tests/unit_tests/libs/test_workspace_permission.py (modified, +25/-4)

Self Checks

  • I have read the Contributing Guide and Language Policy.
  • This is only for bug report, if you would like to ask a question, please head to Discussions.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report, otherwise it will be closed.
  • [Chinese & Non English User] Please submit in English, otherwise it will be closed :)
  • Please do not modify this template :) and fill in all the required fields.

Dify version

1.13.2

Cloud or Self Hosted

Self Hosted (Docker)

Steps to reproduce

  1. Enable enterprise mode (ENTERPRISE_ENABLED=true).
  2. Use a workspace/account that is allowed to call member invite or owner transfer APIs.
  3. Force EnterpriseService.WorkspacePermissionService.get_permission(workspace_id) to fail (e.g., mock exception, network timeout, or temporary backend outage).
  4. Call one of these flows:
     • POST /console/api/workspaces/current/members/invite-email
     • owner transfer flow endpoints protected by is_allow_transfer_owner
  5. Observe that the operation may still proceed instead of being denied when policy lookup fails.

✔️ Expected Behavior

If workspace policy permission cannot be verified (service error/timeout/exception), the API should fail closed and deny the action with a clear permission-related error.

❌ Actual Behavior

When enterprise policy lookup raises non-Forbidden exceptions, the code logs the error and continues execution. This can allow invite/owner-transfer operations to proceed even though policy validation failed.
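
The actual and expected behaviour described above, as an added Python example (not code from the Dify repository or PR #35173): a fail-open check beside its fail-closed form, run against a stub policy service that simulates an outage. `StubPolicyService`, the local `Forbidden` class, the `allow_member_invite` key and all function names are assumptions made for this illustration.

```python
import logging

logger = logging.getLogger("workspace_permission_demo")


class Forbidden(Exception):
    """Stand-in for the HTTP 403 error the API raises (constructed for this demo)."""


class StubPolicyService:
    """Constructed stand-in for the enterprise lookup; down=True simulates an outage."""
    def __init__(self, allow_invite=True, down=False):
        self.allow_invite, self.down = allow_invite, down

    def get_permission(self, workspace_id):
        if self.down:
            raise TimeoutError("enterprise policy backend unreachable")
        return {"allow_member_invite": self.allow_invite}  # hypothetical policy shape


def check_invite_fail_open(service, workspace_id):
    """Reported pattern: a non-Forbidden error is logged, then the check returns
    normally, so the caller treats a failed lookup as 'allowed'."""
    try:
        if not service.get_permission(workspace_id)["allow_member_invite"]:
            raise Forbidden("member invite is disabled by workspace policy")
    except Forbidden:
        raise
    except Exception:
        logger.exception("policy lookup failed for workspace %s", workspace_id)


def check_invite_fail_closed(service, workspace_id):
    """Fail-closed form: a policy that cannot be verified is treated as a denial."""
    try:
        permission = service.get_permission(workspace_id)
    except Exception as exc:
        logger.exception("policy lookup failed for workspace %s", workspace_id)
        raise Forbidden("workspace policy could not be verified") from exc
    if not permission["allow_member_invite"]:
        raise Forbidden("member invite is disabled by workspace policy")


def is_allowed(check, service, workspace_id="ws-demo"):
    """Run a check and report whether the protected action would proceed."""
    try:
        check(service, workspace_id)
        return True
    except Forbidden:
        return False
```

The same four cases (lookup down, lookup up with allow, lookup up with deny, for each variant) are the ones a unit test for the owner-transfer check would need as well.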

extent analysis

TL;DR

The issue can be fixed by modifying the code to handle non-Forbidden exceptions during enterprise policy lookup and denying the action with a clear permission-related error.

Guidance

  • Review the EnterpriseService.WorkspacePermissionService.get_permission(workspace_id) method to ensure it properly handles exceptions and returns a Forbidden error when policy lookup fails.
  • Modify the API endpoints (POST /console/api/workspaces/current/members/invite-email and owner transfer flow endpoints) to check for exceptions during policy lookup and deny the action if an exception occurs.
  • Consider implementing a retry mechanism for temporary backend outages or network timeouts to prevent false negatives.
  • Verify that the code logs the error and provides a clear permission-related error message when policy validation fails.

Example

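import logging

logger = logging.getLogger(__name__)

def check_workspace_permission(workspace_id):  # hypothetical wrapper; EnterpriseService comes from the Dify code base
    try:
        permission = EnterpriseService.WorkspacePermissionService.get_permission(workspace_id)
    except Exception:
        # fail closed: log the error and deny the action with a clear permission-related error
        logger.exception("Error checking permission")
        return {"error": "Permission denied due to policy validation failure"}
    # proceed with the operation only if permission is granted
    return permission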

Notes

This fix assumes that the EnterpriseService.WorkspacePermissionService.get_permission(workspace_id) method is the sole point of failure. Additional logging and error handling may be necessary to ensure the fix is effective.

Recommendation

Apply workaround: Modify the code to handle non-Forbidden exceptions during enterprise policy lookup and deny the action with a clear permission-related error, as this will prevent invite/owner-transfer operations from proceeding when policy validation fails.
