From 31859590960fab4158f86651695af8c0e39925a5 Mon Sep 17 00:00:00 2001
From: junjun
Date: Wed, 17 Jun 2026 17:11:22 +0800
Subject: [PATCH] fix: Fix the vulnerability in viewing enumeration values across workspaces
---
 backend/apps/datasource/api/datasource.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/backend/apps/datasource/api/datasource.py b/backend/apps/datasource/api/datasource.py
index cbf992c1..1e72c3fb 100644
--- a/backend/apps/datasource/api/datasource.py
+++ b/backend/apps/datasource/api/datasource.py
@@ -243,8 +243,9 @@ def inner():
 # not used
-@router.post("/fieldEnum/{id}", include_in_schema=False)
-async def field_enum(session: SessionDep, id: int):
+@router.post("/fieldEnum/{ds_id}/{id}", include_in_schema=False)
+@require_permissions(permission=SqlbotPermission(type='ds', keyExpression="ds_id"))
+async def field_enum(session: SessionDep, ds_id: int, id: int):
 def inner():
 return fieldEnum(session, id)
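Review bot: The new `@require_permissions` check authorizes `ds_id`, but `inner()` still calls `fieldEnum(session, id)` with only the field id, so nothing visible in this hunk ties the field to the datasource that was authorized. Unless `fieldEnum` (not shown here) already scopes its lookup by datasource, the permission check can pass on one datasource while the enumeration values are read from a field belonging to another, which leaves the cross-workspace read in place. The lookup should receive `ds_id` as well and reject the request when the field's owning datasource differs from it, with a regression test covering a mismatched `ds_id`/`id` pair. The route is marked `# not used` yet stays routable with `include_in_schema=False`; if it really has no callers, removing it would be the smaller attack surface. The body of `field_enum` continues past the end of the hunk.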