Add owner_id check to resolve_hash_to_path

Filter asset references by owner visibility so the /view endpoint only resolves hashes for assets the requesting user can access. Adds table-driven tests for owner visibility cases. Amp-Thread-ID: https://ampcode.com/threads/T-019ce377-8bde-7048-bc28-a9df063409f9 Co-authored-by: Amp <amp@ampcode.com>
2026-03-13 09:10:12 +00:00 · 2026-03-12 13:03:47 -07:00
parent aa6bd95596
commit 6587a7394e
3 changed files with 52 additions and 3 deletions
--- a/server.py
+++ b/server.py
@@ -504,7 +504,8 @@ class PromptServer():
                # node preview, it constructs /view?filename=<asset_hash>, so this
                # endpoint must resolve blake3 hashes to their on-disk file paths.
                if filename.startswith("blake3:"):
-                    result = resolve_hash_to_path(filename)
+                    owner_id = self.user_manager.get_request_user_id(request)
+                    result = resolve_hash_to_path(filename, owner_id=owner_id)
                    if result is None:
                        return web.Response(status=404)
                    file, filename = result.abs_path, result.download_name