From 0c8c926aac0db8a23df750152fe0520c85e42b15 Mon Sep 17 00:00:00 2001
From: Bai
Date: Wed, 18 Aug 2021 10:22:40 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E6=A0=A1=E9=AA=8C?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=99=BB=E5=BD=95=E8=A7=84=E5=88=99=E7=9A=84?= =?UTF-8?q?API=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/common/permissions.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/apps/common/permissions.py b/apps/common/permissions.py
index 176455f66..71dca0b3c 100644
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -6,6 +6,7 @@ from django.conf import settings
 from common.exceptions import MFAVerifyRequired
 from orgs.utils import current_org
+from common.utils import is_uuid
 class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
@@ -186,7 +187,7 @@ class IsObjectOwner(IsValidUser):
 class HasQueryParamsUserAndIsCurrentOrgMember(permissions.BasePermission):
 def has_permission(self, request, view):
 query_user_id = request.query_params.get('user')
- if not query_user_id:
+ if not query_user_id or not is_uuid(query_user_id):
 return False
 query_user = current_org.get_members().filter(id=query_user_id).first()
 return bool(query_user)
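Review bot: The added `is_uuid(query_user_id)` guard in `has_permission` is only as strict as `is_uuid`, which lives in `common.utils` outside this patch; if it is a loose pattern match rather than a real parse, a value that passes it can presumably still make `filter(id=query_user_id)` raise instead of returning False, so it is worth confirming that it rejects everything `uuid.UUID()` rejects. Separately, the decision rests entirely on the caller-supplied `user` query parameter and the class extends `permissions.BasePermission`, so nothing visible here looks at `request.user`; whether the views pair it with an authenticated-user class cannot be seen from this hunk. I would record that on the class with a docstring such as `"""Grants access when ?user=<uuid> names a member of current_org; does not check request.user."""`. A regression test that sends a non-UUID `user` value and expects a denial rather than a server error would pin the fix.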