fix: clear all default providers in tenant for enterprise mode

api/controllers/console/workspace/tool_providers.py

@@ -825,7 +825,11 @@ def post(self, provider):
         current_user, current_tenant_id = current_account_with_tenant()
         args = parser_default_cred.parse_args()
         return BuiltinToolManageService.set_default_provider(
-            tenant_id=current_tenant_id, user_id=current_user.id, provider=provider, id=args["id"]
+            tenant_id=current_tenant_id,
+            user_id=current_user.id,
+            provider=provider,
+            id=args["id"],
+            account=current_user,
         )
 
 

api/services/tools/builtin_tools_manage_service.py

@@ -2,7 +2,10 @@
 import logging
 from collections.abc import Mapping
 from pathlib import Path
-from typing import Any
+from typing import TYPE_CHECKING, Any
+
+if TYPE_CHECKING:
+    from models.account import Account
 
 from sqlalchemy import exists, select
 from sqlalchemy.orm import Session
@@ -406,20 +409,33 @@ def delete_builtin_tool_provider(tenant_id: str, provider: str, credential_id: s
         return {"result": "success"}
 
     @staticmethod
-    def set_default_provider(tenant_id: str, user_id: str, provider: str, id: str):
+    def set_default_provider(tenant_id: str, user_id: str, provider: str, id: str, account: "Account | None" = None):
         """
         set default provider
         """
         with Session(db.engine) as session:
-            # get provider
-            target_provider = session.query(BuiltinToolProvider).filter_by(id=id).first()
+            # get provider (verify tenant ownership to prevent IDOR)
+            target_provider = session.query(BuiltinToolProvider).filter_by(id=id, tenant_id=tenant_id).first()
             if target_provider is None:
                 raise ValueError("provider not found")
 
             # clear default provider
-            session.query(BuiltinToolProvider).filter_by(
-                tenant_id=tenant_id, user_id=user_id, provider=provider, is_default=True
-            ).update({"is_default": False})
+            if dify_config.ENTERPRISE_ENABLED:
+                # Enterprise: verify admin permission for tenant-wide operation
+                from models.account import TenantAccountRole
+
+                if account and not TenantAccountRole.is_privileged_role(account.current_role):
+                    raise ValueError("Only workspace admins/owners can set default credentials in enterprise mode")
+                # Enterprise: clear ALL defaults for this provider in the tenant
+                # (regardless of user_id, since enterprise credentials may have different user_id)
+                session.query(BuiltinToolProvider).filter_by(
+                    tenant_id=tenant_id, provider=provider, is_default=True
+                ).update({"is_default": False})
+            else:
+                # Non-enterprise: only clear defaults for the current user
+                session.query(BuiltinToolProvider).filter_by(
+                    tenant_id=tenant_id, user_id=user_id, provider=provider, is_default=True
+                ).update({"is_default": False})
 
             # set new default provider
             target_provider.is_default = True