From 1b04efe5e71d204b24047d9454c000634823c104 Mon Sep 17 00:00:00 2001
From: KarrixLee
Date: Fri, 3 Oct 2025 02:16:54 +0800
Subject: [PATCH] fix: permission check for public share deployment runs
---
 src/api/routes/run.py | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/api/routes/run.py b/src/api/routes/run.py
index dd8390c5..4618b322 100644
--- a/src/api/routes/run.py
+++ b/src/api/routes/run.py
@@ -134,12 +134,15 @@ async def get_run(request: Request, run_id: UUID, queue_position: bool = False,
 # Permission check
 if deployment is not None and (deployment.environment == "public-share" or deployment.environment == "community-share"):
- # Public share, no permission check
- if run.user_id == user_id:
+ # Public share - check if current user owns the deployment
+ if org_id is not None and deployment.org_id == org_id:
+ # Current user's org owns the deployment
 pass
- elif org_id is not None and run.org_id == org_id:
+ elif deployment.user_id == user_id:
+ # Current user owns the deployment
 pass
 else:
+ # Not the owner, check public access permissions
 apply_org_check_direct(deployment, request)
 else:
 apply_org_check_direct(run, request)
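Review bot: The new `elif deployment.user_id == user_id:` branch has no None guard, unlike the org branch just above it, so if `user_id` can be None here (its origin is outside the hunk) a deployment whose `user_id` is also None would match and skip `apply_org_check_direct`; I would write `elif user_id is not None and deployment.user_id == user_id:`. The public-share branch also no longer consults `run.user_id` or `run.org_id`, so access to a run is decided by the deployment alone. That lets the deployment owner read every run made against it, and leaves the run's own creator dependent on whatever `apply_org_check_direct(deployment, request)` permits, which is not visible here. If that is intended, a comment such as `# Access to runs on shared deployments is decided by deployment ownership, not run ownership` would make it explicit; if not, the run-level match should be kept alongside the deployment-level one. get_run starts before and continues after this hunk.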