Description
Contact Information
MaxKB Version
v1.10.x (latest Docker image)
Problem Description
The GET /admin/api/workspace/default/knowledge/folder endpoint returns a code 500 error with an internal error message that exposes implementation details about the permission system. The error message "'knowledge_WORKSPACE_USER_RESOURCE_PERMISSION' is not a valid Group" reveals internal naming conventions. Error messages returned to API consumers should be generic and not expose internal class/enum names, as this information could aid attackers in understanding the system's permission architecture.
Steps to Reproduce
```bash
curl -s -H "Authorization: Bearer <your_token>" \
  http://localhost:8080/admin/api/workspace/default/knowledge/folder
```
The expected correct result
Either return a valid folder list, or return a generic error message without exposing internal implementation details:
```json
{"code": 500, "message": "Internal server error", "data": null}
```
Or if the endpoint is not implemented:
```json
{"code": 404, "message": "Not Found", "data": null}
```
Related log output
```json
{"code": 500, "message": "'knowledge_WORKSPACE_USER_RESOURCE_PERMISSION' is not a valid Group", "data": null}
```
Additional Information
This issue has two aspects:
1. Functional bug: The knowledge folder endpoint fails with a permission group configuration error, which suggests a code or configuration issue (the name looked up does not match any defined Group value).
2. Information leakage: The error response exposes the internal permission group naming convention to authenticated users. Recommend implementing a generic error handler that masks internal error details in API responses while still logging the real exception server-side.
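A generic error handler of the kind recommended above, as an added example (not MaxKB's own code): the `Group` enum, `resolve_group` and `folder_handler` are constructed stand-ins that reproduce the "is not a valid Group" `ValueError` and show the exception text being logged server-side while the client only sees the generic envelope from the report.

```python
"""Generic API error envelope that hides internal exception text.

Added example, not MaxKB code. Assumes the {"code", "message", "data"}
envelope shown in the report; Group and the handler are constructed.
"""
import enum
import logging

log = logging.getLogger("api.errors")


class Group(enum.Enum):
    # Constructed placeholder; real MaxKB group names are not on this page.
    WORKSPACE_USER = "WORKSPACE_USER"


def resolve_group(name: str) -> Group:
    # Enum lookup raises ValueError("'<name>' is not a valid Group"),
    # the exact text that leaked into the API response in the report.
    return Group(name)


# Only these exception types map to a non-500 status; their messages are
# still fixed strings, never the exception text itself.
CLIENT_SAFE = {
    FileNotFoundError: (404, "Not Found"),
    PermissionError: (403, "Forbidden"),
}


def error_envelope(exc: Exception) -> tuple[int, dict]:
    """Map any exception to (http_status, generic JSON envelope).

    The real exception type and text go to the server log only, so an
    operator can still diagnose the enum/config mismatch.
    """
    status, message = CLIENT_SAFE.get(type(exc), (500, "Internal server error"))
    log.error("unhandled API error: %s: %s", type(exc).__name__, exc)
    return status, {"code": status, "message": message, "data": None}


def folder_handler(group_name: str) -> tuple[int, dict]:
    """Simulated folder endpoint: returns what the API consumer would see."""
    try:
        group = resolve_group(group_name)
        return 200, {"code": 200, "message": "ok", "data": {"group": group.value}}
    except Exception as exc:  # broad catch is deliberate: nothing internal escapes
        return error_envelope(exc)
```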