From 3c631aa94c920e98e34044ad5cf321ccbb066303 Mon Sep 17 00:00:00 2001
From: -LAN- <laipz8200@outlook.com>
Date: Mon, 14 Jul 2025 14:38:03 +0800
Subject: [PATCH] 
 docs(api/repositories/sqlalchemy_api_workflow_node_execution_repository.py):
 Add tenant isolation warning in method docstring

Signed-off-by: -LAN- <laipz8200@outlook.com>
---
 .../sqlalchemy_api_workflow_node_execution_repository.py      | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/api/repositories/sqlalchemy_api_workflow_node_execution_repository.py b/api/repositories/sqlalchemy_api_workflow_node_execution_repository.py
index ccde8b8076..e6a23ddf9f 100644
--- a/api/repositories/sqlalchemy_api_workflow_node_execution_repository.py
+++ b/api/repositories/sqlalchemy_api_workflow_node_execution_repository.py
@@ -124,6 +124,10 @@ class DifyAPISQLAlchemyWorkflowNodeExecutionRepository(DifyAPIWorkflowNodeExecut
         This method replicates the query pattern from WorkflowDraftVariableService
         and WorkflowService.single_step_run_workflow_node() using SQLAlchemy 2.0 style syntax.
 
+        When `tenant_id` is None, it's the caller's responsibility to ensure proper data isolation between tenants.
+        If the `execution_id` comes from untrusted sources (e.g., retrieved from an API request), the caller should
+        set `tenant_id` to prevent horizontal privilege escalation.
+
         Args:
             execution_id: The execution identifier
             tenant_id: Optional tenant identifier for additional filtering