From d5e2d0bce0dffef5f61bd8066954bc2d41181fc5 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Sat, 14 Mar 2026 19:38:58 +0800
Subject: [PATCH] :lock: https://github.com/siyuan-note/siyuan/security/advisories/GHSA-j7wh-x834-p3r7

Signed-off-by: Daniel <845765@qq.com>
---
 kernel/api/search.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kernel/api/search.go b/kernel/api/search.go
index a22cf25fa..fbb845792 100644
--- a/kernel/api/search.go
+++ b/kernel/api/search.go
@@ -396,6 +396,14 @@ func fullTextSearchBlock(c *gin.Context) {
 	}
 
 	page, pageSize, query, paths, boxes, types, method, orderBy, groupBy := parseSearchBlockArgs(arg)
+
+	// SQL mode requires admin privileges, consistent with /api/query/sql
+	if method == 2 && !model.IsAdminRoleContext(c) {
+		ret.Code = -1
+		ret.Msg = "SQL search requires administrator privileges"
+		return
+	}
+
 	blocks, matchedBlockCount, matchedRootCount, pageCount, docMode := model.FullTextSearchBlock(query, boxes, paths, types, method, orderBy, groupBy, page, pageSize)
 	if model.IsReadOnlyRoleContext(c) {
 		publishAccess := model.GetPublishAccess()
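Review bot: The new SQL-mode guard compares `method` against the bare literal `2`, so the privilege check silently drifts apart from parseSearchBlockArgs if the method numbering ever changes; give it a name (whatever identifier the model package already uses for SQL mode, or a local `const searchMethodSQL = 2 // must match parseSearchBlockArgs`) and use it in both places. The authorization also lives only in this handler, so any other caller of model.FullTextSearchBlock that passes the SQL method would not be covered — if such callers exist, enforcing or re-asserting the admin check inside the model layer would make the boundary hold regardless of entry point. The denied branch returns without recording anything; if the kernel has an access-denied logging path, emitting one line here would make repeated probing of this endpoint visible to operators. fullTextSearchBlock starts before the hunk and continues after it, so the deferred JSON write and the HTTP status for the early `return` are assumed to be set up there — confirm that `ret` is still emitted on this path.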