From 990ff0ec5ea25b7e682e09ce93e282425ec7ac43 Mon Sep 17 00:00:00 2001
From: Daniel <845765@qq.com>
Date: Sat, 7 Mar 2026 10:50:19 +0800
Subject: [PATCH] :lock: Fix https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f9cq-v43p-v523
Signed-off-by: Daniel <845765@qq.com>
---
 kernel/api/router.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/api/router.go b/kernel/api/router.go
index ffa717939..237a14aab 100644
--- a/kernel/api/router.go
+++ b/kernel/api/router.go
@@ -242,7 +242,7 @@ func ServeAPI(ginServer *gin.Engine) {
 ginServer.Handle("POST", "/api/block/getBlockRelevantIDs", model.CheckAuth, getBlockRelevantIDs)
 ginServer.Handle("POST", "/api/block/getBlockTreeInfos", model.CheckAuth, getBlockTreeInfos)
 ginServer.Handle("POST", "/api/block/checkBlockRef", model.CheckAuth, checkBlockRef)
- ginServer.Handle("POST", "/api/block/appendHeadingChildren", model.CheckAuth, appendHeadingChildren)
+ ginServer.Handle("POST", "/api/block/appendHeadingChildren", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, appendHeadingChildren)
 ginServer.Handle("POST", "/api/file/getFile", model.CheckAuth, getFile)
 ginServer.Handle("POST", "/api/file/putFile", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly, putFile)
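Review bot: The role and read-only checks are still attached route by route, so nothing in `ServeAPI` stops the next mutating endpoint from being registered with only `model.CheckAuth`, which is the gap this fix closes for `/api/block/appendHeadingChildren`. Consider registering write endpoints through one group, e.g. `rw := ginServer.Group("/", model.CheckAuth, model.CheckAdminRole, model.CheckReadonly)` followed by `rw.POST("/api/block/appendHeadingChildren", appendHeadingChildren)`, so the chain is stated once and stays identical to the one on `putFile`. A regression test that calls this route as a non-admin and in read-only mode and expects a rejection would keep the fix from being lost in a later edit. The other block routes in this hunk keep `model.CheckAuth` alone; from their names they appear to be read-only, but that is worth confirming since their handlers are outside the hunk. `ServeAPI` starts and ends outside the hunk.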