From 627a38388b3074f6b954f990c5cf9408e7c15c1a Mon Sep 17 00:00:00 2001
From: Fendy Heryanto <fendy@nocodb.com>
Date: Tue, 27 Jan 2026 08:36:52 +0000
Subject: [PATCH] wrap makeAxiosRequest under auth

---
 packages/nocodb/src/controllers/utils.controller.ts | 4 +++-
 packages/nocodb/src/utils/acl.ts                    | 6 ++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/packages/nocodb/src/controllers/utils.controller.ts b/packages/nocodb/src/controllers/utils.controller.ts
index e1ca61edd6..b3587e357a 100644
--- a/packages/nocodb/src/controllers/utils.controller.ts
+++ b/packages/nocodb/src/controllers/utils.controller.ts
@@ -29,6 +29,7 @@ import { MetaTable, RootScopes } from '~/utils/globals';
 import { NcError } from '~/helpers/catchError';
 import { deepMerge, isEE } from '~/utils';
 import Noco from '~/Noco';
+import { DataApiLimiterGuard } from '~/guards/data-api-limiter.guard';
 
 @Controller()
 export class UtilsController {
@@ -146,8 +147,9 @@ export class UtilsController {
     return await this.utilsService.appHealth();
   }
 
-  @UseGuards(PublicApiLimiterGuard)
+  @UseGuards(DataApiLimiterGuard, GlobalGuard)
   @Post(['/api/v1/db/meta/axiosRequestMake', '/api/v2/meta/axiosRequestMake'])
+  @Acl('fetchViaUrl')
   @HttpCode(200)
   async axiosRequestMake(@Body() body: any) {
     return await this.utilsService.axiosRequestMake({ body });
diff --git a/packages/nocodb/src/utils/acl.ts b/packages/nocodb/src/utils/acl.ts
index 783756530c..ecc2623c02 100644
--- a/packages/nocodb/src/utils/acl.ts
+++ b/packages/nocodb/src/utils/acl.ts
@@ -82,6 +82,9 @@ const permissionScopes = {
     'mcpRootList',
 
     'getUserProfile',
+
+    // etc
+    'fetchViaUrl',
   ],
   base: [
     'nestedDataListCopyPasteOrDeleteAll',
@@ -291,6 +294,9 @@ const rolePermissions:
       mcpCreate: true,
       mcpUpdate: true,
       mcpDelete: true,
+
+      // etc
+      fetchViaUrl: true,
     },
   },
   [ProjectRoles.COMMENTER]: {