backend/open_webui/routers/prompts.py

from typing import Optional

from open_webui.models.prompts import (
    PromptForm,
    PromptUserResponse,
    PromptModel,
    Prompts,
)
from open_webui.constants import ERROR_MESSAGES
from fastapi import APIRouter, Depends, HTTPException, status, Request
from open_webui.utils.auth import get_admin_user, get_verified_user
from open_webui.utils.access_control import has_access, has_permission

router = APIRouter()

############################
# GetPrompts
############################


@router.get("/", response_model=list[PromptModel])
async def get_prompts(user=Depends(get_verified_user)):
    if user.role == "admin":
        prompts = Prompts.get_prompts()
    else:
        prompts = Prompts.get_prompts_by_user_id(user.id, "read")

    return prompts


@router.get("/list", response_model=list[PromptUserResponse])
async def get_prompt_list(user=Depends(get_verified_user)):
    if user.role == "admin":
        prompts = Prompts.get_prompts()
    else:
        prompts = Prompts.get_prompts_by_user_id(user.id, "write")

    return prompts


############################
# CreateNewPrompt
############################


@router.post("/create", response_model=Optional[PromptModel])
async def create_new_prompt(
    request: Request, form_data: PromptForm, user=Depends(get_verified_user)
):
    if user.role != "admin" and not has_permission(
        user.id, "workspace.prompts", request.app.state.config.USER_PERMISSIONS
    ):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.UNAUTHORIZED,
        )

    prompt = Prompts.get_prompt_by_command(form_data.command)
    if prompt is None:
        prompt = Prompts.insert_new_prompt(user.id, form_data)

        if prompt:
            return prompt
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.DEFAULT(),
        )
    raise HTTPException(
        status_code=status.HTTP_400_BAD_REQUEST,
        detail=ERROR_MESSAGES.COMMAND_TAKEN,
    )


############################
# GetPromptByCommand
############################


@router.get("/command/{command}", response_model=Optional[PromptModel])
async def get_prompt_by_command(command: str, user=Depends(get_verified_user)):
    prompt = Prompts.get_prompt_by_command(f"/{command}")

    if prompt:
        if (
            user.role == "admin"
            or prompt.user_id == user.id
            or has_access(user.id, "read", prompt.access_control)
        ):
            return prompt
    else:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.NOT_FOUND,
        )


############################
# UpdatePromptByCommand
############################


@router.post("/command/{command}/update", response_model=Optional[PromptModel])
async def update_prompt_by_command(
    command: str,
    form_data: PromptForm,
    user=Depends(get_verified_user),
):
    prompt = Prompts.get_prompt_by_command(f"/{command}")
    if not prompt:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

    # Is the user the original creator, in a group with write access, or an admin
    if (
        prompt.user_id != user.id
        and not has_access(user.id, "write", prompt.access_control)
        and user.role != "admin"
    ):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )

    prompt = Prompts.update_prompt_by_command(f"/{command}", form_data)
    if prompt:
        return prompt
    else:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )


############################
# DeletePromptByCommand
############################


@router.delete("/command/{command}/delete", response_model=bool)
async def delete_prompt_by_command(command: str, user=Depends(get_verified_user)):
    prompt = Prompts.get_prompt_by_command(f"/{command}")
    if not prompt:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

    if (
        prompt.user_id != user.id
        and not has_access(user.id, "write", prompt.access_control)
        and user.role != "admin"
    ):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
        )

    result = Prompts.delete_prompt_by_command(f"/{command}")
    return result
sort and fix backend imports 2024-08-28 00:10:27 +02:00			`from typing import Optional`
feat: prompts backend support 2024-01-02 20:51:19 -08:00
wip 2024-12-10 00:54:13 -08:00			`from open_webui.models.prompts import (`
enh: tools user info 2024-11-18 06:19:34 -08:00			`PromptForm,`
			`PromptUserResponse,`
			`PromptModel,`
			`Prompts,`
			`)`
refac: mv backend files to /open_webui dir 2024-09-04 16:54:48 +02:00			`from open_webui.constants import ERROR_MESSAGES`
refac: user permissions validation 2024-11-17 03:04:31 -08:00			`from fastapi import APIRouter, Depends, HTTPException, status, Request`
refac 2024-12-08 16:01:56 -08:00			`from open_webui.utils.auth import get_admin_user, get_verified_user`
refac: user permissions validation 2024-11-17 03:04:31 -08:00			`from open_webui.utils.access_control import has_access, has_permission`
feat: prompts backend support 2024-01-02 20:51:19 -08:00
			`router = APIRouter()`

			`############################`
			`# GetPrompts`
			`############################`


remove List imports 2024-08-14 13:46:31 +01:00			`@router.get("/", response_model=list[PromptModel])`
refac 2024-06-27 11:29:59 -07:00			`async def get_prompts(user=Depends(get_verified_user)):`
enh: access control 2024-11-16 17:09:15 -08:00			`if user.role == "admin":`
			`prompts = Prompts.get_prompts()`
			`else:`
			`prompts = Prompts.get_prompts_by_user_id(user.id, "read")`

			`return prompts`


enh: tools user info 2024-11-18 06:19:34 -08:00			`@router.get("/list", response_model=list[PromptUserResponse])`
enh: access control 2024-11-16 17:09:15 -08:00			`async def get_prompt_list(user=Depends(get_verified_user)):`
			`if user.role == "admin":`
			`prompts = Prompts.get_prompts()`
			`else:`
			`prompts = Prompts.get_prompts_by_user_id(user.id, "write")`

			`return prompts`
feat: prompts backend support 2024-01-02 20:51:19 -08:00

			`############################`
			`# CreateNewPrompt`
			`############################`


			`@router.post("/create", response_model=Optional[PromptModel])`
refac: user permissions validation 2024-11-17 03:04:31 -08:00			`async def create_new_prompt(`
			`request: Request, form_data: PromptForm, user=Depends(get_verified_user)`
			`):`
			`if user.role != "admin" and not has_permission(`
			`user.id, "workspace.prompts", request.app.state.config.USER_PERMISSIONS`
			`):`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.UNAUTHORIZED,`
			`)`

feat(sqlalchemy): remove session reference from router 2024-06-21 14:58:57 +02:00			`prompt = Prompts.get_prompt_by_command(form_data.command)`
replace == None with is None 2024-08-14 13:39:53 +01:00			`if prompt is None:`
feat(sqlalchemy): remove session reference from router 2024-06-21 14:58:57 +02:00			`prompt = Prompts.insert_new_prompt(user.id, form_data)`
feat: prompt crud 2024-01-02 21:35:47 -08:00
			`if prompt:`
			`return prompt`
feat: prompts backend support 2024-01-02 20:51:19 -08:00			`raise HTTPException(`
feat: prompt crud 2024-01-02 21:35:47 -08:00			`status_code=status.HTTP_400_BAD_REQUEST,`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-08 18:05:01 -06:00			`detail=ERROR_MESSAGES.DEFAULT(),`
feat: prompts backend support 2024-01-02 20:51:19 -08:00			`)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-08 18:05:01 -06:00			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.COMMAND_TAKEN,`
			`)`
feat: prompts backend support 2024-01-02 20:51:19 -08:00

			`############################`
			`# GetPromptByCommand`
			`############################`


fix: allow command named create 2024-01-06 17:55:41 -08:00			`@router.get("/command/{command}", response_model=Optional[PromptModel])`
refac 2024-06-27 11:29:59 -07:00			`async def get_prompt_by_command(command: str, user=Depends(get_verified_user)):`
feat(sqlalchemy): remove session reference from router 2024-06-21 14:58:57 +02:00			`prompt = Prompts.get_prompt_by_command(f"/{command}")`
feat: prompts backend support 2024-01-02 20:51:19 -08:00
			`if prompt:`
refac: prompts access control 2024-11-16 18:00:49 -08:00			`if (`
			`user.role == "admin"`
			`or prompt.user_id == user.id`
			`or has_access(user.id, "read", prompt.access_control)`
			`):`
			`return prompt`
feat: prompts backend support 2024-01-02 20:51:19 -08:00			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.NOT_FOUND,`
			`)`


			`############################`
			`# UpdatePromptByCommand`
			`############################`


fix: allow command named create 2024-01-06 17:55:41 -08:00			`@router.post("/command/{command}/update", response_model=Optional[PromptModel])`
			`async def update_prompt_by_command(`
feat(sqlalchemy): Replace peewee with sqlalchemy 2024-06-18 15:03:31 +02:00			`command: str,`
			`form_data: PromptForm,`
enh: access control 2024-11-16 17:09:15 -08:00			`user=Depends(get_verified_user),`
fix: allow command named create 2024-01-06 17:55:41 -08:00			`):`
refac: prompts access control 2024-11-16 18:00:49 -08:00			`prompt = Prompts.get_prompt_by_command(f"/{command}")`
			`if not prompt:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.NOT_FOUND,`
			`)`
chore: format backend 2025-01-19 11:59:07 -08:00
Add toggle to read/write perms on access control 2025-01-10 18:44:26 +00:00			`# Is the user the original creator, in a group with write access, or an admin`
chore: format backend 2025-01-19 11:59:07 -08:00			`if (`
			`prompt.user_id != user.id`
			`and not has_access(user.id, "write", prompt.access_control)`
			`and user.role != "admin"`
			`):`
refac: prompts access control 2024-11-16 18:00:49 -08:00			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`

feat(sqlalchemy): remove session reference from router 2024-06-21 14:58:57 +02:00			`prompt = Prompts.update_prompt_by_command(f"/{command}", form_data)`
feat: prompts backend support 2024-01-02 20:51:19 -08:00			`if prompt:`
			`return prompt`
			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`


			`############################`
			`# DeletePromptByCommand`
			`############################`


fix: allow command named create 2024-01-06 17:55:41 -08:00			`@router.delete("/command/{command}/delete", response_model=bool)`
enh: access control 2024-11-16 17:09:15 -08:00			`async def delete_prompt_by_command(command: str, user=Depends(get_verified_user)):`
refac: prompts access control 2024-11-16 18:00:49 -08:00			`prompt = Prompts.get_prompt_by_command(f"/{command}")`
			`if not prompt:`
			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.NOT_FOUND,`
			`)`

Adding more checks for write access. Adding accessRoles to Model & Knowledge creation 2025-01-27 18:11:52 +00:00			`if (`
			`prompt.user_id != user.id`
			`and not has_access(user.id, "write", prompt.access_control)`
			`and user.role != "admin"`
			`):`
refac: prompts access control 2024-11-16 18:00:49 -08:00			`raise HTTPException(`
			`status_code=status.HTTP_401_UNAUTHORIZED,`
			`detail=ERROR_MESSAGES.ACCESS_PROHIBITED,`
			`)`

feat(sqlalchemy): remove session reference from router 2024-06-21 14:58:57 +02:00			`result = Prompts.delete_prompt_by_command(f"/{command}")`
feat: prompts backend support 2024-01-02 20:51:19 -08:00			`return result`