fix: access control behaviour

2025-12-16 03:47:49 +01:00 · 2024-11-17 02:51:57 -08:00
parent 892f6ba42b
commit 1d4c3a8c58
3 changed files with 70 additions and 57 deletions
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@@ -557,8 +557,11 @@ class ChatCompletionMiddleware(BaseHTTPMiddleware):

        model_info = Models.get_model_by_id(model["id"])
        if user.role == "user":
-            if model_info and not has_access(
-                user.id, type="read", access_control=model_info.access_control
+            if model_info and not (
+                user.id == model_info.user_id
+                or has_access(
+                    user.id, type="read", access_control=model_info.access_control
+                )
            ):
                return JSONResponse(
                    status_code=status.HTTP_403_FORBIDDEN,
@@ -1106,7 +1109,7 @@ async def get_models(user=Depends(get_verified_user)):
        for model in models:
            model_info = Models.get_model_by_id(model["id"])
            if model_info:
-                if has_access(
+                if user.id == model_info.user_id or has_access(
                    user.id, type="read", access_control=model_info.access_control
                ):
                    filtered_models.append(model)
@@ -1144,8 +1147,11 @@ async def generate_chat_completions(
    # Check if user has access to the model
    if user.role == "user":
        model_info = Models.get_model_by_id(model_id)
-        if not has_access(
-            user.id, type="read", access_control=model_info.access_control
+        if not (
+            user.id == model_info.user_id
+            or has_access(
+                user.id, type="read", access_control=model_info.access_control
+            )
        ):
            raise HTTPException(
                status_code=403,