From 2977910ffd9d2369dfa504aa6ab12745b3dbd19a Mon Sep 17 00:00:00 2001 From: Timothy Jaeryang Baek Date: Sat, 9 May 2026 01:25:01 +0900 Subject: [PATCH] refac --- backend/open_webui/tools/builtin.py | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/backend/open_webui/tools/builtin.py b/backend/open_webui/tools/builtin.py index f191cad758..dad212c90d 100644 --- a/backend/open_webui/tools/builtin.py +++ b/backend/open_webui/tools/builtin.py @@ -3177,8 +3177,10 @@ async def update_calendar_event( return json.dumps({'error': 'Event not found'}) # Check write access to the event's calendar - cal = await Calendars.get_calendar_by_id(event.calendar_id) - if cal and cal.user_id != user_id and __user__.get('role') != 'admin': + if event.user_id != user_id and __user__.get('role') != 'admin': + cal = await Calendars.get_calendar_by_id(event.calendar_id) + if not cal: + return json.dumps({'error': 'Access denied'}) user_group_ids = [g.id for g in await Groups.get_groups_by_member_id(user_id)] if not await AccessGrants.has_access( user_id=user_id, @@ -3278,8 +3280,10 @@ async def delete_calendar_event( return json.dumps({'error': 'Event not found'}) # Check write access - cal = await Calendars.get_calendar_by_id(event.calendar_id) - if cal and cal.user_id != user_id and __user__.get('role') != 'admin': + if event.user_id != user_id and __user__.get('role') != 'admin': + cal = await Calendars.get_calendar_by_id(event.calendar_id) + if not cal: + return json.dumps({'error': 'Access denied'}) user_group_ids = [g.id for g in await Groups.get_groups_by_member_id(user_id)] if not await AccessGrants.has_access( user_id=user_id,