Adding more checks for write access. Adding accessRoles to Model & Knowledge creation

2025-12-15 19:37:47 +01:00 · 2025-01-27 18:11:52 +00:00
parent 6eb51ab62e
commit 751a61a364
6 changed files with 53 additions and 11 deletions
--- a/backend/open_webui/routers/knowledge.py
+++ b/backend/open_webui/routers/knowledge.py
@@ -264,7 +264,10 @@ def add_file_to_knowledge_by_id(
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+    ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -342,7 +345,12 @@ def update_file_from_knowledge_by_id(
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
+
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -406,7 +414,11 @@ def remove_file_from_knowledge_by_id(
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -484,7 +496,11 @@ async def delete_knowledge_by_id(id: str, user=Depends(get_verified_user)):
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -543,7 +559,11 @@ async def reset_knowledge_by_id(id: str, user=Depends(get_verified_user)):
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -582,7 +602,11 @@ def add_files_to_knowledge_batch(
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,