mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-10 12:35:55 +02:00
fix(auth): enforce features.api_keys permission on GET and DELETE /api_key endpoints (#25992)
This commit is contained in:
@@ -1237,20 +1237,26 @@ async def update_ldap_config(request: Request, form_data: LdapConfigForm, user=D
|
||||
############################
|
||||
|
||||
|
||||
# create api key
|
||||
@router.post('/api_key', response_model=ApiKey)
|
||||
async def generate_api_key(
|
||||
request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)
|
||||
):
|
||||
async def _check_api_key_permission(request: Request, user, db: AsyncSession):
|
||||
if not request.app.state.config.ENABLE_API_KEYS or (
|
||||
user.role != 'admin'
|
||||
and not await has_permission(user.id, 'features.api_keys', request.app.state.config.USER_PERMISSIONS)
|
||||
and not await has_permission(
|
||||
user.id, 'features.api_keys', request.app.state.config.USER_PERMISSIONS, db=db
|
||||
)
|
||||
):
|
||||
raise HTTPException(
|
||||
status_code=status.HTTP_403_FORBIDDEN,
|
||||
detail=ERROR_MESSAGES.API_KEY_CREATION_NOT_ALLOWED,
|
||||
)
|
||||
|
||||
|
||||
# create api key
|
||||
@router.post('/api_key', response_model=ApiKey)
|
||||
async def generate_api_key(
|
||||
request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)
|
||||
):
|
||||
await _check_api_key_permission(request, user, db)
|
||||
|
||||
api_key = create_api_key()
|
||||
success = await Users.update_user_api_key_by_id(user.id, api_key, db=db)
|
||||
|
||||
@@ -1264,13 +1270,19 @@ async def generate_api_key(
|
||||
|
||||
# delete api key
|
||||
@router.delete('/api_key', response_model=bool)
|
||||
async def delete_api_key(user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)):
|
||||
async def delete_api_key(
|
||||
request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)
|
||||
):
|
||||
await _check_api_key_permission(request, user, db)
|
||||
return await Users.delete_user_api_key_by_id(user.id, db=db)
|
||||
|
||||
|
||||
# get api key
|
||||
@router.get('/api_key', response_model=ApiKey)
|
||||
async def get_api_key(user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)):
|
||||
async def get_api_key(
|
||||
request: Request, user=Depends(get_current_user), db: AsyncSession = Depends(get_async_session)
|
||||
):
|
||||
await _check_api_key_permission(request, user, db)
|
||||
api_key = await Users.get_user_api_key_by_id(user.id, db=db)
|
||||
if api_key:
|
||||
return {
|
||||
|
||||
Reference in New Issue
Block a user