From bc5b3ec6b8ec0fef894eb8046c636ee33688b8c4 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek <tim@openwebui.com>
Date: Sun, 15 Mar 2026 17:21:14 -0500
Subject: [PATCH] refac

---
 backend/open_webui/routers/tools.py | 86 ++++++++++++++++++++---------
 1 file changed, 59 insertions(+), 27 deletions(-)

diff --git a/backend/open_webui/routers/tools.py b/backend/open_webui/routers/tools.py
index 0569414d4d..1fcc5b14bb 100644
--- a/backend/open_webui/routers/tools.py
+++ b/backend/open_webui/routers/tools.py
@@ -653,19 +653,35 @@ async def get_tools_valves_by_id(
     id: str, user=Depends(get_verified_user), db: Session = Depends(get_session)
 ):
     tools = Tools.get_tool_by_id(id, db=db)
-    if tools:
-        try:
-            valves = Tools.get_tool_valves_by_id(id, db=db)
-            return valves
-        except Exception as e:
-            raise HTTPException(
-                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=ERROR_MESSAGES.DEFAULT(str(e)),
-            )
-    else:
+    if not tools:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=ERROR_MESSAGES.NOT_FOUND,
+        )
+
+    if (
+        tools.user_id != user.id
+        and not AccessGrants.has_access(
+            user_id=user.id,
+            resource_type="tool",
+            resource_id=tools.id,
+            permission="write",
+            db=db,
+        )
+        and user.role != "admin"
+    ):
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
-            detail=ERROR_MESSAGES.NOT_FOUND,
+            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+        )
+
+    try:
+        valves = Tools.get_tool_valves_by_id(id, db=db)
+        return valves
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=ERROR_MESSAGES.DEFAULT(str(e)),
         )
 
 
@@ -682,26 +698,42 @@ async def get_tools_valves_spec_by_id(
     db: Session = Depends(get_session),
 ):
     tools = Tools.get_tool_by_id(id, db=db)
-    if tools:
-        if id in request.app.state.TOOLS:
-            tools_module = request.app.state.TOOLS[id]
-        else:
-            tools_module, _ = load_tool_module_by_id(id)
-            request.app.state.TOOLS[id] = tools_module
-
-        if hasattr(tools_module, "Valves"):
-            Valves = tools_module.Valves
-            schema = Valves.schema()
-            # Resolve dynamic options for select dropdowns
-            schema = resolve_valves_schema_options(Valves, schema, user)
-            return schema
-        return None
-    else:
+    if not tools:
         raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
+            status_code=status.HTTP_404_NOT_FOUND,
             detail=ERROR_MESSAGES.NOT_FOUND,
         )
 
+    if (
+        tools.user_id != user.id
+        and not AccessGrants.has_access(
+            user_id=user.id,
+            resource_type="tool",
+            resource_id=tools.id,
+            permission="write",
+            db=db,
+        )
+        and user.role != "admin"
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+        )
+
+    if id in request.app.state.TOOLS:
+        tools_module = request.app.state.TOOLS[id]
+    else:
+        tools_module, _ = load_tool_module_by_id(id)
+        request.app.state.TOOLS[id] = tools_module
+
+    if hasattr(tools_module, "Valves"):
+        Valves = tools_module.Valves
+        schema = Valves.schema()
+        # Resolve dynamic options for select dropdowns
+        schema = resolve_valves_schema_options(Valves, schema, user)
+        return schema
+    return None
+
 
 ############################
 # UpdateToolValves