fix: require write permission for pin_channel_message on standard channels (#24521)

`pin_channel_message` (channels.py:1242) checked `permission='read'` on
the standard-channel branch before mutating `is_pinned` / `pinned_by` /
`pinned_at` via `Messages.update_is_pinned_by_id`. Pin/unpin is a write
operation; gating it on read access let any user with read-only channel
access pin or unpin any message in the channel, including admin posts.

One-character fix: change `permission='read'` to `permission='write'`.

Reported by kikayli in GHSA-5gc6-xhv4-2wg6.

Co-authored-by: kikayli <kikayli@users.noreply.github.com>
Classic298
2026-05-10 17:59:50 +02:00
committed by GitHub
parent 2d9939ed49
commit d3737176bc
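The bug described above is a mutating endpoint gated on the permission for a non-mutating operation. As an added illustration (this is not Open WebUI's code; `channel_has_access`, `update_is_pinned_by_id`, `Forbidden`, the `User`/`Channel`/`Message` classes and the rule that `write` implies `read` are all stand-ins assumed here), the following models the pin endpoint with the pre-fix `read` gate next to the post-fix `write` gate and runs the same set of callers through both:

```python
"""Added example, not project code: pin/unpin gated on 'read' vs 'write'.
Every helper below is a hypothetical stand-in for the real Open WebUI one."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional, Set


class Forbidden(Exception):
    """Stand-in for HTTPException(status_code=403)."""


@dataclass
class User:
    id: str
    role: str = "user"  # 'admin' bypasses the channel ACL, as in the hunk


@dataclass
class Channel:
    id: str
    # assumed ACL shape: user id -> set of granted permissions
    acl: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Message:
    id: str
    channel_id: str
    is_pinned: bool = False
    pinned_by: Optional[str] = None
    pinned_at: Optional[datetime] = None


def channel_has_access(user_id: str, channel: Channel, permission: str) -> bool:
    """Hypothetical stand-in for channel_has_access(); assumes 'write' implies 'read'."""
    granted = channel.acl.get(user_id, set())
    if permission == "read":
        return bool(granted & {"read", "write"})
    return permission in granted


def update_is_pinned_by_id(msg: Message, pinned: bool, by: str) -> Message:
    """Stand-in for Messages.update_is_pinned_by_id(): the mutation the gate protects."""
    msg.is_pinned = pinned
    msg.pinned_by = by if pinned else None
    msg.pinned_at = datetime.now(timezone.utc) if pinned else None
    return msg


def pin_message(user: User, channel: Channel, msg: Message, pinned: bool, *, required: str) -> Message:
    """Core of the endpoint; `required` is the permission the ACL gate checks."""
    if user.role != "admin" and not channel_has_access(user.id, channel, required):
        raise Forbidden()
    if msg.channel_id != channel.id:  # assumed extra check: message must belong to the channel
        raise Forbidden()
    return update_is_pinned_by_id(msg, pinned, user.id)


def pin_message_vulnerable(user: User, channel: Channel, msg: Message, pinned: bool = True) -> Message:
    # before the fix: a mutation gated on 'read'
    return pin_message(user, channel, msg, pinned, required="read")


def pin_message_fixed(user: User, channel: Channel, msg: Message, pinned: bool = True) -> Message:
    # after the fix: the same mutation gated on 'write'
    return pin_message(user, channel, msg, pinned, required="write")


def run_scenarios() -> Dict[str, str]:
    """Run constructed callers through both versions; returns outcome per scenario."""
    channel = Channel("general", acl={"alice": {"read"}, "bob": {"write"}})
    reader, writer, admin = User("alice"), User("bob"), User("root", role="admin")
    outcomes: Dict[str, str] = {}
    for label, fn, who in [
        ("reader_before_fix", pin_message_vulnerable, reader),
        ("reader_after_fix", pin_message_fixed, reader),
        ("writer_after_fix", pin_message_fixed, writer),
        ("admin_after_fix", pin_message_fixed, admin),
        ("outsider_after_fix", pin_message_fixed, User("mallory")),
    ]:
        msg = Message("m1", "general")  # fresh constructed message per run
        try:
            fn(who, channel, msg)
            outcomes[label] = "pinned" if msg.is_pinned else "unchanged"
        except Forbidden:
            outcomes[label] = "forbidden"
    return outcomes


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario}: {outcome}")
```

The only difference between the two endpoint variants is the `required` argument; the read-only caller `alice` succeeds against the first and is rejected by the second, while the writer and the admin are unaffected, which is the regression a test for this fix should pin down.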

@@ -1256,7 +1256,8 @@ async def pin_channel_message(
if not await Channels.is_user_channel_member(channel.id, user.id, db=db):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
else:
if user.role != 'admin' and not await channel_has_access(user.id, channel, permission='read', db=db):
# Pin/unpin mutates is_pinned/pinned_by/pinned_at — require write.
if user.role != 'admin' and not await channel_has_access(user.id, channel, permission='write', db=db):
raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT())
message = await Messages.get_message_by_id(message_id, db=db)
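Review bot: the tightened gate on the `else` branch is right, but the hunk carries no regression test; add one in which a user holding only read access to a standard channel calls `pin_channel_message` and receives 403, since that is exactly the case the old `permission='read'` check let through. Two smaller points: the commit message cites `channels.py:1242` while the hunk header reads `@@ -1256,7 +1256,8 @@`, so one of the two is stale; and because `message` is only fetched after the channel check (last line of the hunk), please confirm that the code below it verifies the message belongs to `channel` before `Messages.update_is_pinned_by_id` is called, so that the write check applies to the channel the message actually lives in.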