Merge pull request #9003 from tarmst/fix-no-file-upload-for-write-groups

Fix: Users with write adding docs to knowledge, deleting, and fixing read/write toggle on model & knowledge creation
2025-04-11 21:39:07 +02:00 · 2025-01-27 10:30:18 -08:00 · 2025-01-27 10:30:18 -08:00 · acdcb32ac5
commit acdcb32ac5
parent 6eb51ab62e 751a61a364
6 changed files with 53 additions and 11 deletions
--- a/backend/open_webui/routers/knowledge.py
+++ b/backend/open_webui/routers/knowledge.py
@ -264,7 +264,10 @@ def add_file_to_knowledge_by_id(
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+    ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@ -342,7 +345,12 @@ def update_file_from_knowledge_by_id(
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
+
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@ -406,7 +414,11 @@ def remove_file_from_knowledge_by_id(
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@ -484,7 +496,11 @@ async def delete_knowledge_by_id(id: str, user=Depends(get_verified_user)):
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@ -543,7 +559,11 @@ async def reset_knowledge_by_id(id: str, user=Depends(get_verified_user)):
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@ -582,7 +602,11 @@ def add_files_to_knowledge_batch(
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if knowledge.user_id != user.id and user.role != "admin":
+    if (
+        knowledge.user_id != user.id
+        and not has_access(user.id, "write", knowledge.access_control)
+        and user.role != "admin"
+        ):
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
--- a/backend/open_webui/routers/models.py
+++ b/backend/open_webui/routers/models.py
@ -183,7 +183,11 @@ async def delete_model_by_id(id: str, user=Depends(get_verified_user)):
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if model.user_id != user.id and user.role != "admin":
+    if (
+            user.role == "admin"
+            or model.user_id == user.id
+            or has_access(user.id, "write", model.access_control)
+        ):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.UNAUTHORIZED,
--- a/backend/open_webui/routers/prompts.py
+++ b/backend/open_webui/routers/prompts.py
@ -147,7 +147,11 @@ async def delete_prompt_by_command(command: str, user=Depends(get_verified_user)
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if prompt.user_id != user.id and user.role != "admin":
+    if (
+        prompt.user_id != user.id
+        and not has_access(user.id, "write", prompt.access_control)
+        and user.role != "admin"
+    ):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
--- a/backend/open_webui/routers/tools.py
+++ b/backend/open_webui/routers/tools.py
@ -227,7 +227,11 @@ async def delete_tools_by_id(
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

-    if tools.user_id != user.id and user.role != "admin":
+    if (
+        tools.user_id != user.id
+        and not has_access(user.id, "write", tools.access_control)
+        and user.role != "admin"
+    ):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=ERROR_MESSAGES.UNAUTHORIZED,
--- a/src/lib/components/workspace/Knowledge/CreateKnowledgeBase.svelte
+++ b/src/lib/components/workspace/Knowledge/CreateKnowledgeBase.svelte
@ -112,7 +112,10 @@

 		<div class="mt-2">
 			<div class="px-3 py-2 bg-gray-50 dark:bg-gray-950 rounded-lg">
-				<AccessControl bind:accessControl />
+				<AccessControl 
+				bind:accessControl 
+				accessRoles={['read', 'write']}
+				/>
 			</div>
 		</div>

--- a/src/lib/components/workspace/Models/ModelEditor.svelte
+++ b/src/lib/components/workspace/Models/ModelEditor.svelte
@ -531,7 +531,10 @@

 					<div class="my-2">
 						<div class="px-3 py-2 bg-gray-50 dark:bg-gray-950 rounded-lg">
-							<AccessControl bind:accessControl />
+							<AccessControl 
+							bind:accessControl 
+							accessRoles={['read', 'write']}
+							/>
 						</div>
 					</div>