fix: add explicit HTTPException for access control failures (#20280)

Fix implicit None returns in get_model_by_id, get_knowledge_by_id, get_tools_by_id, and get_prompt_by_command. Now properly returns 401 for access denied and 404 for not found instead of silently returning None.
2025-12-31 08:28:59 +01:00
parent 6351077958
commit a2e9263af0
4 changed files with 24 additions and 4 deletions
--- a/backend/open_webui/routers/knowledge.py
+++ b/backend/open_webui/routers/knowledge.py
@@ -306,9 +306,14 @@ async def get_knowledge_by_id(
                    or has_access(user.id, "write", knowledge.access_control, db=db)
                ),
            )
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+            )
    else:
        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
+            status_code=status.HTTP_404_NOT_FOUND,
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

--- a/backend/open_webui/routers/models.py
+++ b/backend/open_webui/routers/models.py
@@ -281,9 +281,14 @@ async def get_model_by_id(id: str, user=Depends(get_verified_user), db: Session
            or has_access(user.id, "read", model.access_control, db=db)
        ):
            return model
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+            )
    else:
        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
+            status_code=status.HTTP_404_NOT_FOUND,
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

--- a/backend/open_webui/routers/prompts.py
+++ b/backend/open_webui/routers/prompts.py
@@ -98,9 +98,14 @@ async def get_prompt_by_command(command: str, user=Depends(get_verified_user), d
            or has_access(user.id, "read", prompt.access_control, db=db)
        ):
            return prompt
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+            )
    else:
        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
+            status_code=status.HTTP_404_NOT_FOUND,
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

--- a/backend/open_webui/routers/tools.py
+++ b/backend/open_webui/routers/tools.py
@@ -349,9 +349,14 @@ async def get_tools_by_id(id: str, user=Depends(get_verified_user), db: Session
            or has_access(user.id, "read", tools.access_control, db=db)
        ):
            return tools
+        else:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+            )
    else:
        raise HTTPException(
-            status_code=status.HTTP_401_UNAUTHORIZED,
+            status_code=status.HTTP_404_NOT_FOUND,
            detail=ERROR_MESSAGES.NOT_FOUND,
        )