From a2e9263af0e24b20b8dd3b88bd98eb2916e04390 Mon Sep 17 00:00:00 2001
From: Classic298 <27028174+Classic298@users.noreply.github.com>
Date: Wed, 31 Dec 2025 08:28:59 +0100
Subject: [PATCH] fix: add explicit HTTPException for access control failures (#20280)

Fix implicit None returns in get_model_by_id, get_knowledge_by_id, get_tools_by_id, and get_prompt_by_command. Now properly returns 401 for access denied and 404 for not found instead of silently returning None.
---
 backend/open_webui/routers/knowledge.py | 7 ++++++-
 backend/open_webui/routers/models.py | 7 ++++++-
 backend/open_webui/routers/prompts.py | 7 ++++++-
 backend/open_webui/routers/tools.py | 7 ++++++-
 4 files changed, 24 insertions(+), 4 deletions(-)

diff --git a/backend/open_webui/routers/knowledge.py b/backend/open_webui/routers/knowledge.py
index 0b322fa86..aa85e59f2 100644
--- a/backend/open_webui/routers/knowledge.py
+++ b/backend/open_webui/routers/knowledge.py
@@ -306,9 +306,14 @@ async def get_knowledge_by_id(
 or has_access(user.id, "write", knowledge.access_control, db=db)
 ),
 )
+ else:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+ )
 else:
 raise HTTPException(
- status_code=status.HTTP_401_UNAUTHORIZED,
+ status_code=status.HTTP_404_NOT_FOUND,
 detail=ERROR_MESSAGES.NOT_FOUND,
 )
diff --git a/backend/open_webui/routers/models.py b/backend/open_webui/routers/models.py
index d65a28cc1..4d31ac2f9 100644
--- a/backend/open_webui/routers/models.py
+++ b/backend/open_webui/routers/models.py
@@ -281,9 +281,14 @@ async def get_model_by_id(id: str, user=Depends(get_verified_user), db: Session
 or has_access(user.id, "read", model.access_control, db=db)
 ):
 return model
+ else:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+ )
 else:
 raise HTTPException(
- status_code=status.HTTP_401_UNAUTHORIZED,
+ status_code=status.HTTP_404_NOT_FOUND,
 detail=ERROR_MESSAGES.NOT_FOUND,
 )
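Review bot: The added inner `else` in get_knowledge_by_id rejects a caller who fails the access check with `status.HTTP_401_UNAUTHORIZED`, but 401 signals missing or invalid credentials, while a caller who is authenticated and merely not permitted should receive 403. The sibling handlers' signatures show `user=Depends(get_verified_user)`, so the caller appears to be authenticated by the time this branch runs. Clients commonly treat 401 as an expired session and re-prompt for login, and the two codes are triaged differently in access logs. I would change the added line to `status_code=status.HTTP_403_FORBIDDEN,` and keep `detail=ERROR_MESSAGES.ACCESS_PROHIBITED`; the same added branch in the models.py, prompts.py and tools.py hunks needs the same change. The `if` this branch belongs to starts outside the hunk, so check that no existing client depends on the 401 before switching.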
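Review bot: The added `else:` after `return model` leaves get_model_by_id with two nested `else` branches that only raise, so both deny paths sit below the success path and the order of checks is hard to audit at a glance. Guard clauses would read more directly: presumably `if not model:` raising the 404 first, then the negated access test raising the denial, then an unconditional `return model` as the last line. The outer `if` and the start of the access condition lie outside this hunk, so the exact conditions have to be taken from the full function. The prompts.py and tools.py hunks have the same shape and would benefit from the same flattening.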
diff --git a/backend/open_webui/routers/prompts.py b/backend/open_webui/routers/prompts.py
index 4633cee86..70f9f71e5 100644
--- a/backend/open_webui/routers/prompts.py
+++ b/backend/open_webui/routers/prompts.py
@@ -98,9 +98,14 @@ async def get_prompt_by_command(command: str, user=Depends(get_verified_user), d
 or has_access(user.id, "read", prompt.access_control, db=db)
 ):
 return prompt
+ else:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+ )
 else:
 raise HTTPException(
- status_code=status.HTTP_401_UNAUTHORIZED,
+ status_code=status.HTTP_404_NOT_FOUND,
 detail=ERROR_MESSAGES.NOT_FOUND,
 )
diff --git a/backend/open_webui/routers/tools.py b/backend/open_webui/routers/tools.py
index 144f017ed..fd99b1581 100644
--- a/backend/open_webui/routers/tools.py
+++ b/backend/open_webui/routers/tools.py
@@ -349,9 +349,14 @@ async def get_tools_by_id(id: str, user=Depends(get_verified_user), db: Session
 or has_access(user.id, "read", tools.access_control, db=db)
 ):
 return tools
+ else:
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+ )
 else:
 raise HTTPException(
- status_code=status.HTTP_401_UNAUTHORIZED,
+ status_code=status.HTTP_404_NOT_FOUND,
 detail=ERROR_MESSAGES.NOT_FOUND,
 )
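Review bot: get_prompt_by_command now answers a missing command with `ERROR_MESSAGES.NOT_FOUND` and an existing but restricted one with `ERROR_MESSAGES.ACCESS_PROHIBITED`, so any verified user can learn from the response alone which restricted prompt commands exist. If the existence of another user's prompt is meant to stay private, the denied branch should return the same response as the missing branch, `status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND`, with the denial recorded server-side for audit. If the disclosure is intended, say so with a comment on the denied branch such as `# existence of restricted prompts is intentionally visible to verified users`. The same question applies to the ids handled in the knowledge.py, models.py and tools.py hunks, and none of the four hunks comes with a test pinning the allowed, denied and missing outcomes.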