refac: get permissions

2025-06-26 18:26:48 +00:00 · 2024-11-16 21:16:42 -08:00 · 2024-11-16 21:16:42 -08:00 · 07e0712b87
commit 07e0712b87
parent c0371f6525
1 changed files with 22 additions and 18 deletions
--- a/backend/open_webui/utils/access_control.py
+++ b/backend/open_webui/utils/access_control.py
@ -1,37 +1,41 @@
-from typing import Optional, Union, List, Dict
+from typing import Optional, Union, List, Dict, Any
 from open_webui.apps.webui.models.groups import Groups


 def get_permissions(
    user_id: str,
-    default_permissions: Dict[str, bool] = {},
-) -> dict:
+    default_permissions: Dict[str, Any] = {},
+) -> Dict[str, Any]:
    """
    Get all permissions for a user by combining the permissions of all groups the user is a member of.
-    If a permission is defined in multiple groups, the most permissive value is used.
+    If a permission is defined in multiple groups, the most permissive value is used (True > False).
+    Permissions are nested in a dict with the permission key as the key and a boolean as the value.
    """

-    def merge_permissions(
-        permissions: Dict[str, bool], new_permissions: Dict[str, bool]
-    ) -> Dict[str, bool]:
-        """Merge two permission dictionaries, keeping the most permissive value."""
-        for key, value in new_permissions.items():
-            if key not in permissions:
-                permissions[key] = value
+    def combine_permissions(
+        permissions: Dict[str, Any], group_permissions: Dict[str, Any]
+    ) -> Dict[str, Any]:
+        """Combine permissions from multiple groups by taking the most permissive value."""
+        for key, value in group_permissions.items():
+            if isinstance(value, dict):
+                if key not in permissions:
+                    permissions[key] = {}
+                permissions[key] = combine_permissions(permissions[key], value)
            else:
-                permissions[key] = (
-                    permissions[key] or value
-                )  # Use the most permissive value
-
+                if key not in permissions:
+                    permissions[key] = value
+                else:
+                    permissions[key] = permissions[key] or value
        return permissions

    user_groups = Groups.get_groups_by_member_id(user_id)
-    user_permissions = default_permissions.copy()
+    permissions = default_permissions.copy()

    for group in user_groups:
-        user_permissions = merge_permissions(user_permissions, group.permissions)
+        group_permissions = group.permissions
+        permissions = combine_permissions(permissions, group_permissions)

-    return user_permissions
+    return permissions


 def has_permission(