OpenWebUI/open-webui
1
0
Fork 0
mirror of https://github.com/open-webui/open-webui synced 2025-06-26 18:26:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: user chat delete loophole

Browse Source
This commit is contained in:
Timothy J. Baek
2024-03-02 00:07:50 -08:00
parent a4c6a8d5a4
commit 74809e7330
3 changed files with 15 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
backend/apps/web/routers/chats.py
View File

@@ -271,6 +271,16 @@ async def delete_all_chat_tags_by_id(id: str, user=Depends(get_current_user)):
@router.delete("/", response_model=bool)
async def delete_all_user_chats(user=Depends(get_current_user)):
async def delete_all_user_chats(request: Request, user=Depends(get_current_user)):
if (
user.role == "user"
and not request.app.state.USER_PERMISSIONS["chat"]["deletion"]
):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
)
result = Chats.delete_chats_by_user_id(user.id)
return result