diff --git a/backend/open_webui/routers/knowledge.py b/backend/open_webui/routers/knowledge.py
index cce3d6311..a85ccd05e 100644
--- a/backend/open_webui/routers/knowledge.py
+++ b/backend/open_webui/routers/knowledge.py
@@ -264,7 +264,10 @@ def add_file_to_knowledge_by_id(
detail=ERROR_MESSAGES.NOT_FOUND,
)
- if knowledge.user_id != user.id and user.role != "admin":
+ if (knowledge.user_id != user.id
+ and not has_access(user.id, "write", knowledge.access_control)
+ and user.role != "admin"
+ ):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -342,7 +345,12 @@ def update_file_from_knowledge_by_id(
detail=ERROR_MESSAGES.NOT_FOUND,
)
- if knowledge.user_id != user.id and user.role != "admin":
+ if (
+ knowledge.user_id != user.id
+ and not has_access(user.id, "write", knowledge.access_control)
+ and user.role != "admin"
+ ):
+
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -406,7 +414,11 @@ def remove_file_from_knowledge_by_id(
detail=ERROR_MESSAGES.NOT_FOUND,
)
- if knowledge.user_id != user.id and user.role != "admin":
+ if (
+ knowledge.user_id != user.id
+ and not has_access(user.id, "write", knowledge.access_control)
+ and user.role != "admin"
+ ):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -484,7 +496,11 @@ async def delete_knowledge_by_id(id: str, user=Depends(get_verified_user)):
detail=ERROR_MESSAGES.NOT_FOUND,
)
- if knowledge.user_id != user.id and user.role != "admin":
+ if (
+ knowledge.user_id != user.id
+ and not has_access(user.id, "write", knowledge.access_control)
+ and user.role != "admin"
+ ):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -543,7 +559,11 @@ async def reset_knowledge_by_id(id: str, user=Depends(get_verified_user)):
detail=ERROR_MESSAGES.NOT_FOUND,
)
- if knowledge.user_id != user.id and user.role != "admin":
+ if (
+ knowledge.user_id != user.id
+ and not has_access(user.id, "write", knowledge.access_control)
+ and user.role != "admin"
+ ):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
@@ -582,7 +602,11 @@ def add_files_to_knowledge_batch(
detail=ERROR_MESSAGES.NOT_FOUND,
)
- if knowledge.user_id != user.id and user.role != "admin":
+ if (
+ knowledge.user_id != user.id
+ and not has_access(user.id, "write", knowledge.access_control)
+ and user.role != "admin"
+ ):
raise HTTPException(
status_code=status.HTTP_400_BAD_REQUEST,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
diff --git a/backend/open_webui/routers/models.py b/backend/open_webui/routers/models.py
index 6c8519b2c..a45814d32 100644
--- a/backend/open_webui/routers/models.py
+++ b/backend/open_webui/routers/models.py
@@ -183,7 +183,11 @@ async def delete_model_by_id(id: str, user=Depends(get_verified_user)):
detail=ERROR_MESSAGES.NOT_FOUND,
)
- if model.user_id != user.id and user.role != "admin":
+ if (
+ user.role == "admin"
+ or model.user_id == user.id
+ or has_access(user.id, "write", model.access_control)
+ ):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.UNAUTHORIZED,
diff --git a/backend/open_webui/routers/prompts.py b/backend/open_webui/routers/prompts.py
index 014e5652e..9fb946c6e 100644
--- a/backend/open_webui/routers/prompts.py
+++ b/backend/open_webui/routers/prompts.py
@@ -147,7 +147,11 @@ async def delete_prompt_by_command(command: str, user=Depends(get_verified_user)
detail=ERROR_MESSAGES.NOT_FOUND,
)
- if prompt.user_id != user.id and user.role != "admin":
+ if (
+ prompt.user_id != user.id
+ and not has_access(user.id, "write", prompt.access_control)
+ and user.role != "admin"
+ ):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
diff --git a/backend/open_webui/routers/tools.py b/backend/open_webui/routers/tools.py
index 7b9144b4c..d6a5c5532 100644
--- a/backend/open_webui/routers/tools.py
+++ b/backend/open_webui/routers/tools.py
@@ -227,7 +227,11 @@ async def delete_tools_by_id(
detail=ERROR_MESSAGES.NOT_FOUND,
)
- if tools.user_id != user.id and user.role != "admin":
+ if (
+ tools.user_id != user.id
+ and not has_access(user.id, "write", tools.access_control)
+ and user.role != "admin"
+ ):
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.UNAUTHORIZED,
diff --git a/src/lib/components/workspace/Knowledge/CreateKnowledgeBase.svelte b/src/lib/components/workspace/Knowledge/CreateKnowledgeBase.svelte
index 5d1e79808..8253c1f68 100644
--- a/src/lib/components/workspace/Knowledge/CreateKnowledgeBase.svelte
+++ b/src/lib/components/workspace/Knowledge/CreateKnowledgeBase.svelte
@@ -112,7 +112,10 @@
diff --git a/src/lib/components/workspace/Models/ModelEditor.svelte b/src/lib/components/workspace/Models/ModelEditor.svelte
index 58628f0d1..ae10c6eba 100644
--- a/src/lib/components/workspace/Models/ModelEditor.svelte
+++ b/src/lib/components/workspace/Models/ModelEditor.svelte
@@ -531,7 +531,10 @@