From 803b39b00cbf011bdeb06f406f9d6af43c338d7e Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Wed, 7 May 2025 02:45:00 +0400
Subject: [PATCH] refac
---
 backend/open_webui/routers/users.py | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/backend/open_webui/routers/users.py b/backend/open_webui/routers/users.py
index 50014a5f6..a2bfbf665 100644
--- a/backend/open_webui/routers/users.py
+++ b/backend/open_webui/routers/users.py
@@ -21,7 +21,7 @@ from fastapi import APIRouter, Depends, HTTPException, Request, status
 from pydantic import BaseModel
 from open_webui.utils.auth import get_admin_user, get_password_hash, get_verified_user
-from open_webui.utils.access_control import get_permissions
+from open_webui.utils.access_control import get_permissions, has_permission
 log = logging.getLogger(__name__)
@@ -205,9 +205,22 @@ async def get_user_settings_by_session_user(user=Depends(get_verified_user)):
 @router.post("/user/settings/update", response_model=UserSettings)
 async def update_user_settings_by_session_user(
- form_data: UserSettings, user=Depends(get_verified_user)
+ request: Request, form_data: UserSettings, user=Depends(get_verified_user)
 ):
- user = Users.update_user_settings_by_id(user.id, form_data.model_dump())
+ updated_user_settings = form_data.model_dump()
+ if (
+ user.role != "admin"
+ and "toolServers" in updated_user_settings.get("ui").keys()
+ and not has_permission(
+ user.id,
+ "features.direct_tool_servers",
+ request.app.state.config.USER_PERMISSIONS,
+ )
+ ):
+ # If the user is not an admin and does not have permission to use tool servers, remove the key
+ updated_user_settings["ui"].pop("toolServers", None)
+
+ user = Users.update_user_settings_by_id(user.id, updated_user_settings)
 if user:
 return user.settings
 else:
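Review bot: `updated_user_settings.get("ui").keys()` in the new condition of `update_user_settings_by_session_user` raises AttributeError when the dumped settings carry no `ui` value or a null one, so a non-admin request could turn this permission check into a 500; whether that is reachable depends on how `UserSettings` declares `ui`, which is not visible here. Reading the value defensively, `ui = updated_user_settings.get("ui") or {}` followed by `"toolServers" in ui`, keeps the check fail-safe and drops the redundant `.keys()`. The filter also strips the key only at write time through this endpoint: a `toolServers` value stored before `features.direct_tool_servers` was revoked, or written through another path, is left in place, so the code that consumes `ui.toolServers` should presumably enforce the same permission. The function body continues past the end of the hunk.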