From 982c84c8acf139f8b0dd5c2a4a2a751d3fdb12c7 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Mon, 5 May 2025 23:31:37 +0400
Subject: [PATCH] fix: non admin user notes

---
 backend/open_webui/routers/notes.py | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/backend/open_webui/routers/notes.py b/backend/open_webui/routers/notes.py
index 7bda0caaf..5ad5ff051 100644
--- a/backend/open_webui/routers/notes.py
+++ b/backend/open_webui/routers/notes.py
@@ -124,8 +124,10 @@ async def get_note_by_id(request: Request, id: str, user=Depends(get_verified_us
 status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND
 )
 
- if user.role != "admin" and not has_access(
- user.id, type="read", access_control=note.access_control
+ if (
+ user.role != "admin"
+ and user.id != note.user_id
+ and not has_access(user.id, type="read", access_control=note.access_control)
 ):
 raise HTTPException(
 status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()
@@ -157,8 +159,10 @@ async def update_note_by_id(
 status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND
 )
 
- if user.role != "admin" and not has_access(
- user.id, type="write", access_control=note.access_control
+ if (
+ user.role != "admin"
+ and user.id != note.user_id
+ and not has_access(user.id, type="write", access_control=note.access_control)
 ):
 raise HTTPException(
 status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()
@@ -195,8 +199,10 @@ async def delete_note_by_id(request: Request, id: str, user=Depends(get_verified
 status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND
 )
 
- if user.role != "admin" and not has_access(
- user.id, type="write", access_control=note.access_control
+ if (
+ user.role != "admin"
+ and user.id != note.user_id
+ and not has_access(user.id, type="write", access_control=note.access_control)
 ):
 raise HTTPException(
 status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()
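Review bot: The owner bypass `and user.id != note.user_id` is pasted verbatim into three separate authorization conditions (the hunks at get_note_by_id, update_note_by_id and delete_note_by_id), and this commit itself shows how such copies drift — the owner case was missing from all three until now. Collapsing the admin/owner/has_access decision into one helper, say `_user_can_access_note(user, note, permission)`, gives a single place to audit and makes the read/write distinction explicit at each call site rather than buried in a keyword argument. The enclosing functions begin outside the hunks, so the 404 lookup that precedes each check is inferred from the context lines only; presumably `note.user_id` is always populated for a stored note — worth confirming, since a `None` there would never match an owner. One hedged side observation: a requester who is neither owner nor granted access still receives 403 rather than the 404 used for a missing id, so note existence is distinguishable by status code; that predates this change and may be intended, but is worth a comment on the helper if so.
```python
def _user_can_access_note(user, note, permission: str) -> bool:
    """Return True when *user* may perform *permission* ("read"/"write") on *note*.

    Admins and the note's owner always pass; anyone else is checked via
    has_access() against the note's access_control.
    """
    if user.role == "admin" or user.id == note.user_id:
        return True
    return has_access(user.id, type=permission, access_control=note.access_control)


# … unchanged: get_note_by_id up to and including the 404 check …
    if not _user_can_access_note(user, note, "read"):
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()
# … unchanged: rest of get_note_by_id; update_note_by_id and delete_note_by_id use the same call with "write" …
```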