fix: only allow admin uploaded html to be rendered as html

2025-06-11 08:56:21 +00:00 · 2025-04-30 19:34:53 +04:00 · 2025-04-30 19:34:53 +04:00 · ef2aeb7c0e
commit ef2aeb7c0e
parent 783d409b1d
1 changed files with 10 additions and 0 deletions
--- a/backend/open_webui/routers/files.py
+++ b/backend/open_webui/routers/files.py
@ -19,6 +19,8 @@ from fastapi import (
 from fastapi.responses import FileResponse, StreamingResponse
 from open_webui.constants import ERROR_MESSAGES
 from open_webui.env import SRC_LOG_LEVELS
+
+from open_webui.models.users import Users
 from open_webui.models.files import (
    FileForm,
    FileModel,
@ -449,6 +451,14 @@ async def get_html_file_content_by_id(id: str, user=Depends(get_verified_user)):
            detail=ERROR_MESSAGES.NOT_FOUND,
        )

+    file_user = Users.get_user_by_id(file.user_id)
+    if not file_user.role == "admin":
+        if not file_user:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=ERROR_MESSAGES.NOT_FOUND,
+            )
+
    if (
        file.user_id == user.id
        or user.role == "admin"