From ef2aeb7c0eb976bac759e59ac359c94a5b8dc7e0 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Wed, 30 Apr 2025 19:34:53 +0400
Subject: [PATCH] fix: only allow admin uploaded html to be rendered as html

---
 backend/open_webui/routers/files.py | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/backend/open_webui/routers/files.py b/backend/open_webui/routers/files.py
index c93d96259..9ddbd2311 100644
--- a/backend/open_webui/routers/files.py
+++ b/backend/open_webui/routers/files.py
@@ -19,6 +19,8 @@ from fastapi import (
 from fastapi.responses import FileResponse, StreamingResponse
 from open_webui.constants import ERROR_MESSAGES
 from open_webui.env import SRC_LOG_LEVELS
+
+from open_webui.models.users import Users
 from open_webui.models.files import (
     FileForm,
     FileModel,
@@ -449,6 +451,14 @@ async def get_html_file_content_by_id(id: str, user=Depends(get_verified_user)):
             detail=ERROR_MESSAGES.NOT_FOUND,
         )
 
+    file_user = Users.get_user_by_id(file.user_id)
+    if not file_user.role == "admin":
+        if not file_user:
+            raise HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail=ERROR_MESSAGES.NOT_FOUND,
+            )
+
     if (
         file.user_id == user.id
         or user.role == "admin"
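Review bot: The `if not file_user:` guard in the second hunk is unreachable because `file_user.role` is dereferenced on the line above it, so a file whose uploader row is missing produces an AttributeError (a 500) instead of the intended 404, and an existing non-admin uploader raises nothing and falls through to the original `file.user_id == user.id or user.role == "admin"` check, which means the restriction the commit title describes (only admin-uploaded HTML rendered as HTML) is not actually enforced and non-admin HTML is still served as HTML. Reorder the checks and raise on either condition: `file_user = Users.get_user_by_id(file.user_id)` / `if not file_user or file_user.role != "admin":` / `raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND)`. Whether the later owner-or-admin check on the requesting user should still apply once the uploader must be an admin is worth confirming against the intent, since the two conditions now overlap. The body of get_html_file_content_by_id starts and ends outside the hunk.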