OpenWebUI/open-webui
1
0
Fork 0
mirror of https://github.com/open-webui/open-webui synced 2025-06-26 18:26:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: only allow admin uploaded html to be rendered as html

Browse Source
This commit is contained in:
Timothy Jaeryang Baek 2025-04-30 19:34:53 +04:00
parent 783d409b1d
commit ef2aeb7c0e
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
backend/open_webui/routers/files.py
View File

@ -19,6 +19,8 @@ from fastapi import (
from fastapi.responses import FileResponse, StreamingResponse from fastapi.responses import FileResponse, StreamingResponse
from open_webui.constants import ERROR_MESSAGES from open_webui.constants import ERROR_MESSAGES
from open_webui.env import SRC_LOG_LEVELS from open_webui.env import SRC_LOG_LEVELS
from open_webui.models.users import Users
from open_webui.models.files import ( from open_webui.models.files import (
FileForm, FileForm,
FileModel, FileModel,
@ -449,6 +451,14 @@ async def get_html_file_content_by_id(id: str, user=Depends(get_verified_user)):
detail=ERROR_MESSAGES.NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND,
) )
file_user = Users.get_user_by_id(file.user_id)
if not file_user.role == "admin":
if not file_user:
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND,
detail=ERROR_MESSAGES.NOT_FOUND,
)
if ( if (
file.user_id == user.id file.user_id == user.id
or user.role == "admin" or user.role == "admin"