From 8fc5532e2fb70ee5b82aeb286cdde0995c9c8657 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Thu, 23 Jan 2025 10:37:44 -0800
Subject: [PATCH] fix: tools valves access
---
 backend/open_webui/routers/tools.py | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/backend/open_webui/routers/tools.py b/backend/open_webui/routers/tools.py
index bb19c6f3b..7b9144b4c 100644
--- a/backend/open_webui/routers/tools.py
+++ b/backend/open_webui/routers/tools.py
@@ -309,6 +309,17 @@ async def update_tools_valves_by_id(
 status_code=status.HTTP_401_UNAUTHORIZED,
 detail=ERROR_MESSAGES.NOT_FOUND,
 )
+
+ if (
+ tools.user_id != user.id
+ and not has_access(user.id, "write", tools.access_control)
+ and user.role != "admin"
+ ):
+ raise HTTPException(
+ status_code=status.HTTP_400_BAD_REQUEST,
+ detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+ )
+
 if id in request.app.state.TOOLS:
 tools_module = request.app.state.TOOLS[id]
 else:
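Review bot: The new owner/write-access guard in update_tools_valves_by_id rejects an unauthorized caller with `status.HTTP_400_BAD_REQUEST`, which reports an authorization failure as a malformed request; `status_code=status.HTTP_403_FORBIDDEN,` would let clients and log-based alerting tell denied valve updates apart from bad input. The patch touches only this one handler (the diffstat shows a single hunk), so it is worth confirming that any other valves routes in tools.py, such as ones that read valves or their spec, enforce the same owner / `has_access` / admin rule, since valves may hold tool configuration. A one-line comment above the condition, e.g. `# Only the owner, users with write access, or admins may change valves`, would record the intent. The function body starts and ends outside the hunk.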