From dd6de749d570e0bf8309d66f3fcf7f242d5f397e Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Thu, 23 Jan 2025 10:40:49 -0800
Subject: [PATCH] fix: model update access
---
 backend/open_webui/routers/models.py | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/backend/open_webui/routers/models.py b/backend/open_webui/routers/models.py
index db981a913..6c8519b2c 100644
--- a/backend/open_webui/routers/models.py
+++ b/backend/open_webui/routers/models.py
@@ -155,6 +155,16 @@ async def update_model_by_id(
 detail=ERROR_MESSAGES.NOT_FOUND,
 )
+ if (
+ model.user_id != user.id
+ and not has_access(user.id, "write", model.access_control)
+ and user.role != "admin"
+ ):
+ raise HTTPException(
+ status_code=status.HTTP_400_BAD_REQUEST,
+ detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+ )
+
 model = Models.update_model_by_id(id, form_data)
 return model
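Review bot: The denial raised in the new `if` block is sent as `status.HTTP_400_BAD_REQUEST`, so a rejected write is indistinguishable from a malformed request in client handling and in log-based alerting on authorization failures; `status_code=status.HTTP_403_FORBIDDEN,` states what actually happened. The check also sits after the `ERROR_MESSAGES.NOT_FOUND` branch visible in the context lines, so a caller without write access still gets different answers for existing and missing model ids; if ids are meant to be private, both cases should return the same response. The body of `update_model_by_id` starts outside the hunk and the other write routes of this router are not visible here, so it is worth confirming they apply the same owner / `has_access(user.id, "write", ...)` / admin rule, ideally through one shared helper rather than a copied condition. A short comment above the condition such as `# Only the owner, users with write access, or admins may update a model` would make the intent explicit.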