From e4cc9f2b4f8808393e1df0c0a4383e8d72b69908 Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek <tim@openwebui.com>
Date: Sun, 30 Mar 2025 23:36:15 -0700
Subject: [PATCH] refac: folders

---
 backend/open_webui/models/folders.py  | 19 +++++++++++++------
 backend/open_webui/routers/folders.py | 17 +++++++++++++++--
 2 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/backend/open_webui/models/folders.py b/backend/open_webui/models/folders.py
index 19739bc5f..1c97de26c 100644
--- a/backend/open_webui/models/folders.py
+++ b/backend/open_webui/models/folders.py
@@ -9,6 +9,8 @@ from open_webui.models.chats import Chats
 from open_webui.env import SRC_LOG_LEVELS
 from pydantic import BaseModel, ConfigDict
 from sqlalchemy import BigInteger, Column, Text, JSON, Boolean
+from open_webui.utils.access_control import get_permissions
+
 
 log = logging.getLogger(__name__)
 log.setLevel(SRC_LOG_LEVELS["MODELS"])
@@ -234,15 +236,18 @@ class FolderTable:
             log.error(f"update_folder: {e}")
             return
 
-    def delete_folder_by_id_and_user_id(self, id: str, user_id: str) -> bool:
+    def delete_folder_by_id_and_user_id(
+        self, id: str, user_id: str, delete_chats=True
+    ) -> bool:
         try:
             with get_db() as db:
                 folder = db.query(Folder).filter_by(id=id, user_id=user_id).first()
                 if not folder:
                     return False
 
-                # Delete all chats in the folder
-                Chats.delete_chats_by_user_id_and_folder_id(user_id, folder.id)
+                if delete_chats:
+                    # Delete all chats in the folder
+                    Chats.delete_chats_by_user_id_and_folder_id(user_id, folder.id)
 
                 # Delete all children folders
                 def delete_children(folder):
@@ -250,9 +255,11 @@ class FolderTable:
                         folder.id, user_id
                     )
                     for folder_child in folder_children:
-                        Chats.delete_chats_by_user_id_and_folder_id(
-                            user_id, folder_child.id
-                        )
+                        if delete_chats:
+                            Chats.delete_chats_by_user_id_and_folder_id(
+                                user_id, folder_child.id
+                            )
+
                         delete_children(folder_child)
 
                         folder = db.query(Folder).filter_by(id=folder_child.id).first()
diff --git a/backend/open_webui/routers/folders.py b/backend/open_webui/routers/folders.py
index ca2fbd213..cf37f9329 100644
--- a/backend/open_webui/routers/folders.py
+++ b/backend/open_webui/routers/folders.py
@@ -20,11 +20,13 @@ from open_webui.env import SRC_LOG_LEVELS
 from open_webui.constants import ERROR_MESSAGES
 
 
-from fastapi import APIRouter, Depends, File, HTTPException, UploadFile, status
+from fastapi import APIRouter, Depends, File, HTTPException, UploadFile, status, Request
 from fastapi.responses import FileResponse, StreamingResponse
 
 
 from open_webui.utils.auth import get_admin_user, get_verified_user
+from open_webui.utils.access_control import has_permission
+
 
 log = logging.getLogger(__name__)
 log.setLevel(SRC_LOG_LEVELS["MODELS"])
@@ -228,7 +230,18 @@ async def update_folder_is_expanded_by_id(
 
 
 @router.delete("/{id}")
-async def delete_folder_by_id(id: str, user=Depends(get_verified_user)):
+async def delete_folder_by_id(
+    request: Request, id: str, user=Depends(get_verified_user)
+):
+    chat_delete_permission = has_permission(
+        user.id, "chat.delete", request.app.state.config.USER_PERMISSIONS
+    )
+    if not chat_delete_permission:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+        )
+
     folder = Folders.get_folder_by_id_and_user_id(id, user.id)
     if folder:
         try: