diff --git a/backend/open_webui/routers/tools.py b/backend/open_webui/routers/tools.py
index c017233765..5f82e7f1bd 100644
--- a/backend/open_webui/routers/tools.py
+++ b/backend/open_webui/routers/tools.py
@@ -4,6 +4,7 @@ from typing import Optional
 import time
 import re
 import aiohttp
+from open_webui.models.groups import Groups
 from pydantic import BaseModel, HttpUrl
 from fastapi import APIRouter, Depends, HTTPException, Request, status
@@ -71,11 +72,12 @@ async def get_tools(request: Request, user=Depends(get_verified_user)):
 # Admin can see all tools
 return tools
 else:
+ user_group_ids = {group.id for group in Groups.get_groups_by_member_id(user.id)}
 tools = [
 tool
 for tool in tools
 if tool.user_id == user.id
- or has_access(user.id, "read", tool.access_control)
+ or has_access(user.id, "read", tool.access_control, user_group_ids)
 ]
 return tools
diff --git a/backend/open_webui/utils/access_control.py b/backend/open_webui/utils/access_control.py
index c36d861ad6..1529773c44 100644
--- a/backend/open_webui/utils/access_control.py
+++ b/backend/open_webui/utils/access_control.py
@@ -1,4 +1,4 @@
-from typing import Optional, Union, List, Dict, Any
+from typing import Optional, Set, Union, List, Dict, Any
 from open_webui.models.users import Users, UserModel
 from open_webui.models.groups import Groups
@@ -109,12 +109,15 @@ def has_access(
 user_id: str,
 type: str = "write",
 access_control: Optional[dict] = None,
+ user_group_ids: Optional[Set[str]] = None,
 ) -> bool:
 if access_control is None:
 return type == "read"
- user_groups = Groups.get_groups_by_member_id(user_id)
- user_group_ids = [group.id for group in user_groups]
+ if user_group_ids is None:
+ user_groups = Groups.get_groups_by_member_id(user_id)
+ user_group_ids = {group.id for group in user_groups}
+
 permission_access = access_control.get(type, {})
 permitted_group_ids = permission_access.get("group_ids", [])
 permitted_user_ids = permission_access.get("user_ids", [])
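Review bot: The prefetched `user_group_ids` in the `else:` branch of get_tools has no comment saying why it exists or that it must be built from the same `user.id` that is passed to has_access two lines further down. Without that, a later edit could reuse the set for a different user or hoist it into a longer-lived cache, and the read filter would then rest on the wrong memberships. I would add `# Resolve the caller's groups once per request; has_access would otherwise look them up for every tool.` above the assignment. get_tools begins outside this hunk, so the admin branch is only partly visible.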
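Review bot: has_access now takes group membership from the caller whenever `user_group_ids` is supplied, and nothing in the signature or in a docstring says the set has to be the groups of `user_id`. A call site that passes another user's set, or one kept across requests after a membership change, would get a wrong authorization answer with no error. I would add a docstring stating that `user_group_ids` is an optional per-request prefetch of `Groups.get_groups_by_member_id(user_id)` for that same user, and that `None` makes the function do the lookup itself. The `is None` test is the right one, since an empty set is kept as "member of no groups" rather than triggering a second lookup. The rest of the body, where the set is compared with `permitted_group_ids`, lies outside the hunk.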