From 32cb9df3c49155f2e625672a806f1afe7fa1e3fb Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek
Date: Tue, 9 Sep 2025 18:08:31 +0400
Subject: [PATCH] refac/enh: knowledge ac backend validation

---
 backend/open_webui/routers/knowledge.py | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)

diff --git a/backend/open_webui/routers/knowledge.py b/backend/open_webui/routers/knowledge.py
index 316eb3da2d..71722d706e 100644
--- a/backend/open_webui/routers/knowledge.py
+++ b/backend/open_webui/routers/knowledge.py
@@ -151,6 +151,18 @@ async def create_new_knowledge(
 detail=ERROR_MESSAGES.UNAUTHORIZED,
 )
 
+ # Check if user can share publicly
+ if (
+ user.role != "admin"
+ and form_data.access_control == None
+ and not has_permission(
+ user.id,
+ "sharing.public_knowledge",
+ request.app.state.config.USER_PERMISSIONS,
+ )
+ ):
+ form_data.access_control = {}
+
 knowledge = Knowledges.insert_new_knowledge(user.id, form_data)
 
 if knowledge:
@@ -285,6 +297,7 @@ async def get_knowledge_by_id(id: str, user=Depends(get_verified_user)):
 
 @router.post("/{id}/update", response_model=Optional[KnowledgeFilesResponse])
 async def update_knowledge_by_id(
+ request: Request,
 id: str,
 form_data: KnowledgeForm,
 user=Depends(get_verified_user),
@@ -306,6 +319,18 @@ async def update_knowledge_by_id(
 detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
 )
 
+ # Check if user can share publicly
+ if (
+ user.role != "admin"
+ and form_data.access_control == None
+ and not has_permission(
+ user.id,
+ "sharing.public_knowledge",
+ request.app.state.config.USER_PERMISSIONS,
+ )
+ ):
+ form_data.access_control = {}
+
 knowledge = Knowledges.update_knowledge_by_id(id=id, form_data=form_data)
 if knowledge:
 file_ids = knowledge.data.get("file_ids", []) if knowledge.data else []
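Review bot: In create_new_knowledge the new guard silently rewrites the request instead of refusing it. A non-admin without `sharing.public_knowledge` who submits `access_control` as `None` gets it replaced with `{}` and an ordinary success response, so neither the caller nor an audit trail records that the requested sharing level was overridden; consider logging the downgrade or rejecting through the existing `ERROR_MESSAGES.UNAUTHORIZED` path. The block also depends on the convention that `None` apparently means public and `{}` means private, which the comment does not state. I would add `# access_control None => public, {} => private; force private when the user lacks sharing.public_knowledge` and write the comparison as `and form_data.access_control is None`. The identical block in update_knowledge_by_id (third hunk) has the same points, and both function bodies extend beyond their hunks.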
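Review bot: In update_knowledge_by_id (third hunk) the guard inspects only the submitted form, never the stored record's current `access_control`. If a knowledge base is already public and a user without `sharing.public_knowledge` saves an unrelated edit, the `None` sent back is coerced to `{}` and the entry is silently made private as a side effect. If that is not the intent, apply the coercion only when the request would change the stored value to public, and otherwise keep the stored value. The code that loads the existing record is outside this hunk, so the variable to compare against has to be confirmed there.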