fix: notes permissions issue

2025-12-12 12:25:20 +00:00 · 2025-06-16 11:35:01 +04:00 · 2025-06-16 11:35:01 +04:00 · 805e980ae5
commit 805e980ae5
parent b50cfd0940
1 changed files with 4 additions and 4 deletions
--- a/backend/open_webui/routers/notes.py
+++ b/backend/open_webui/routers/notes.py
@ -124,9 +124,9 @@ async def get_note_by_id(request: Request, id: str, user=Depends(get_verified_us
            status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND
        )
-    if user.role != "admin" or (
+    if user.role != "admin" and (
        user.id != note.user_id
-        and not has_access(user.id, type="read", access_control=note.access_control)
+        and (not has_access(user.id, type="read", access_control=note.access_control))
    ):
        raise HTTPException(
            status_code=status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.DEFAULT()
@ -158,7 +158,7 @@ async def update_note_by_id(
            status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND
        )
-    if user.role != "admin" or (
+    if user.role != "admin" and (
        user.id != note.user_id
        and not has_access(user.id, type="write", access_control=note.access_control)
    ):
@ -197,7 +197,7 @@ async def delete_note_by_id(request: Request, id: str, user=Depends(get_verified
            status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND
        )
-    if user.role != "admin" or (
+    if user.role != "admin" and (
        user.id != note.user_id
        and not has_access(user.id, type="write", access_control=note.access_control)
    ):