fix: enforce global ENABLE_CHANNELS check on all channel endpoints (#19957)

* fix: enforce global ENABLE_CHANNELS check on all channel endpoints When channels are disabled globally (ENABLE_CHANNELS=false), users with channel permissions could still fetch channels via API endpoints. This fix adds a get_enabled_channels dependency to all 22 channel endpoints that returns 403 Forbidden when channels are globally disabled. Fixes #19914 * refac * refac
2025-12-21 16:55:22 +00:00 · 2025-12-20 08:15:29 -05:00 · 2025-12-20 08:15:29 -05:00 · d65116282c
commit d65116282c
parent e61724d2b1
1 changed files with 107 additions and 16 deletions
--- a/backend/open_webui/routers/channels.py
+++ b/backend/open_webui/routers/channels.py
@ -68,6 +68,21 @@ log.setLevel(SRC_LOG_LEVELS["MODELS"])

 router = APIRouter()

+
+############################
+# Channels Enabled Dependency
+############################
+
+
+def check_channels_access(request: Request):
+    """Dependency to ensure channels are globally enabled."""
+    if not request.app.state.config.ENABLE_CHANNELS:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Channels are not enabled",
+        )
+
+
 ############################
 # GetChatList
 ############################
@ -82,7 +97,11 @@ class ChannelListItemResponse(ChannelModel):


@router.get("/", response_model=list[ChannelListItemResponse])
-async def get_channels(request: Request, user=Depends(get_verified_user)):
+async def get_channels(
+    request: Request,
+    user=Depends(get_verified_user),
+):
+    check_channels_access(request)
    if user.role != "admin" and not has_permission(
        user.id, "features.channels", request.app.state.config.USER_PERMISSIONS
    ):
@ -134,7 +153,11 @@ async def get_channels(request: Request, user=Depends(get_verified_user)):


@router.get("/list", response_model=list[ChannelModel])
-async def get_all_channels(user=Depends(get_verified_user)):
+async def get_all_channels(
+    request: Request,
+    user=Depends(get_verified_user),
+):
+    check_channels_access(request)
    if user.role == "admin":
        return Channels.get_channels()
    return Channels.get_channels_by_user_id(user.id)
@ -147,8 +170,11 @@ async def get_all_channels(user=Depends(get_verified_user)):

@router.get("/users/{user_id}", response_model=Optional[ChannelModel])
 async def get_dm_channel_by_user_id(
-    request: Request, user_id: str, user=Depends(get_verified_user)
+    request: Request,
+    user_id: str,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    if user.role != "admin" and not has_permission(
        user.id, "features.channels", request.app.state.config.USER_PERMISSIONS
    ):
@ -216,8 +242,11 @@ async def get_dm_channel_by_user_id(

@router.post("/create", response_model=Optional[ChannelModel])
 async def create_new_channel(
-    request: Request, form_data: CreateChannelForm, user=Depends(get_verified_user)
+    request: Request,
+    form_data: CreateChannelForm,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    if user.role != "admin" and not has_permission(
        user.id, "features.channels", request.app.state.config.USER_PERMISSIONS
    ):
@ -296,7 +325,12 @@ class ChannelFullResponse(ChannelResponse):


@router.get("/{id}", response_model=Optional[ChannelFullResponse])
-async def get_channel_by_id(id: str, user=Depends(get_verified_user)):
+async def get_channel_by_id(
+    request: Request,
+    id: str,
+    user=Depends(get_verified_user),
+):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -383,6 +417,7 @@ PAGE_ITEM_COUNT = 30

@router.get("/{id}/members", response_model=UserListResponse)
 async def get_channel_members_by_id(
+    request: Request,
    id: str,
    query: Optional[str] = None,
    order_by: Optional[str] = None,
@ -390,6 +425,7 @@ async def get_channel_members_by_id(
    page: Optional[int] = 1,
    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)

    channel = Channels.get_channel_by_id(id)
    if not channel:
@ -472,10 +508,12 @@ class UpdateActiveMemberForm(BaseModel):

@router.post("/{id}/members/active", response_model=bool)
 async def update_is_active_member_by_id_and_user_id(
+    request: Request,
    id: str,
    form_data: UpdateActiveMemberForm,
    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -508,6 +546,7 @@ async def add_members_by_id(
    form_data: UpdateMembersForm,
    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    if user.role != "admin" and not has_permission(
        user.id, "features.channels", request.app.state.config.USER_PERMISSIONS
    ):
@ -556,6 +595,7 @@ async def remove_members_by_id(
    form_data: RemoveMembersForm,
    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    if user.role != "admin" and not has_permission(
        user.id, "features.channels", request.app.state.config.USER_PERMISSIONS
    ):
@ -593,8 +633,12 @@ async def remove_members_by_id(

@router.post("/{id}/update", response_model=Optional[ChannelModel])
 async def update_channel_by_id(
-    request: Request, id: str, form_data: ChannelForm, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    form_data: ChannelForm,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    if user.role != "admin" and not has_permission(
        user.id, "features.channels", request.app.state.config.USER_PERMISSIONS
    ):
@ -631,8 +675,11 @@ async def update_channel_by_id(

@router.delete("/{id}/delete", response_model=bool)
 async def delete_channel_by_id(
-    request: Request, id: str, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    if user.role != "admin" and not has_permission(
        user.id, "features.channels", request.app.state.config.USER_PERMISSIONS
    ):
@ -682,8 +729,13 @@ class MessageUserResponse(MessageResponse):

@router.get("/{id}/messages", response_model=list[MessageUserResponse])
 async def get_channel_messages(
-    id: str, skip: int = 0, limit: int = 50, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    skip: int = 0,
+    limit: int = 50,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -745,8 +797,12 @@ PAGE_ITEM_COUNT_PINNED = 20

@router.get("/{id}/messages/pinned", response_model=list[MessageWithReactionsResponse])
 async def get_pinned_channel_messages(
-    id: str, page: int = 1, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    page: int = 1,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -1090,6 +1146,7 @@ async def post_new_message(
    background_tasks: BackgroundTasks,
    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)

    try:
        message, channel = await new_message_handler(request, id, form_data, user)
@ -1134,8 +1191,12 @@ async def post_new_message(

@router.get("/{id}/messages/{message_id}", response_model=Optional[MessageResponse])
 async def get_channel_message(
-    id: str, message_id: str, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    message_id: str,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -1183,8 +1244,12 @@ async def get_channel_message(

@router.get("/{id}/messages/{message_id}/data", response_model=Optional[dict])
 async def get_channel_message_data(
-    id: str, message_id: str, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    message_id: str,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -1231,8 +1296,13 @@ class PinMessageForm(BaseModel):
    "/{id}/messages/{message_id}/pin", response_model=Optional[MessageUserResponse]
 )
 async def pin_channel_message(
-    id: str, message_id: str, form_data: PinMessageForm, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    message_id: str,
+    form_data: PinMessageForm,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -1290,12 +1360,14 @@ async def pin_channel_message(
    "/{id}/messages/{message_id}/thread", response_model=list[MessageUserResponse]
 )
 async def get_channel_thread_messages(
+    request: Request,
    id: str,
    message_id: str,
    skip: int = 0,
    limit: int = 50,
    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -1348,8 +1420,13 @@ async def get_channel_thread_messages(
    "/{id}/messages/{message_id}/update", response_model=Optional[MessageModel]
 )
 async def update_message_by_id(
-    id: str, message_id: str, form_data: MessageForm, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    message_id: str,
+    form_data: MessageForm,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -1423,8 +1500,13 @@ class ReactionForm(BaseModel):

@router.post("/{id}/messages/{message_id}/reactions/add", response_model=bool)
 async def add_reaction_to_message(
-    id: str, message_id: str, form_data: ReactionForm, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    message_id: str,
+    form_data: ReactionForm,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -1492,8 +1574,13 @@ async def add_reaction_to_message(

@router.post("/{id}/messages/{message_id}/reactions/remove", response_model=bool)
 async def remove_reaction_by_id_and_user_id_and_name(
-    id: str, message_id: str, form_data: ReactionForm, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    message_id: str,
+    form_data: ReactionForm,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(
@ -1564,8 +1651,12 @@ async def remove_reaction_by_id_and_user_id_and_name(

@router.delete("/{id}/messages/{message_id}/delete", response_model=bool)
 async def delete_message_by_id(
-    id: str, message_id: str, user=Depends(get_verified_user)
+    request: Request,
+    id: str,
+    message_id: str,
+    user=Depends(get_verified_user),
 ):
+    check_channels_access(request)
    channel = Channels.get_channel_by_id(id)
    if not channel:
        raise HTTPException(