refac/fix: proper notes db operations

backend/open_webui/models/notes.py

@@ -128,7 +128,7 @@ class NoteTable:
             notes = query.all()
             return [NoteModel.model_validate(note) for note in notes]
 
-    def get_notes_by_access(
+    def get_notes_by_permission(
         self,
         user_id: str,
         permission: str = "write",
@@ -137,40 +137,44 @@ class NoteTable:
     ) -> list[NoteModel]:
         with get_db() as db:
             user_groups = Groups.get_groups_by_member_id(user_id)
-            user_group_ids = {group_id for group_id in user_groups}
+            user_group_ids = {group.id for group in user_groups}
 
-            query = db.query(Note)
+            # Order newest-first. We stream to keep memory usage low.
-
+            query = (
-            access_conditions = [Note.user_id == user_id]
+                db.query(Note)
-
+                .order_by(Note.updated_at.desc())
-            if user_group_ids:
+                .execution_options(stream_results=True)
-                access_conditions.append(
+                .yield_per(256)
-                    and_(
-                        Note.access_control.isnot(None),
-                        Note.access_control != '{}',
-                        Note.access_control != 'null'
-                    )
             )
 
-            query = query.filter(or_(*access_conditions))
+            results: list[NoteModel] = []
+            n_skipped = 0
 
-            query = query.order_by(Note.updated_at.desc())
+            for note in query:
+                # Fast-pass #1: owner
+                if note.user_id == user_id:
+                    permitted = True
+                # Fast-pass #2: public/open
+                elif note.access_control is None:
+                    permitted = True
+                else:
+                    permitted = has_access(
+                        user_id, permission, note.access_control, user_group_ids
+                    )
 
-            if skip is not None:
+                if not permitted:
-                query = query.offset(skip)
+                    continue
-            if limit is not None:
-                query = query.limit(limit)
 
-            notes = query.all()
+                # Apply skip AFTER permission filtering so it counts only accessible notes
-            note_models = [NoteModel.model_validate(note) for note in notes]
+                if skip and n_skipped < skip:
+                    n_skipped += 1
+                    continue
 
-            filtered_notes = []
+                results.append(NoteModel.model_validate(note))
-            for note in note_models:
+                if limit is not None and len(results) >= limit:
-                if (note.user_id == user_id or
+                    break
-                    has_access(user_id, permission, note.access_control, user_group_ids)):
-                    filtered_notes.append(note)
 
-            return filtered_notes
+            return results
 
     def get_note_by_id(self, id: str) -> Optional[NoteModel]:
         with get_db() as db:

backend/open_webui/routers/notes.py

@@ -48,7 +48,7 @@ async def get_notes(request: Request, user=Depends(get_verified_user)):
                 "user": UserResponse(**Users.get_user_by_id(note.user_id).model_dump()),
             }
         )
-        for note in Notes.get_notes_by_access(user.id, "write")
+        for note in Notes.get_notes_by_permission(user.id, "write")
     ]
 
     return notes
@@ -81,7 +81,9 @@ async def get_note_list(
 
     notes = [
         NoteTitleIdResponse(**note.model_dump())
-        for note in Notes.get_notes_by_access(user.id, "write", skip=skip, limit=limit)
+        for note in Notes.get_notes_by_permission(
+            user.id, "write", skip=skip, limit=limit
+        )
     ]
 
     return notes