[PR #24493] [MERGED] fix: gate public sharing of calendars behind sharing.public_calendars permission #114991

Closed
opened 2026-05-18 15:53:53 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24493
Author: @Classic298
Created: 5/9/2026
Status: Merged
Merged: 5/9/2026
Merged by: @tjbck

Base: devHead: fix/calendar-missing-public-sharing-permission-gate


📝 Commits (2)

  • da8ed31 fix: gate public sharing of calendars behind sharing.public_calendars permission
  • d20e56a fix: expose public_calendars + features.calendar through admin permissions surface

📊 Changes

5 files changed (+55 additions, -3 deletions)

View changed files

📝 backend/open_webui/config.py (+5 -0)
📝 backend/open_webui/routers/calendar.py (+26 -1)
📝 backend/open_webui/routers/users.py (+2 -0)
📝 src/lib/components/admin/Users/Groups/Permissions.svelte (+18 -0)
📝 src/lib/constants/permissions.ts (+4 -2)

📄 Description

… permission

The calendar router did not call filter_allowed_access_grants on either the create or update endpoint, while every other shareable resource in the codebase (channels, knowledge, models, notes, prompts, skills, tools) does. A verified non-admin owner could therefore attach
{"principal_type":"user","principal_id":"*","permission":"read"|"write"} to their own calendar in the create or update payload and have it persisted unfiltered. Any other verified user with the (default-on) features.calendar permission could then read or, for write grants, write events on it via the existing /events* endpoints, bypassing the per-user sharing.public_ permission gate the rest of the resource cohort enforces.

Three changes:

  • config.py: add USER_PERMISSIONS_CALENDAR_ALLOW_PUBLIC_SHARING (default False, env-overridable) and surface it in DEFAULT_USER_PERMISSIONS ['sharing']['public_calendars'] so admins can grant it per group via the same UI used for notes/models/etc.
  • routers/calendar.py: import filter_allowed_access_grants and call it in create_calendar with the new sharing.public_calendars key, identical to the channel router's pattern.
  • routers/calendar.py: call filter_allowed_access_grants in update_calendar too. The pre-existing owner-only gate at L350 only restricts WHO may change grants; the new filter restricts WHICH grants they may set, so a non-admin owner cannot make their own calendar publicly readable or writable without the corresponding sharing permission.

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24493 **Author:** [@Classic298](https://github.com/Classic298) **Created:** 5/9/2026 **Status:** ✅ Merged **Merged:** 5/9/2026 **Merged by:** [@tjbck](https://github.com/tjbck) **Base:** `dev` ← **Head:** `fix/calendar-missing-public-sharing-permission-gate` --- ### 📝 Commits (2) - [`da8ed31`](https://github.com/open-webui/open-webui/commit/da8ed3117a6c558147da6cbe4adbc5facf6f18eb) fix: gate public sharing of calendars behind sharing.public_calendars permission - [`d20e56a`](https://github.com/open-webui/open-webui/commit/d20e56a2959733f4df06602d6612b2c46b4a0523) fix: expose public_calendars + features.calendar through admin permissions surface ### 📊 Changes **5 files changed** (+55 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/config.py` (+5 -0) 📝 `backend/open_webui/routers/calendar.py` (+26 -1) 📝 `backend/open_webui/routers/users.py` (+2 -0) 📝 `src/lib/components/admin/Users/Groups/Permissions.svelte` (+18 -0) 📝 `src/lib/constants/permissions.ts` (+4 -2) </details> ### 📄 Description … permission The calendar router did not call filter_allowed_access_grants on either the create or update endpoint, while every other shareable resource in the codebase (channels, knowledge, models, notes, prompts, skills, tools) does. A verified non-admin owner could therefore attach `{"principal_type":"user","principal_id":"*","permission":"read"|"write"}` to their own calendar in the create or update payload and have it persisted unfiltered. Any other verified user with the (default-on) features.calendar permission could then read or, for write grants, write events on it via the existing /events* endpoints, bypassing the per-user sharing.public_<X> permission gate the rest of the resource cohort enforces. Three changes: - config.py: add USER_PERMISSIONS_CALENDAR_ALLOW_PUBLIC_SHARING (default False, env-overridable) and surface it in DEFAULT_USER_PERMISSIONS ['sharing']['public_calendars'] so admins can grant it per group via the same UI used for notes/models/etc. - routers/calendar.py: import filter_allowed_access_grants and call it in create_calendar with the new sharing.public_calendars key, identical to the channel router's pattern. - routers/calendar.py: call filter_allowed_access_grants in update_calendar too. The pre-existing owner-only gate at L350 only restricts WHO may change grants; the new filter restricts WHICH grants they may set, so a non-admin owner cannot make their own calendar publicly readable or writable without the corresponding sharing permission. ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-18 15:53:54 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#114991