mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:34:13 -05:00
[PR #24513] [MERGED] fix: gate tool content updates behind workspace.tools to match create endpoint #115006
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24513
Author: @Classic298
Created: 5/9/2026
Status: ✅ Merged
Merged: 5/10/2026
Merged by: @tjbck
Base:
dev← Head:fix/tools-update-content-workspace-permission📝 Commits (2)
9c8b8bcfix: gate tool content updates behind workspace.tools to match create endpoint02aec57chore: trim comment📊 Changes
1 file changed (+13 additions, -0 deletions)
View changed files
📝
backend/open_webui/routers/tools.py(+13 -0)📄 Description
update_tools_by_id(routers/tools.py:452) authorizes a caller as long as they are the tool's owner, hold awriteaccess grant on the tool, or are an admin. This means a verified user who has been given a write grant on a tool — typically as part of a metadata-collaboration workflow (edit description, adjust valves, manage access grants) — can also overwrite the tool's Python source. Becauseload_tool_module_by_idfurther down callsexec(content, module.__dict__)at module-import time, anything the new content puts outside theclass Tools:body executes immediately on the server with the worker's privileges (root in the default Docker deployment).The
create_new_toolsendpoint already requiresworkspace.tools(orworkspace.tools_import) precisely because creating a tool means submitting executable code. The update endpoint did not mirror that check, producing an asymmetric authorization surface in which a write-grantee with no workspace permission can still reach the same exec sink as a workspace.tools-trusted creator. SECURITY.md framesworkspace.toolsas the trust signal an admin uses to delegate code-execution capability; the previous behavior let that signal be bypassed by a per-resource share.Fix: after the existing ownership / write-grant / admin gate, add a content-change check. If
form_data.content != tools.content, requireworkspace.toolsorworkspace.tools_import(or admin role). Metadata edits —name,description, valves config, access grants — continue to flow through the existing gate, so the legitimate share-for- collaboration workflow is unaffected.Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.