[PR #24526] [CLOSED] fix: enforce per-file ownership when attaching files to folders/KBs #131374

Closed
opened 2026-05-21 16:47:00 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/24526
Author: @Classic298
Created: 5/10/2026
Status: Closed

Base: devHead: fix/file-id-ownership-folder-and-knowledge


📝 Commits (1)

  • bdf7932 fix: enforce per-file ownership when attaching files to folders/KBs

📊 Changes

3 files changed (+75 additions, -2 deletions)

View changed files

📝 backend/open_webui/routers/folders.py (+23 -0)
📝 backend/open_webui/routers/knowledge.py (+21 -0)
📝 backend/open_webui/utils/middleware.py (+31 -2)

📄 Description

Three writers accept a user-supplied file_id (or list thereof) and attach the referenced file to a resource the caller controls without checking the caller's access to the file itself:

  • folders.py update_folder_name_by_id — folder.data['files'] is read by chat middleware as RAG context for the next chat in the folder.
  • knowledge.py add_file_to_knowledge_by_id — file becomes reachable via /api/v1/files/{id}/content (read) and /api/v1/files/{id}/data/ content/update (write) once linked to a KB the caller owns, because has_access_to_file treats KB membership as access.
  • knowledge.py add_files_to_knowledge_batch — same as above for many.

Add a per-file read-access check at each writer (Files.check_access_by_ user_id for the folder path, has_access_to_file for the knowledge paths). Admins bypass.

Defensive layer in middleware: filter folder.data['files'] down to entries the caller can still read before they enter form_data['files'] as RAG context. Closes the window where a future writer drift, an out-of-band data write, or a revoked grant could turn folder knowledge into an exfiltration primitive at the chat sink.

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/24526 **Author:** [@Classic298](https://github.com/Classic298) **Created:** 5/10/2026 **Status:** ❌ Closed **Base:** `dev` ← **Head:** `fix/file-id-ownership-folder-and-knowledge` --- ### 📝 Commits (1) - [`bdf7932`](https://github.com/open-webui/open-webui/commit/bdf79322535b81d2bc2c0ec651bb9b777c5b0d13) fix: enforce per-file ownership when attaching files to folders/KBs ### 📊 Changes **3 files changed** (+75 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/folders.py` (+23 -0) 📝 `backend/open_webui/routers/knowledge.py` (+21 -0) 📝 `backend/open_webui/utils/middleware.py` (+31 -2) </details> ### 📄 Description Three writers accept a user-supplied file_id (or list thereof) and attach the referenced file to a resource the caller controls without checking the caller's access to the file itself: - folders.py update_folder_name_by_id — folder.data['files'] is read by chat middleware as RAG context for the next chat in the folder. - knowledge.py add_file_to_knowledge_by_id — file becomes reachable via /api/v1/files/{id}/content (read) and /api/v1/files/{id}/data/ content/update (write) once linked to a KB the caller owns, because has_access_to_file treats KB membership as access. - knowledge.py add_files_to_knowledge_batch — same as above for many. Add a per-file read-access check at each writer (Files.check_access_by_ user_id for the folder path, has_access_to_file for the knowledge paths). Admins bypass. Defensive layer in middleware: filter folder.data['files'] down to entries the caller can still read before they enter form_data['files'] as RAG context. Closes the window where a future writer drift, an out-of-band data write, or a revoked grant could turn folder knowledge into an exfiltration primitive at the chat sink. ### Contributor License Agreement <!-- 🚨 DO NOT DELETE THE TEXT BELOW 🚨 Keep the "Contributor License Agreement" confirmation text intact. Deleting it will trigger the CLA-Bot to INVALIDATE your PR. Your PR will NOT be reviewed or merged until you check the box below confirming that you have read and agree to the terms of the CLA. --> - [x] By submitting this pull request, I confirm that I have read and fully agree to the [Contributor License Agreement (CLA)](https://github.com/open-webui/open-webui/blob/main/CONTRIBUTOR_LICENSE_AGREEMENT), and I am providing my contributions under its terms. > [!NOTE] > Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-21 16:47:00 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#131374