[GH-ISSUE #23586] bug: missing db=db parameter in filter_allowed_access_grants call in update_note_access_by_id #20020

Closed
opened 2026-04-20 02:36:06 -05:00 by GiteaMirror · 1 comment

Originally created by @kuishou68 on GitHub (Apr 11, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23586

Description

In backend/open_webui/routers/notes.py, the update_note_access_by_id endpoint calls filter_allowed_access_grants without passing the db (SQLAlchemy session) parameter. This means the function has no database session available when it tries to check user group-based permissions.

Bug Location

File: backend/open_webui/routers/notes.py
Function: update_note_access_by_id
Line: ~345

```python
# BUGGY CODE (missing db=db):
form_data.access_grants = filter_allowed_access_grants(
    request.app.state.config.USER_PERMISSIONS,
    user.id,
    user.role,
    form_data.access_grants,
    'sharing.public_notes',
    # db=db  <-- MISSING!
)
```

Compare with update_note_by_id in the same file (line ~281), which correctly passes db=db:

```python
# CORRECT CODE in update_note_by_id:
form_data.access_grants = filter_allowed_access_grants(
    request.app.state.config.USER_PERMISSIONS,
    user.id,
    user.role,
    form_data.access_grants,
    'sharing.public_notes',
    db=db,  # <-- correctly passed here
)
```

Impact

The filter_allowed_access_grants function (in backend/open_webui/utils/access_control/__init__.py) calls has_permission() internally, which calls Groups.get_groups_by_member_id(user_id, db=db). Without a valid db session, group-based permission lookups will fail with an error (or silently use None as the db session, which the ORM layer may handle incorrectly).

This means that when a non-admin user with group-based sharing.public_notes or access_grants.allow_users permissions tries to call the POST /{id}/access/update endpoint, the permission check will fail even though the user is legitimately allowed to update note access grants.

Fix

Pass db=db to the filter_allowed_access_grants call in update_note_access_by_id:

```python
form_data.access_grants = filter_allowed_access_grants(
    request.app.state.config.USER_PERMISSIONS,
    user.id,
    user.role,
    form_data.access_grants,
    'sharing.public_notes',
    db=db,  # Add this
)
```

Environment

  • Affects all versions where this code exists
  • Reproducible when a non-admin user with group-granted sharing.public_notes permission tries to update note access
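As an added illustration, not Open WebUI's own code: a simplified model of the call chain the issue describes (filter_allowed_access_grants -> has_permission -> get_groups_by_member_id), with an in-memory stand-in for the SQLAlchemy session and the Groups table. The FakeSession, Group and grant shapes are assumptions; the point shown is that the missing session makes a group-granted sharing.public_notes permission fail closed, while the same call with db passed allows the grant.

```python
from dataclasses import dataclass

# Constructed stand-ins (assumptions, not the project's real ORM classes).
@dataclass
class FakeSession:
    memberships: dict  # user_id -> list of group ids

@dataclass
class Group:
    id: str
    permissions: dict

# Constructed group table: one group that grants sharing.public_notes.
GROUPS = {"editors": Group("editors", {"sharing": {"public_notes": True}})}

def get_groups_by_member_id(user_id, db=None):
    # Mirrors the shape of Groups.get_groups_by_member_id(user_id, db=db):
    # with no session there is nothing to query, so the lookup errors out.
    if db is None:
        raise RuntimeError("no database session")
    return [GROUPS[g] for g in db.memberships.get(user_id, [])]

def _lookup(perms, dotted_key):
    # Walk a dotted key such as 'sharing.public_notes' through a nested dict.
    for k in dotted_key.split("."):
        if not isinstance(perms, dict) or k not in perms:
            return None
        perms = perms[k]
    return perms

def has_permission(user_id, permission_key, default_permissions, db=None):
    # Group-granted permissions first, then the default USER_PERMISSIONS config.
    for group in get_groups_by_member_id(user_id, db=db):
        if _lookup(group.permissions, permission_key) is True:
            return True
    return bool(_lookup(default_permissions, permission_key))

def filter_allowed_access_grants(default_permissions, user_id, role,
                                 access_grants, permission_key, db=None):
    # Admins keep every grant; other roles keep "public" grants only when the
    # permission check passes. A failed lookup denies (fails closed), which is
    # why the missing db=db blocks legitimately permitted users.
    if role == "admin":
        return access_grants
    try:
        allowed = has_permission(user_id, permission_key, default_permissions, db=db)
    except RuntimeError:
        allowed = False
    return [g for g in access_grants if g.get("principal") != "public" or allowed]
```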

@kuishou68 commented on GitHub (Apr 11, 2026):

I've opened PR #23587 (https://github.com/open-webui/open-webui/pull/23587) to fix this issue.

The fix is a one-line change: adding the missing db=db keyword argument to the filter_allowed_access_grants call in update_note_access_by_id, consistent with the identical call in update_note_by_id in the same file.
