mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-17 08:21:12 -05:00
[PR #22428] [CLOSED] fix: public-read access grant should not confer write access to notes #49733
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/22428
Author: @gambletan
Created: 3/8/2026
Status: ❌ Closed
Base:
main← Head:fix/notes-write-access-public-read📝 Commits (1)
34631e6fix: remove incorrect public-read grant from note write_access check📊 Changes
1 file changed (+0 additions, -1 deletions)
View changed files
📝
backend/open_webui/routers/notes.py(+0 -1)📄 Description
Summary
The
get_note_by_idendpoint incorrectly includeshas_public_read_access_grant(note.access_grants)in thewrite_accesscalculation. This means any note shared publicly for reading would appear editable by all authenticated users.Root cause
The
write_accessboolean is computed as:The last condition checks for public read access but uses it to grant write access — a privilege escalation bug.
Fix
Removed
has_public_read_access_grant()from thewrite_accesscheck. Write access should only be granted to admins, the note owner, or users with an explicit write access grant.🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.