[PR #23627] [CLOSED] fix: enforce access checks on RAG vector search collection queries #50334

Closed
opened 2026-04-30 02:59:57 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/23627
Author: @Classic298
Created: 4/12/2026
Status: Closed

Base: dev ← Head: fix/rag-collection-access-check


📝 Commits (3)

  • d6062c7 fix: enforce access checks on RAG vector search collection queries
  • e1b08c2 Merge remote-tracking branch 'origin/dev' into fix/rag-collection-access-check
  • c4dcb7c chore: adapt _has_access_to_collection to upstream async DB migration

📊 Changes

1 file changed (+92 additions, -11 deletions)


📝 backend/open_webui/retrieval/utils.py (+92 -11)

📄 Description

The non-full-context file path, text collection_name path, and bare collection_name/collection_names fallback all queried the vector store without verifying the user has read access to the underlying file or knowledge base.

Adds _has_access_to_collection helper that resolves collection name format (file-<id>, knowledge UUID, legacy bare ID) to the underlying resource and verifies ownership or access grants. All three unprotected paths now gate on this check before querying.

Contributor License Agreement

Note

Deleting the CLA section will lead to immediate closure of your PR and it will not be merged in.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

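The check the description sketches, as an added illustration that is not the PR's own code and not the open-webui implementation: a hypothetical `has_access_to_collection` that first maps a collection name (`file-<id>` prefix, knowledge-base UUID, or a legacy bare ID) to its resource, then allows the query only for the owner or a user with a read grant, and a wrapper that drops unauthorized collections before the vector store is ever queried. The records, grant model, group membership and the `vector_search` callable are constructed in memory for the example.

```python
import uuid
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed stand-ins for the file and knowledge-base tables (hypothetical;
# the real project keeps these in its database).
@dataclass
class FileRecord:
    id: str
    user_id: str  # owner


@dataclass
class KnowledgeRecord:
    id: str
    user_id: str  # owner
    read_user_ids: set = field(default_factory=set)   # explicit user grants
    read_group_ids: set = field(default_factory=set)  # explicit group grants


KB_ID = "3c9d1c5e-1f6b-4a3c-9f4a-2b7c8d9e0f11"  # constructed UUID
FILES = {"f1": FileRecord(id="f1", user_id="alice")}
KNOWLEDGE = {
    KB_ID: KnowledgeRecord(
        id=KB_ID, user_id="bob",
        read_user_ids={"carol"}, read_group_ids={"team-x"},
    )
}
USER_GROUPS = {"dave": {"team-x"}}  # constructed group membership


def resolve_collection(collection_name: str) -> Optional[tuple]:
    """Map a collection name to (kind, resource_id), or None if unknown."""
    if collection_name.startswith("file-"):
        return ("file", collection_name[len("file-"):])
    # Knowledge bases are addressed by their UUID.
    try:
        uuid.UUID(collection_name)
        if collection_name in KNOWLEDGE:
            return ("knowledge", collection_name)
    except ValueError:
        pass
    # Legacy bare ID: resolve by lookup rather than by format.
    if collection_name in FILES:
        return ("file", collection_name)
    if collection_name in KNOWLEDGE:
        return ("knowledge", collection_name)
    return None


def has_access_to_collection(user_id: str, collection_name: str) -> bool:
    """True only if user_id owns the underlying resource or holds a read grant."""
    resolved = resolve_collection(collection_name)
    if resolved is None:
        return False  # unknown collection names are denied, not passed through
    kind, resource_id = resolved
    if kind == "file":
        rec = FILES.get(resource_id)
        return rec is not None and rec.user_id == user_id
    kb = KNOWLEDGE.get(resource_id)
    if kb is None:
        return False
    if kb.user_id == user_id or user_id in kb.read_user_ids:
        return True
    return bool(USER_GROUPS.get(user_id, set()) & kb.read_group_ids)


def query_collections(user_id: str, collection_names: list,
                      vector_search: Callable[[str], list]) -> dict:
    """Gate every collection on the access check before touching the vector store."""
    results = {}
    for name in collection_names:
        if not has_access_to_collection(user_id, name):
            continue  # silently skip; never query on the user's behalf
        results[name] = vector_search(name)
    return results


if __name__ == "__main__":
    fake_search = lambda name: [f"hit from {name}"]  # constructed vector store
    print(query_collections("alice", ["file-f1", KB_ID, "bogus"], fake_search))
```

The deny-by-default branches matter as much as the grant logic: an unresolvable name or a missing record returns False rather than falling through to the query, which is exactly the behaviour the three previously unprotected paths lacked.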
GiteaMirror added the pull-request label 2026-04-30 02:59:57 -05:00

Reference: github-starred/open-webui#50334