github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-08 21:09:41 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #8483] User can't access pdfs #53809

New Issue
Closed
opened 2026-05-05 15:22:39 -05:00 by GiteaMirror · 9 comments
GiteaMirror commented 2026-05-05 15:22:39 -05:00
Owner
Copy Link

Originally created by @Urizien on GitHub (Jan 12, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/8483

  • I have read and followed all the instructions provided in the README.md.
  • I am on the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below.

Expected Behavior:

User should be able to open pdf source

Actual Behavior:

User can't open/download pdf and he sees {"detail": "We could not find what you're looking for :/"}

Steps to Reproduce:
Create server, try to login from phone, put knowledge base in as admin, then as user from phone ask for this knowledge and try to open source mentioned by chatbot

Logs and Screenshots

image

Originally created by @Urizien on GitHub (Jan 12, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/8483 - [X] I have read and followed all the instructions provided in the README.md. - [X] I am on the latest version of both Open WebUI and Ollama. - [ ] I have included the browser console logs. - [ ] I have included the Docker container logs. - [x] I have provided the exact steps to reproduce the bug in the "Steps to Reproduce" section below. ## Expected Behavior: User should be able to open pdf source ## Actual Behavior: User can't open/download pdf and he sees {"detail": "We could not find what you're looking for :/"} **Steps to Reproduce:** Create server, try to login from phone, put knowledge base in as admin, then as user from phone ask for this knowledge and try to open source mentioned by chatbot ## Logs and Screenshots ![image](https://github.com/user-attachments/assets/841a0688-b366-46ee-89a6-22e18be41ab6)
GiteaMirror commented 2026-05-05 15:22:44 -05:00
Author
Owner
Copy Link

@yhdelgado commented on GitHub (Jan 12, 2025):

I am facing the same issue.

<!-- gh-comment-id:2585878597 --> @yhdelgado commented on GitHub (Jan 12, 2025): I am facing the same issue.
GiteaMirror commented 2026-05-05 15:22:46 -05:00
Author
Owner
Copy Link

@LucasVascovici commented on GitHub (Jan 14, 2025):

I think this is because of those kind of lines in backend/open_webui/routers/files.py:

@router.get("/{id}/content")
async def get_file_content_by_id(id: str, user=Depends(get_verified_user)):
    file = Files.get_file_by_id(id)
-    if file and (file.user_id == user.id or user.role == "admin"):

You can access files only if you are an admin or you uploaded them.

<!-- gh-comment-id:2589573972 --> @LucasVascovici commented on GitHub (Jan 14, 2025): I think this is because of those kind of lines in `backend/open_webui/routers/files.py`: ```diff @router.get("/{id}/content") async def get_file_content_by_id(id: str, user=Depends(get_verified_user)): file = Files.get_file_by_id(id) - if file and (file.user_id == user.id or user.role == "admin"): ``` You can access files only if you are an admin or you uploaded them.
GiteaMirror commented 2026-05-05 15:22:47 -05:00
Author
Owner
Copy Link

@BobMiles commented on GitHub (Jan 28, 2025):

We have the same issue - shouldn't the line above check if the user is granted access to the knowledge rather than if he uploaded the file himself?

<!-- gh-comment-id:2617959475 --> @BobMiles commented on GitHub (Jan 28, 2025): We have the same issue - shouldn't the line above check if the user is granted access to the knowledge rather than if he uploaded the file himself?
GiteaMirror commented 2026-05-05 15:22:48 -05:00
Author
Owner
Copy Link

@mmcaulay commented on GitHub (Feb 2, 2025):

This is related to #8889 just a different area of the code

<!-- gh-comment-id:2629604698 --> @mmcaulay commented on GitHub (Feb 2, 2025): This is related to #8889 just a different area of the code
GiteaMirror commented 2026-05-05 15:22:49 -05:00
Author
Owner
Copy Link

@pablocerdeira commented on GitHub (Feb 12, 2025):

I confirm that this issue is caused by the current implementation in files.py, specifically in the route @router.get("/{id}/content"). As pointed out, the function only checks if the user is the uploader (file.user_id == user.id) or an admin (user.role == "admin") to allow file access. This leaves out users who have legitimate access to the associated knowledge base (collection_name).

Issue Explanation:

The get_file_content_by_id function needs to verify if the user has access to the knowledge base linked to the file (collection_name). Without this check, even users with read access to the knowledge base will receive a 403 Forbidden or 404 Not Found when attempting to download files.

Here’s the relevant change to address this issue:

Original Code:

@router.get("/{id}/content")
async def get_file_content_by_id(id: str, user=Depends(get_verified_user)):
    file = Files.get_file_by_id(id)
    if file and (file.user_id == user.id or user.role == "admin"):
        # File download logic here
        ...
    else:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND)

Updated Code:

from open_webui.models.knowledge import Knowledges

@router.get("/{id}/content")
async def get_file_content_by_id(id: str, user=Depends(get_verified_user)):
    file = Files.get_file_by_id(id)
    if not file:
        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND)

    if file.user_id == user.id or user.role == "admin":
        pass  # File owner or admin access
    else:
        knowledge_base_id = file.meta.get("collection_name") if file.meta else None
        if knowledge_base_id:
            user_access = Knowledges.get_knowledge_bases_by_user_id(user.id, "read")
            for kb in user_access:
                if kb.id == knowledge_base_id:
                    break
            else:
                raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="You do not have access to this file.")
        else:
            raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="You do not have access to this file.")

Temporary Workaround:

To apply this change without rebuilding the container, you can bind your custom files.py to the container using docker-compose:

services:
  open-webui:
    volumes:
      - ./files.py:/app/backend/open_webui/routers/files.py:ro

This will ensure that your modified files.py replaces the default one during runtime.

<!-- gh-comment-id:2652870388 --> @pablocerdeira commented on GitHub (Feb 12, 2025): I confirm that this issue is caused by the current implementation in files.py, specifically in the route @router.get("/{id}/content"). As pointed out, the function only checks if the user is the uploader (file.user_id == user.id) or an admin (user.role == "admin") to allow file access. This leaves out users who have legitimate access to the associated knowledge base (collection_name). **Issue Explanation:** The `get_file_content_by_id` function needs to verify if the user has access to the knowledge base linked to the file (collection_name). Without this check, even users with read access to the knowledge base will receive a 403 Forbidden or 404 Not Found when attempting to download files. Here’s the relevant change to address this issue: **Original Code:** ``` @router.get("/{id}/content") async def get_file_content_by_id(id: str, user=Depends(get_verified_user)): file = Files.get_file_by_id(id) if file and (file.user_id == user.id or user.role == "admin"): # File download logic here ... else: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND) ``` **Updated Code:** `from open_webui.models.knowledge import Knowledges` ``` @router.get("/{id}/content") async def get_file_content_by_id(id: str, user=Depends(get_verified_user)): file = Files.get_file_by_id(id) if not file: raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=ERROR_MESSAGES.NOT_FOUND) if file.user_id == user.id or user.role == "admin": pass # File owner or admin access else: knowledge_base_id = file.meta.get("collection_name") if file.meta else None if knowledge_base_id: user_access = Knowledges.get_knowledge_bases_by_user_id(user.id, "read") for kb in user_access: if kb.id == knowledge_base_id: break else: raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="You do not have access to this file.") else: raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="You do not have access to this file.") ``` **Temporary Workaround:** To apply this change without rebuilding the container, you can bind your custom files.py to the container using docker-compose: ``` services: open-webui: volumes: - ./files.py:/app/backend/open_webui/routers/files.py:ro ``` This will ensure that your modified files.py replaces the default one during runtime.
GiteaMirror commented 2026-05-05 15:22:51 -05:00
Author
Owner
Copy Link

@tarmst commented on GitHub (Feb 14, 2025):

I'll get started on a PR for this & will link it when done.

<!-- gh-comment-id:2660042381 --> @tarmst commented on GitHub (Feb 14, 2025): I'll get started on a PR for this & will link it when done.
GiteaMirror commented 2026-05-05 15:22:52 -05:00
Author
Owner
Copy Link

@arty-hlr commented on GitHub (Mar 29, 2025):

I also experienced this today. Hope the PR can be reviewed and merged quickly! Unfortunately there is no alternative for documents in the knowledge base as afaik only the admin can upload them and link them to a model...

<!-- gh-comment-id:2764245528 --> @arty-hlr commented on GitHub (Mar 29, 2025): I also experienced this today. Hope the PR can be reviewed and merged quickly! Unfortunately there is no alternative for documents in the knowledge base as afaik only the admin can upload them and link them to a model...
GiteaMirror commented 2026-05-05 15:22:53 -05:00
Author
Owner
Copy Link

@Baghla911 commented on GitHub (Jun 12, 2025):

We are still facing this issue that Knowledge Base's files are not accessible to user even with group access or even for the public knowledge basis.

Image

<!-- gh-comment-id:2966118987 --> @Baghla911 commented on GitHub (Jun 12, 2025): We are still facing this issue that Knowledge Base's files are not accessible to user even with group access or even for the public knowledge basis. ![Image](https://github.com/user-attachments/assets/dff3c0cf-964a-4b31-9367-cf29f070f0df)
GiteaMirror commented 2026-05-05 15:22:55 -05:00
Author
Owner
Copy Link

@Xi-Gong commented on GitHub (Dec 7, 2025):

We are still facing this issue that Knowledge Base's files are not accessible to user even with group access or even for the public knowledge basis.

Image

the issue didn't fix, and is still remain.

<!-- gh-comment-id:3621796075 --> @Xi-Gong commented on GitHub (Dec 7, 2025): > We are still facing this issue that Knowledge Base's files are not accessible to user even with group access or even for the public knowledge basis. > > ![Image](https://github.com/user-attachments/assets/dff3c0cf-964a-4b31-9367-cf29f070f0df) the issue didn't fix, and is still remain.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#53809
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?