[PR #22428] [CLOSED] fix: public-read access grant should not confer write access to notes #81558

Closed
opened 2026-05-13 15:54:28 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/22428
Author: @gambletan
Created: 3/8/2026
Status: Closed

Base: mainHead: fix/notes-write-access-public-read


📝 Commits (1)

  • 34631e6 fix: remove incorrect public-read grant from note write_access check

📊 Changes

1 file changed (+0 additions, -1 deletions)

View changed files

📝 backend/open_webui/routers/notes.py (+0 -1)

📄 Description

Summary

The get_note_by_id endpoint incorrectly includes has_public_read_access_grant(note.access_grants) in the write_access calculation. This means any note shared publicly for reading would appear editable by all authenticated users.

Root cause

The write_access boolean is computed as:

write_access = (
    user.role == "admin"
    or (user.id == note.user_id)
    or AccessGrants.has_access(..., permission="write", ...)
    or has_public_read_access_grant(note.access_grants)  # BUG
)

The last condition checks for public read access but uses it to grant write access — a privilege escalation bug.

Fix

Removed has_public_read_access_grant() from the write_access check. Write access should only be granted to admins, the note owner, or users with an explicit write access grant.


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/open-webui/open-webui/pull/22428 **Author:** [@gambletan](https://github.com/gambletan) **Created:** 3/8/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix/notes-write-access-public-read` --- ### 📝 Commits (1) - [`34631e6`](https://github.com/open-webui/open-webui/commit/34631e6fa62ed9790b721c646afc030c1f85134b) fix: remove incorrect public-read grant from note write_access check ### 📊 Changes **1 file changed** (+0 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `backend/open_webui/routers/notes.py` (+0 -1) </details> ### 📄 Description ## Summary The `get_note_by_id` endpoint incorrectly includes `has_public_read_access_grant(note.access_grants)` in the `write_access` calculation. This means any note shared publicly for **reading** would appear **editable** by all authenticated users. ### Root cause The `write_access` boolean is computed as: ```python write_access = ( user.role == "admin" or (user.id == note.user_id) or AccessGrants.has_access(..., permission="write", ...) or has_public_read_access_grant(note.access_grants) # BUG ) ``` The last condition checks for **public read** access but uses it to grant **write** access — a privilege escalation bug. ### Fix Removed `has_public_read_access_grant()` from the `write_access` check. Write access should only be granted to admins, the note owner, or users with an explicit write access grant. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-05-13 15:54:28 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#81558