mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-18 02:04:06 -05:00
[PR #23638] [MERGED] fix: enforce filter_allowed_access_grants on channel create and update #82168
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/23638
Author: @Classic298
Created: 4/12/2026
Status: ✅ Merged
Merged: 4/12/2026
Merged by: @tjbck
Base:
dev← Head:fix/channel-access-grants-bypass📝 Commits (1)
6e7a7b7fix: enforce filter_allowed_access_grants on channel create and update📊 Changes
1 file changed (+17 additions, -1 deletions)
View changed files
📝
backend/open_webui/routers/channels.py(+17 -1)📄 Description
Unlike all other resource routers (knowledge, models, notes, prompts, tools, skills), the channel router did not call filter_allowed_access_grants. This allowed any user to set wildcard access grants on group channels, bypassing the admin's public sharing permission framework.
Adds filter_allowed_access_grants with the sharing.public_channels permission key to both create and update endpoints, matching the pattern used by all other resource routers.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.