mirror of
https://github.com/open-webui/open-webui.git
synced 2026-05-04 19:29:27 -05:00
* fix: drop extra='allow' on FolderForm and FolderUpdateForm

  These request models were configured to accept arbitrary extra fields, which were then merged into the folder row via form_data.model_dump(). In insert_new_folder the server-assigned user_id is placed before the form spread, so a client-supplied user_id in the request body would override it and the folder would be persisted against another account.

  Strictly typed inputs are the correct shape for these endpoints — the client has no legitimate reason to send fields beyond the declared ones, and dropping extra='allow' closes the mass-assignment sink at the validation layer instead of relying on every callsite to merge fields in the right order.

* fix: reject unknown fields on FolderForm and FolderUpdateForm

  Address review feedback: dropping extra='allow' fell back to Pydantic v2's default extra='ignore', which only silently drops unknown fields instead of rejecting them. The intent for these request models is a strict input contract — fail fast when a client sends anything the server does not expect — so explicitly set extra='forbid'. This also makes the hardening visible in the form definition rather than implicit in the default.
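Added example (not open-webui's code) that walks through the three Pydantic v2 `extra` settings the commit message discusses: `extra='allow'` lets a client-supplied `user_id` survive `model_dump()` and win the merge, the default `extra='ignore'` drops it without telling the client, and `extra='forbid'` rejects the request. The field names `name` and `parent_id`, the folder row layout and the helper names are assumptions for the demo; only `user_id` and the merge order come from the commit message.

```python
# Added example, not open-webui's code. Assumed field names and row layout;
# the server-first, form-spread-second merge order is the one the commit describes.
from typing import Any, Dict, Optional, Type

from pydantic import BaseModel, ConfigDict, ValidationError


class PermissiveFolderForm(BaseModel):
    """Pre-fix shape: unknown request fields are kept and included in model_dump()."""
    model_config = ConfigDict(extra="allow")
    name: str
    parent_id: Optional[str] = None


class DefaultFolderForm(BaseModel):
    """First fix attempt: Pydantic v2 default (extra='ignore') silently drops unknowns."""
    name: str
    parent_id: Optional[str] = None


class StrictFolderForm(BaseModel):
    """Hardened shape: any undeclared field makes validation fail fast."""
    model_config = ConfigDict(extra="forbid")
    name: str
    parent_id: Optional[str] = None


def build_folder_row(form: BaseModel, user_id: str) -> Dict[str, Any]:
    """Merge in the order the commit describes: the server-assigned user_id comes
    first, the form spread second, so any user_id that survived validation wins."""
    return {"id": "folder-1", "user_id": user_id, **form.model_dump()}


def create_folder(form_cls: Type[BaseModel], payload: Dict[str, Any],
                  session_user_id: str) -> Dict[str, Any]:
    """Validate the request body with form_cls, then build the row.
    Returns {'ok': True, 'row': ...} or {'ok': False, 'error': <pydantic error type>}."""
    try:
        form = form_cls.model_validate(payload)
    except ValidationError as exc:
        return {"ok": False, "error": exc.errors()[0]["type"]}
    return {"ok": True, "row": build_folder_row(form, session_user_id)}


# Constructed request body: the session belongs to "alice", but the body carries
# a user_id for a different account, the case the commit message describes.
HOSTILE_PAYLOAD = {"name": "Reports", "user_id": "bob"}

if __name__ == "__main__":
    for cls in (PermissiveFolderForm, DefaultFolderForm, StrictFolderForm):
        print(f"{cls.__name__:22s}", create_folder(cls, HOSTILE_PAYLOAD, "alice"))
```

Only the strict form surfaces the problem to the client; the default form yields a correct row but hides that the request carried a field the server never expected.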