mirror of
https://github.com/open-webui/open-webui.git
synced 2026-05-03 18:59:38 -05:00
The /responses proxy endpoint only required authentication via get_verified_user but did not check per-model access grants. This allowed any authenticated user to access any model through this endpoint, bypassing the access control system.

Extract a shared check_model_access helper into utils/access_control and replace all inline access control blocks across openai.py and ollama.py (7 locations) with calls to this helper. This eliminates code duplication and prevents future policy drift between endpoints.

CWE-862: Missing Authorization
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H (6.5 Medium)
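As an added illustration of the pattern the commit describes (this is not Open WebUI's code), the snippet below puts the per-model authorization decision in one helper and shows an endpoint before and after it calls that helper. The User and Model shapes, the admin and owner bypass, and the access_control grant layout are assumptions made for the example.

```python
# Added illustration, not Open WebUI's code: one shared authorization helper that every
# model-serving endpoint calls, so a new endpoint cannot silently skip the check (CWE-862).
from dataclasses import dataclass, field
from typing import Optional

class ModelAccessDenied(Exception):
    """Raised when the caller holds no grant for the requested model."""

@dataclass
class User:
    id: str
    role: str = "user"                   # assumed: "admin" bypasses per-model grants
    group_ids: set = field(default_factory=set)

@dataclass
class Model:
    id: str
    user_id: str                         # owner of the model
    # assumed grant shape: None = public; else {"read": {"user_ids": [...], "group_ids": [...]}}
    access_control: Optional[dict] = None

def check_model_access(user: User, model: Model) -> None:
    """Raise ModelAccessDenied unless `user` may read `model`; admins and owners always may."""
    if user.role == "admin" or model.user_id == user.id or model.access_control is None:
        return
    grants = model.access_control.get("read", {})
    if user.id in grants.get("user_ids", []) or user.group_ids & set(grants.get("group_ids", [])):
        return
    raise ModelAccessDenied(f"user {user.id} may not use model {model.id}")

# Constructed sample models: one public, one visible only to its owner and the "research" group.
MODELS = {
    "public-chat": Model("public-chat", user_id="alice"),
    "private-finetune": Model("private-finetune", user_id="alice",
                              access_control={"read": {"user_ids": [], "group_ids": ["research"]}}),
}

def responses_before(user: User, model_id: str) -> str:
    """Before the fix: authentication only, so any signed-in user reaches any model."""
    return f"completion from {MODELS[model_id].id}"

def responses_after(user: User, model_id: str) -> str:
    """After the fix: the same helper the other proxy endpoints call gates this one too."""
    model = MODELS[model_id]
    check_model_access(user, model)
    return f"completion from {model.id}"
```

Because every endpoint routes through check_model_access, a policy change (for example a new grant type) lands in one place instead of drifting across seven inline copies.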