Home Explore Help
Register Sign In
lqb
/
open-webui
mirror of https://github.com/open-webui/open-webui.git
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Merge pull request #12894 from Classic298/patch-2

security/fix: prevent email and password changes to the primary admin account
Tim Jaeryang Baek 3 months ago
parent
165eb50c22 4f14b17c34
commit
414ebc87ee
1 changed files with 27 additions and 0 deletions
Split View Show Diff Stats
  1. 27 0
      backend/open_webui/routers/users.py

+ 27 - 0
backend/open_webui/routers/users.py
View File 

@@ -288,6 +288,19 @@ async def update_user_by_id(
 
     form_data: UserUpdateForm,
 
     session_user=Depends(get_admin_user),
 
 ):
 
+    # Prevent modification of the primary admin user by other admins
 
+    try:
 
+        first_user = Users.get_first_user()
 
+        if first_user and user_id == first_user.id and session_user.id != user_id:
 
+            raise HTTPException(
 
+                status_code=status.HTTP_403_FORBIDDEN,
 
+                detail=ERROR_MESSAGES.ACTION_PROHIBITED,
 
+            )
 
+    except Exception as e:
 
+        log.error(f"Error checking primary admin status: {e}")
 
+        raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="Could not verify primary admin status.")
 
+
 
+
 
     user = Users.get_user_by_id(user_id)
 
 
     if user:
 
@@ -328,6 +341,7 @@ async def update_user_by_id(
 
     )
 
 
 
+
 
 ############################
 
 # DeleteUserById
 
 ############################
 
@@ -335,6 +349,18 @@ async def update_user_by_id(
 
 
 @router.delete("/{user_id}", response_model=bool)
 
 async def delete_user_by_id(user_id: str, user=Depends(get_admin_user)):
 
+    # Prevent deletion of the primary admin user
 
+    try:
 
+        first_user = Users.get_first_user()
 
+        if first_user and user_id == first_user.id:
 
+            raise HTTPException(
 
+                status_code=status.HTTP_403_FORBIDDEN,
 
+                detail=ERROR_MESSAGES.ACTION_PROHIBITED,
 
+            )
 
+    except Exception as e:
 
+        log.error(f"Error checking primary admin status: {e}")
 
+        raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="Could not verify primary admin status.")
 
+
 
     if user.id != user_id:
 
         result = Auths.delete_auth_by_id(user_id)
 
 
@@ -346,6 +372,7 @@ async def delete_user_by_id(user_id: str, user=Depends(get_admin_user)):
 
             detail=ERROR_MESSAGES.DELETE_USER_ERROR,
 
         )
 
 
+    # Prevent self-deletion
 
     raise HTTPException(
 
         status_code=status.HTTP_403_FORBIDDEN,
 
         detail=ERROR_MESSAGES.ACTION_PROHIBITED,