From 73180d115a4a9736b64cdb39708f9faac421606a Mon Sep 17 00:00:00 2001
From: SubashMohan
Date: Sat, 9 Aug 2025 12:45:20 +0530
Subject: [PATCH 1/2] fix: restrict user file access to current user only
---
 backend/onyx/file_store/utils.py | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/backend/onyx/file_store/utils.py b/backend/onyx/file_store/utils.py
index 107504b33bb..9527537ba42 100644
--- a/backend/onyx/file_store/utils.py
+++ b/backend/onyx/file_store/utils.py
@@ -244,14 +244,14 @@ def get_user_files_as_user(
     Fetches all UserFile database records for a given user.
     """
     user_files = get_user_files(user_file_ids, user_folder_ids, db_session)
+    current_user_files = []
     for user_file in user_files:
         # Note: if user_id is None, then all files should be None as well
         # (since auth must be disabled in this case)
-        if user_file.user_id != user_id:
-            raise ValueError(
-                f"User {user_id} does not have access to file {user_file.id}"
-            )
-    return user_files
+        if user_file.user_id == user_id:
+            current_user_files.append(user_file)
+
+    return current_user_files
 
 
 def save_file_from_url(url: str) -> str:
From e5241b572163fa6b2c6a7d6bf1b99e4ec59f9710 Mon Sep 17 00:00:00 2001
From: SubashMohan
Date: Sun, 10 Aug 2025 14:05:45 +0530
Subject: [PATCH 2/2] fix: enhance user file access control for recent folder
---
 backend/onyx/file_store/utils.py | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/backend/onyx/file_store/utils.py b/backend/onyx/file_store/utils.py
index 9527537ba42..d11b9864ecc 100644
--- a/backend/onyx/file_store/utils.py
+++ b/backend/onyx/file_store/utils.py
@@ -22,6 +22,8 @@
 logger = setup_logger()
 
+RECENT_FOLDER_ID = -1
+
 
 def user_file_id_to_plaintext_file_name(user_file_id: int) -> str:
     """Generate a consistent file name for storing plaintext content of a user file."""
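Review bot: The docstring `Fetches all UserFile database records for a given user.` at the top of the first patch's hunk in get_user_files_as_user no longer describes the function: records whose `user_id` differs from the caller's are now silently dropped from the result instead of being rejected, so a caller cannot distinguish a file that does not exist from one it does not own. The docstring should state that filtering, e.g. `Returns the UserFile records among the requested ids/folders that belong to user_id; records owned by other users are omitted.`, and since the second patch in this series makes the non-recent-folder case raise again, it should describe that final split behaviour rather than this intermediate one. The function's signature starts before the hunk.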
@@ -248,7 +250,14 @@ def get_user_files_as_user(
     for user_file in user_files:
         # Note: if user_id is None, then all files should be None as well
         # (since auth must be disabled in this case)
-        if user_file.user_id == user_id:
+        if user_file.folder_id == RECENT_FOLDER_ID:
+            if user_file.user_id == user_id:
+                current_user_files.append(user_file)
+        else:
+            if user_file.user_id != user_id:
+                raise ValueError(
+                    f"User {user_id} does not have access to file {user_file.id}"
+                )
             current_user_files.append(user_file)
 
     return current_user_files
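Review bot: The recent-folder branch of the new `if user_file.folder_id == RECENT_FOLDER_ID:` block discards files owned by another user without any log line, so a request that mixes foreign file ids into a recent-folder lookup leaves no trace for detection, while the other branch raises for the same condition; the ownership test is also written twice. Testing ownership first and branching on the folder only for the failure case keeps one predicate, preserves the raise for non-recent folders, and adds a warning for the silently dropped case (the `logger` set up at the top of the file presumably exposes the standard `warning` method; confirm). The indentation of the trailing context line `current_user_files.append(user_file)` is not recoverable from this rendering, so confirm it sits inside the `else:` block after the patch, otherwise files failing the recent-folder check are still appended. The enclosing function starts before the hunk.
```python
        # … unchanged: loop header and the user_id-is-None comment …
        if user_file.user_id == user_id:
            current_user_files.append(user_file)
        elif user_file.folder_id != RECENT_FOLDER_ID:
            raise ValueError(
                f"User {user_id} does not have access to file {user_file.id}"
            )
        else:
            # Recent-folder lookups tolerate foreign ids but should be visible to operators.
            logger.warning(
                "Dropping file %s not owned by user %s from recent-folder result",
                user_file.id,
                user_id,
            )
```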