fix: model update access

backend/open_webui/routers/models.py

@@ -155,6 +155,16 @@ async def update_model_by_id(
             detail=ERROR_MESSAGES.NOT_FOUND,
         )
 
+    if (
+        model.user_id != user.id
+        and not has_access(user.id, "write", model.access_control)
+        and user.role != "admin"
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+        )
+
     model = Models.update_model_by_id(id, form_data)
     return model