Merge pull request #16498 from Classic298/fix_model_access

fix: Chat model selector bypasses ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS privacy setting
2025-12-13 12:55:19 +00:00 · 2025-08-13 18:11:46 +04:00 · 2025-08-13 18:11:46 +04:00 · 20101579e0
commit 20101579e0
parent 2cb87a71f7 8a745b9bbf
2 changed files with 9 additions and 8 deletions
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@ -376,6 +376,7 @@ from open_webui.config import (
    RESPONSE_WATERMARK,
    # Admin
    ENABLE_ADMIN_CHAT_ACCESS,
+    ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS,
    ENABLE_ADMIN_EXPORT,
    # Tasks
    TASK_MODEL,
@ -1279,14 +1280,16 @@ async def get_models(
                ):
                    filtered_models.append(model)
                continue
-
+    
            model_info = Models.get_model_by_id(model["id"])
            if model_info:
-                if user.id == model_info.user_id or has_access(
-                    user.id, type="read", access_control=model_info.access_control
+                if (
+                    (user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS)
+                    or user.id == model_info.user_id 
+                    or has_access(user.id, type="read", access_control=model_info.access_control)
                ):
                    filtered_models.append(model)
-
+    
        return filtered_models

    all_models = await get_all_models(request, refresh=refresh, user=user)
@ -1322,9 +1325,7 @@ async def get_models(
        )

    # Filter out models that the user does not have access to
-    if not BYPASS_MODEL_ACCESS_CONTROL and (
-        user.role != "admin" or not ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS
-    ):
+    if (user.role == "user" or (user.role == "admin" and not ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS)) and not BYPASS_MODEL_ACCESS_CONTROL:
        models = get_filtered_models(models, user)

    log.debug(
--- a/backend/open_webui/routers/models.py
+++ b/backend/open_webui/routers/models.py
@ -117,7 +117,7 @@ async def get_model_by_id(id: str, user=Depends(get_verified_user)):
    model = Models.get_model_by_id(id)
    if model:
        if (
-            user.role == "admin"
+            (user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS)
            or model.user_id == user.id
            or has_access(user.id, "read", model.access_control)
        ):