From d8c4dd6f79b39e105a084b79f4467cf74697730e Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Mon, 11 Aug 2025 23:23:44 +0200 Subject: [PATCH 1/4] Fix admin model access (#17) * Update models.py * Update models.py * Update models.py * Update ollama.py * Update openai.py * Update models.py * Update openai.py * Update ollama.py --- backend/open_webui/routers/models.py | 2 +- backend/open_webui/utils/models.py | 96 +++++++++++++++++----------- 2 files changed, 58 insertions(+), 40 deletions(-) diff --git a/backend/open_webui/routers/models.py b/backend/open_webui/routers/models.py index 3d5f6ccf96..e1a5ec1937 100644 --- a/backend/open_webui/routers/models.py +++ b/backend/open_webui/routers/models.py @@ -117,7 +117,7 @@ async def get_model_by_id(id: str, user=Depends(get_verified_user)): model = Models.get_model_by_id(id) if model: if ( - user.role == "admin" + (user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS) or model.user_id == user.id or has_access(user.id, "read", model.access_control) ): diff --git a/backend/open_webui/utils/models.py b/backend/open_webui/utils/models.py index b713b84307..58b324e6cd 100644 --- a/backend/open_webui/utils/models.py +++ b/backend/open_webui/utils/models.py @@ -23,6 +23,7 @@ from open_webui.utils.access_control import has_access from open_webui.config import ( DEFAULT_ARENA_MODEL, + ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS, ) from open_webui.env import SRC_LOG_LEVELS, GLOBAL_LOG_LEVEL 
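Review bot: `ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS` is referenced in the `get_model_by_id` condition, but the diffstat shows this one-line replacement as the only change to `backend/open_webui/routers/models.py`, so this patch adds no import for it there. If the name is not already imported in that module, the branch raises `NameError` as soon as a model is found, and the endpoint fails with a server error instead of making an access decision. Confirm that `from open_webui.config import ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS` (or an equivalent import) is present. The body of `get_model_by_id` continues outside the hunk.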
@@ -181,45 +182,62 @@ async def get_all_models(request, refresh: bool = False, user: UserModel = None) elif custom_model.is_active and ( custom_model.id not in [model["id"] for model in models] ): - owned_by = "openai" - pipe = None - - action_ids = [] - filter_ids = [] - - for model in models: - if ( - custom_model.base_model_id == model["id"] - or custom_model.base_model_id == model["id"].split(":")[0] - ): - owned_by = model.get("owned_by", "unknown owner") - if "pipe" in model: - pipe = model["pipe"] - break - - if custom_model.meta: - meta = custom_model.meta.model_dump() - - if "actionIds" in meta: - action_ids.extend(meta["actionIds"]) - - if "filterIds" in meta: - filter_ids.extend(meta["filterIds"]) - - models.append( - { - "id": f"{custom_model.id}", - "name": custom_model.name, - "object": "model", - "created": custom_model.created_at, - "owned_by": owned_by, - "info": custom_model.model_dump(), - "preset": True, - **({"pipe": pipe} if pipe is not None else {}), - "action_ids": action_ids, - "filter_ids": filter_ids, - } - ) + # Check access control for custom models + should_include = False + + if user and user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS: + # Admin with full workspace access + should_include = True + elif user and user.id == custom_model.user_id: + # Owner always has access + should_include = True + elif user and has_access(user.id, "read", custom_model.access_control): + # User has explicit read access + should_include = True + elif not user: + # No user context - include for backwards compatibility + should_include = True + + if should_include: + owned_by = "openai" + pipe = None + + action_ids = [] + filter_ids = [] + + for model in models: + if ( + custom_model.base_model_id == model["id"] + or custom_model.base_model_id == model["id"].split(":")[0] + ): + owned_by = model.get("owned_by", "unknown owner") + if "pipe" in model: + pipe = model["pipe"] + break + + if custom_model.meta: + meta = 
custom_model.meta.model_dump() + + if "actionIds" in meta: + action_ids.extend(meta["actionIds"]) + + if "filterIds" in meta: + filter_ids.extend(meta["filterIds"]) + + models.append( + { + "id": f"{custom_model.id}", + "name": custom_model.name, + "object": "model", + "created": custom_model.created_at, + "owned_by": owned_by, + "info": custom_model.model_dump(), + "preset": True, + **({"pipe": pipe} if pipe is not None else {}), + "action_ids": action_ids, + "filter_ids": filter_ids, + } + ) # Process action_ids to get the actions def get_action_items_from_module(function, module): From 357b57e1d609efcf14991e62cbbf6f71459e8225 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Mon, 11 Aug 2025 23:36:48 +0200 Subject: [PATCH 2/4] Update models.py --- backend/open_webui/utils/models.py | 96 ++++++++++++------------------ 1 file changed, 39 insertions(+), 57 deletions(-) diff --git a/backend/open_webui/utils/models.py b/backend/open_webui/utils/models.py index 58b324e6cd..b713b84307 100644 --- a/backend/open_webui/utils/models.py +++ b/backend/open_webui/utils/models.py @@ -23,7 +23,6 @@ from open_webui.utils.access_control import has_access from open_webui.config import ( DEFAULT_ARENA_MODEL, - ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS, ) from open_webui.env import SRC_LOG_LEVELS, GLOBAL_LOG_LEVEL 
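Review bot: The `elif not user:` branch in the `get_all_models` hunk sets `should_include = True`, so the new check fails open. Because the signature default is `user: UserModel = None`, any caller that omits `user` receives every active custom model regardless of `access_control`. An access check is safer when the unfiltered path has to be requested explicitly rather than following from a missing argument. At minimum the branch should carry a comment such as `# unfiltered on purpose: callers that pass no user must filter the result themselves`. PATCH 2/4 of this series removes the whole block again, so this matters if the check is reintroduced here.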
@@ -182,62 +181,45 @@ async def get_all_models(request, refresh: bool = False, user: UserModel = None) elif custom_model.is_active and ( custom_model.id not in [model["id"] for model in models] ): - # Check access control for custom models - should_include = False - - if user and user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS: - # Admin with full workspace access - should_include = True - elif user and user.id == custom_model.user_id: - # Owner always has access - should_include = True - elif user and has_access(user.id, "read", custom_model.access_control): - # User has explicit read access - should_include = True - elif not user: - # No user context - include for backwards compatibility - should_include = True - - if should_include: - owned_by = "openai" - pipe = None - - action_ids = [] - filter_ids = [] - - for model in models: - if ( - custom_model.base_model_id == model["id"] - or custom_model.base_model_id == model["id"].split(":")[0] - ): - owned_by = model.get("owned_by", "unknown owner") - if "pipe" in model: - pipe = model["pipe"] - break - - if custom_model.meta: - meta = custom_model.meta.model_dump() - - if "actionIds" in meta: - action_ids.extend(meta["actionIds"]) - - if "filterIds" in meta: - filter_ids.extend(meta["filterIds"]) - - models.append( - { - "id": f"{custom_model.id}", - "name": custom_model.name, - "object": "model", - "created": custom_model.created_at, - "owned_by": owned_by, - "info": custom_model.model_dump(), - "preset": True, - **({"pipe": pipe} if pipe is not None else {}), - "action_ids": action_ids, - "filter_ids": filter_ids, - } - ) + owned_by = "openai" + pipe = None + + action_ids = [] + filter_ids = [] + + for model in models: + if ( + custom_model.base_model_id == model["id"] + or custom_model.base_model_id == model["id"].split(":")[0] + ): + owned_by = model.get("owned_by", "unknown owner") + if "pipe" in model: + pipe = model["pipe"] + break + + if custom_model.meta: + meta = 
custom_model.meta.model_dump() + + if "actionIds" in meta: + action_ids.extend(meta["actionIds"]) + + if "filterIds" in meta: + filter_ids.extend(meta["filterIds"]) + + models.append( + { + "id": f"{custom_model.id}", + "name": custom_model.name, + "object": "model", + "created": custom_model.created_at, + "owned_by": owned_by, + "info": custom_model.model_dump(), + "preset": True, + **({"pipe": pipe} if pipe is not None else {}), + "action_ids": action_ids, + "filter_ids": filter_ids, + } + ) # Process action_ids to get the actions def get_action_items_from_module(function, module): From f758bf74c2e308a6af7613a376e7cd28b6a3f558 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Mon, 11 Aug 2025 23:39:01 +0200 Subject: [PATCH 3/4] Update main.py --- backend/open_webui/main.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py index 076d4c486d..c2cd587c8e 100644 --- a/backend/open_webui/main.py +++ b/backend/open_webui/main.py @@ -375,6 +375,7 @@ from open_webui.config import ( RESPONSE_WATERMARK, # Admin ENABLE_ADMIN_CHAT_ACCESS, + ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS, ENABLE_ADMIN_EXPORT, # Tasks TASK_MODEL, @@ -1321,7 +1322,7 @@ async def get_models( ) # Filter out models that the user does not have access to - if user.role == "user" and not BYPASS_MODEL_ACCESS_CONTROL: + if (user.role == "user" or (user.role == "admin" and not ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS)) and not BYPASS_MODEL_ACCESS_CONTROL: models = get_filtered_models(models, user) log.debug( From df314fda1d1d7768e4a0a48b571b303d84773626 Mon Sep 17 00:00:00 2001 From: Classic298 <27028174+Classic298@users.noreply.github.com> Date: Mon, 11 Aug 2025 23:41:49 +0200 Subject: [PATCH 4/4] Update main.py --- backend/open_webui/main.py | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
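Review bot: The new condition in `get_models` enumerates the roles that get filtered (`"user"`, or `"admin"` with the flag off), so any other role value skips `get_filtered_models` and receives the full list. Whether another role can reach this handler is not visible in the hunk, but stating the exemption instead makes filtering the default: `if not BYPASS_MODEL_ACCESS_CONTROL and not (user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS):`. That form gives the same result for the two roles handled today. It is also shorter than the added line, which runs well past the usual line length.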
diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py index c2cd587c8e..8d008dafcc 100644 --- a/backend/open_webui/main.py +++ b/backend/open_webui/main.py @@ -1279,14 +1279,16 @@ async def get_models( ): filtered_models.append(model) continue - + model_info = Models.get_model_by_id(model["id"]) if model_info: - if user.id == model_info.user_id or has_access( - user.id, type="read", access_control=model_info.access_control + if ( + (user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS) + or user.id == model_info.user_id + or has_access(user.id, type="read", access_control=model_info.access_control) ): filtered_models.append(model) - + return filtered_models all_models = await get_all_models(request, refresh=refresh, user=user)
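Review bot: The `user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS` clause added to `get_filtered_models` looks unreachable from the call in `get_models`, since PATCH 3/4 only calls the function for an admin when that flag is false. Keep the admin decision in one place, or add a comment naming the other caller that needs it. Separately, the `if model_info:` guard has no else branch, so a model without a stored record is not appended here. Now that admins can be filtered, an admin with the flag off would presumably stop seeing such models; confirm that is intended. The hunk also makes whitespace-only changes to two blank lines, and the function starts outside the hunk.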