From 55ad48d1c3e8a608193f8d1cf2943f25852d4603 Mon Sep 17 00:00:00 2001 From: Timothy Jaeryang Baek Date: Wed, 6 Aug 2025 01:44:52 +0400 Subject: [PATCH] feat: ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS Co-Authored-By: Classic298 <27028174+Classic298@users.noreply.github.com> --- backend/open_webui/config.py | 18 +++++++++++++----- backend/open_webui/routers/knowledge.py | 5 +++-- backend/open_webui/routers/models.py | 4 ++-- backend/open_webui/routers/prompts.py | 7 ++++--- backend/open_webui/routers/tools.py | 21 ++++++++++++--------- 5 files changed, 34 insertions(+), 21 deletions(-) diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py index ff1c01daa9..9f699d9e7c 100644 --- a/backend/open_webui/config.py +++ b/backend/open_webui/config.py @@ -690,14 +690,18 @@ def load_oauth_providers(): if GOOGLE_CLIENT_ID.value: configured_providers.append("Google") if MICROSOFT_CLIENT_ID.value: - configured_providers.append("Microsoft") + configured_providers.append("Microsoft") if GITHUB_CLIENT_ID.value: configured_providers.append("GitHub") - + if configured_providers and not OPENID_PROVIDER_URL.value: provider_list = ", ".join(configured_providers) - log.warning(f"⚠️ OAuth providers configured ({provider_list}) but OPENID_PROVIDER_URL not set - logout will not work!") - log.warning(f"Set OPENID_PROVIDER_URL to your OAuth provider's OpenID Connect discovery endpoint to fix logout functionality.") + log.warning( + f"⚠️ OAuth providers configured ({provider_list}) but OPENID_PROVIDER_URL not set - logout will not work!" + ) + log.warning( + f"Set OPENID_PROVIDER_URL to your OAuth provider's OpenID Connect discovery endpoint to fix logout functionality." + ) load_oauth_providers() 
@@ -1328,6 +1332,10 @@ WEBHOOK_URL = PersistentConfig( ENABLE_ADMIN_EXPORT = os.environ.get("ENABLE_ADMIN_EXPORT", "True").lower() == "true" +ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS = ( + os.environ.get("ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS", "True").lower() == "true" +) + ENABLE_ADMIN_CHAT_ACCESS = ( os.environ.get("ENABLE_ADMIN_CHAT_ACCESS", "True").lower() == "true" ) @@ -1367,7 +1375,7 @@ def validate_cors_origin(origin): parsed_url = urlparse(origin) # Check if the scheme is either http or https, or a custom scheme - schemes = ["http", "https" ] + CORS_ALLOW_CUSTOM_SCHEME + schemes = ["http", "https"] + CORS_ALLOW_CUSTOM_SCHEME if parsed_url.scheme not in schemes: raise ValueError( f"Invalid scheme in CORS_ALLOW_ORIGIN: '{origin}'. Only 'http' and 'https' and CORS_ALLOW_CUSTOM_SCHEME are allowed." diff --git a/backend/open_webui/routers/knowledge.py b/backend/open_webui/routers/knowledge.py index e6e55f4d38..69198816b3 100644 --- a/backend/open_webui/routers/knowledge.py +++ b/backend/open_webui/routers/knowledge.py @@ -25,6 +25,7 @@ from open_webui.utils.access_control import has_access, has_permission from open_webui.env import SRC_LOG_LEVELS +from open_webui.config import ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS from open_webui.models.models import Models, ModelForm @@ -42,7 +43,7 @@ router = APIRouter() async def get_knowledge(user=Depends(get_verified_user)): knowledge_bases = [] - if user.role == "admin": + if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS: knowledge_bases = Knowledges.get_knowledge_bases() else: knowledge_bases = Knowledges.get_knowledge_bases_by_user_id(user.id, "read") 
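Review bot: ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS in the @@ -1328 hunk is a plain module-level boolean evaluated once from os.environ, so unlike the PersistentConfig values around it it is fixed at process start and cannot be toggled from the admin settings UI; the routers import it by value (`from open_webui.config import ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS`), so a restart is required for a change to take effect. That matches ENABLE_ADMIN_EXPORT and ENABLE_ADMIN_CHAT_ACCESS, but because the default "True" keeps the broad admin visibility, the line deserves a comment stating it, e.g. `# Startup-only. True (default): admins list every workspace model/prompt/tool/knowledge base; False: admins see only items they own or that are shared with them.` Worth noting in that comment that `.lower() == "true"` treats any other spelling ("1", "yes") as False, so a mistyped value quietly restricts admin visibility rather than erroring.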
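Review bot: The new condition in get_knowledge (@@ -42) gates only the collection endpoint, and the same is true of the parallel hunks in get_knowledge_list (@@ -90), get_models (@@ -27), get_prompts (@@ -20), get_prompt_list (@@ -30), get_tools (@@ -74) and get_tool_list (@@ -92). If the per-id read/update/delete handlers in these routers still short-circuit their access checks on `user.role == "admin"` (they are not in this diff, so this is unconfirmed), turning the flag off hides items from admin listings without preventing access by id, which makes it a visibility setting rather than an access-control one; either apply the same condition in those handlers or document it as list-visibility only, e.g. `# Hides non-shared items from admin listings; per-item access is checked separately.` Since the expression is now repeated seven times, a single helper in open_webui.utils.access_control such as `def admin_sees_all(user): return user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS` would keep the copies from drifting.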
@@ -90,7 +91,7 @@ async def get_knowledge(user=Depends(get_verified_user)): async def get_knowledge_list(user=Depends(get_verified_user)): knowledge_bases = [] - if user.role == "admin": + if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS: knowledge_bases = Knowledges.get_knowledge_bases() else: knowledge_bases = Knowledges.get_knowledge_bases_by_user_id(user.id, "write") diff --git a/backend/open_webui/routers/models.py b/backend/open_webui/routers/models.py index 3959623b5b..3d5f6ccf96 100644 --- a/backend/open_webui/routers/models.py +++ b/backend/open_webui/routers/models.py @@ -15,7 +15,7 @@ from fastapi import APIRouter, Depends, HTTPException, Request, status from open_webui.utils.auth import get_admin_user, get_verified_user from open_webui.utils.access_control import has_access, has_permission - +from open_webui.config import ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS router = APIRouter() @@ -27,7 +27,7 @@ router = APIRouter() @router.get("/", response_model=list[ModelUserResponse]) async def get_models(id: Optional[str] = None, user=Depends(get_verified_user)): - if user.role == "admin": + if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS: return Models.get_models() else: return Models.get_models_by_user_id(user.id) diff --git a/backend/open_webui/routers/prompts.py b/backend/open_webui/routers/prompts.py index 9fb946c6e7..afc00951fd 100644 --- a/backend/open_webui/routers/prompts.py +++ b/backend/open_webui/routers/prompts.py @@ -1,4 +1,5 @@ from typing import Optional +from fastapi import APIRouter, Depends, HTTPException, status, Request from open_webui.models.prompts import ( PromptForm, 
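Review bot: In get_models (@@ -27) the `id: Optional[str] = None` query parameter is not referenced on either branch of the new condition, so `GET /?id=...` returns the same full list as `GET /`; this predates the commit, but since the branch is being rewritten it is a good moment to either drop the parameter or document it, e.g. `# NOTE: `id` is accepted for backward compatibility and ignored here.` If the body continues past the hunk and consumes `id` there, disregard.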
@@ -7,9 +8,9 @@ from open_webui.models.prompts import ( Prompts, ) from open_webui.constants import ERROR_MESSAGES -from fastapi import APIRouter, Depends, HTTPException, status, Request from open_webui.utils.auth import get_admin_user, get_verified_user from open_webui.utils.access_control import has_access, has_permission +from open_webui.config import ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS router = APIRouter() @@ -20,7 +21,7 @@ router = APIRouter() @router.get("/", response_model=list[PromptModel]) async def get_prompts(user=Depends(get_verified_user)): - if user.role == "admin": + if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS: prompts = Prompts.get_prompts() else: prompts = Prompts.get_prompts_by_user_id(user.id, "read") @@ -30,7 +31,7 @@ async def get_prompts(user=Depends(get_verified_user)): @router.get("/list", response_model=list[PromptUserResponse]) async def get_prompt_list(user=Depends(get_verified_user)): - if user.role == "admin": + if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS: prompts = Prompts.get_prompts() else: prompts = Prompts.get_prompts_by_user_id(user.id, "write") diff --git a/backend/open_webui/routers/tools.py b/backend/open_webui/routers/tools.py index 41415bff04..3c3e06a985 100644 --- a/backend/open_webui/routers/tools.py +++ b/backend/open_webui/routers/tools.py @@ -5,6 +5,8 @@ import time import re import aiohttp from pydantic import BaseModel, HttpUrl +from fastapi import APIRouter, Depends, HTTPException, Request, status + from open_webui.models.tools import ( ToolForm, 
@@ -14,16 +16,15 @@ from open_webui.models.tools import ( Tools, ) from open_webui.utils.plugin import load_tool_module_by_id, replace_imports -from open_webui.config import CACHE_DIR -from open_webui.constants import ERROR_MESSAGES -from fastapi import APIRouter, Depends, HTTPException, Request, status from open_webui.utils.tools import get_tool_specs from open_webui.utils.auth import get_admin_user, get_verified_user from open_webui.utils.access_control import has_access, has_permission -from open_webui.env import SRC_LOG_LEVELS - from open_webui.utils.tools import get_tool_servers_data +from open_webui.env import SRC_LOG_LEVELS +from open_webui.config import CACHE_DIR, ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS +from open_webui.constants import ERROR_MESSAGES + log = logging.getLogger(__name__) log.setLevel(SRC_LOG_LEVELS["MAIN"]) @@ -74,15 +75,17 @@ async def get_tools(request: Request, user=Depends(get_verified_user)): ) ) - if user.role != "admin": + if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS: + # Admin can see all tools + return tools + else: tools = [ tool for tool in tools if tool.user_id == user.id or has_access(user.id, "read", tool.access_control) ] - - return tools + return tools ############################ @@ -92,7 +95,7 @@ async def get_tools(request: Request, user=Depends(get_verified_user)): @router.get("/list", response_model=list[ToolUserResponse]) async def get_tool_list(user=Depends(get_verified_user)): - if user.role == "admin": + if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS: tools = Tools.get_tools() else: tools = Tools.get_tools_by_user_id(user.id, "write")
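Review bot: In get_tools (@@ -74; the function header and the tool-building loop are outside the hunk) the `else:` following `return tools` is redundant, and the added comment `# Admin can see all tools` understates the condition, since admins see everything only while the flag is on. A flat guard reads better and names the behaviour: `if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS:` / `    return tools  # flag on: admins bypass the per-tool access filter below`, followed by the filtering comprehension and the final `return tools` unindented. The behaviour is otherwise equivalent to the old `user.role != "admin"` filter when the flag is on.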