ti.sil/open-webui
1
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2025-12-12 04:15:25 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 4

fix: Default Group ID assignment on SSO/OAUTH and LDAP (#19685)

Browse source 
* fix (#99)

Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>

* Update auths.py

* unified logic

* PUSH

* remove getattr

* rem getattr

* whitespace

* Update oauth.py

* trusted header group sync

Added default group re-application after trusted header group sync

* not apply after syncs

* .

* rem

---------

Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>
This commit is contained in:
Classic298 2025-12-02 22:48:00 +01:00 committed by GitHub
parent 9a65ed2260
commit a49e1d87ad
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 49 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

23
backend/open_webui/routers/auths.py
View file

@ -65,6 +65,7 @@ from open_webui.utils.auth import (
) )
from open_webui.utils.webhook import post_webhook from open_webui.utils.webhook import post_webhook
from open_webui.utils.access_control import get_permissions, has_permission from open_webui.utils.access_control import get_permissions, has_permission
from open_webui.utils.groups import apply_default_group_assignment
from open_webui.utils.redis import get_redis_client from open_webui.utils.redis import get_redis_client
from open_webui.utils.rate_limit import RateLimiter from open_webui.utils.rate_limit import RateLimiter
@ -417,6 +418,11 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
500, detail=ERROR_MESSAGES.CREATE_USER_ERROR 500, detail=ERROR_MESSAGES.CREATE_USER_ERROR
) )
apply_default_group_assignment(
request.app.state.config.DEFAULT_GROUP_ID,
user.id,
)
except HTTPException: except HTTPException:
raise raise
except Exception as err: except Exception as err:
@ -465,7 +471,6 @@ async def ldap_auth(request: Request, response: Response, form_data: LdapForm):
): ):
if ENABLE_LDAP_GROUP_CREATION: if ENABLE_LDAP_GROUP_CREATION:
Groups.create_groups_by_group_names(user.id, user_groups) Groups.create_groups_by_group_names(user.id, user_groups)
try: try:
Groups.sync_groups_by_group_names(user.id, user_groups) Groups.sync_groups_by_group_names(user.id, user_groups)
log.info( log.info(
@ -722,9 +727,10 @@ async def signup(request: Request, response: Response, form_data: SignupForm):
# Disable signup after the first user is created # Disable signup after the first user is created
request.app.state.config.ENABLE_SIGNUP = False request.app.state.config.ENABLE_SIGNUP = False
default_group_id = getattr(request.app.state.config, "DEFAULT_GROUP_ID", "") apply_default_group_assignment(
if default_group_id and default_group_id: request.app.state.config.DEFAULT_GROUP_ID,
Groups.add_users_to_group(default_group_id, [user.id]) user.id,
)
return { return {
"token": token, "token": token,
@ -829,7 +835,9 @@ async def signout(request: Request, response: Response):
@router.post("/add", response_model=SigninResponse) @router.post("/add", response_model=SigninResponse)
async def add_user(form_data: AddUserForm, user=Depends(get_admin_user)): async def add_user(
request: Request, form_data: AddUserForm, user=Depends(get_admin_user)
):
if not validate_email_format(form_data.email.lower()): if not validate_email_format(form_data.email.lower()):
raise HTTPException( raise HTTPException(
status.HTTP_400_BAD_REQUEST, detail=ERROR_MESSAGES.INVALID_EMAIL_FORMAT status.HTTP_400_BAD_REQUEST, detail=ERROR_MESSAGES.INVALID_EMAIL_FORMAT
@ -854,6 +862,11 @@ async def add_user(form_data: AddUserForm, user=Depends(get_admin_user)):
) )
if user: if user:
apply_default_group_assignment(
request.app.state.config.DEFAULT_GROUP_ID,
user.id,
)
token = create_token(data={"id": user.id}) token = create_token(data={"id": user.id})
return { return {
"token": token, "token": token,

24
backend/open_webui/utils/groups.py Normal file
View file

@ -0,0 +1,24 @@
import logging
from open_webui.models.groups import Groups
log = logging.getLogger(__name__)
def apply_default_group_assignment(
default_group_id: str,
user_id: str,
) -> None:
"""
Apply default group assignment to a user if default_group_id is provided.
Args:
default_group_id: ID of the default group to add the user to
user_id: ID of the user to add to the default group
"""
if default_group_id:
try:
Groups.add_users_to_group(default_group_id, [user_id])
except Exception as e:
log.error(
f"Failed to add user {user_id} to default group {default_group_id}: {e}"
)

8
backend/open_webui/utils/oauth.py
View file

@ -72,6 +72,7 @@ from open_webui.env import (
from open_webui.utils.misc import parse_duration from open_webui.utils.misc import parse_duration
from open_webui.utils.auth import get_password_hash, create_token from open_webui.utils.auth import get_password_hash, create_token
from open_webui.utils.webhook import post_webhook from open_webui.utils.webhook import post_webhook
from open_webui.utils.groups import apply_default_group_assignment
from mcp.shared.auth import ( from mcp.shared.auth import (
OAuthClientMetadata as MCPOAuthClientMetadata, OAuthClientMetadata as MCPOAuthClientMetadata,
@ -1167,7 +1168,6 @@ class OAuthManager:
log.debug( log.debug(
f"Removing user from group {group_model.name} as it is no longer in their oauth groups" f"Removing user from group {group_model.name} as it is no longer in their oauth groups"
) )
Groups.remove_users_from_group(group_model.id, [user.id]) Groups.remove_users_from_group(group_model.id, [user.id])
# In case a group is created, but perms are never assigned to the group by hitting "save" # In case a group is created, but perms are never assigned to the group by hitting "save"
@ -1478,6 +1478,12 @@ class OAuthManager:
"user": user.model_dump_json(exclude_none=True), "user": user.model_dump_json(exclude_none=True),
}, },
) )
apply_default_group_assignment(
request.app.state.config.DEFAULT_GROUP_ID,
user.id,
)
else: else:
raise HTTPException( raise HTTPException(
status.HTTP_403_FORBIDDEN, status.HTTP_403_FORBIDDEN,