feat: add granular import/export permissions for workspace items (#19242)

* feat: add granular import/export permissions for workspace items (#55) Co-authored-by: Claude <noreply@anthropic.com> * Fix permissions toggles not saving in EditGroupModal (#58) Co-authored-by: Claude <noreply@anthropic.com> * Fix permissions toggles not saving in EditGroupModal (#59) Co-authored-by: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
2025-12-11 20:05:19 +00:00 · 2025-11-18 00:25:23 +01:00 · 2025-11-18 00:25:23 +01:00 · b4bc71d1bd
commit b4bc71d1bd
parent 0ed174f6a1
13 changed files with 242 additions and 95 deletions
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@ -1231,6 +1231,30 @@ USER_PERMISSIONS_WORKSPACE_TOOLS_ACCESS = (
    os.environ.get("USER_PERMISSIONS_WORKSPACE_TOOLS_ACCESS", "False").lower() == "true"
 )

+USER_PERMISSIONS_WORKSPACE_MODELS_IMPORT = (
+    os.environ.get("USER_PERMISSIONS_WORKSPACE_MODELS_IMPORT", "False").lower() == "true"
+)
+
+USER_PERMISSIONS_WORKSPACE_MODELS_EXPORT = (
+    os.environ.get("USER_PERMISSIONS_WORKSPACE_MODELS_EXPORT", "False").lower() == "true"
+)
+
+USER_PERMISSIONS_WORKSPACE_PROMPTS_IMPORT = (
+    os.environ.get("USER_PERMISSIONS_WORKSPACE_PROMPTS_IMPORT", "False").lower() == "true"
+)
+
+USER_PERMISSIONS_WORKSPACE_PROMPTS_EXPORT = (
+    os.environ.get("USER_PERMISSIONS_WORKSPACE_PROMPTS_EXPORT", "False").lower() == "true"
+)
+
+USER_PERMISSIONS_WORKSPACE_TOOLS_IMPORT = (
+    os.environ.get("USER_PERMISSIONS_WORKSPACE_TOOLS_IMPORT", "False").lower() == "true"
+)
+
+USER_PERMISSIONS_WORKSPACE_TOOLS_EXPORT = (
+    os.environ.get("USER_PERMISSIONS_WORKSPACE_TOOLS_EXPORT", "False").lower() == "true"
+)
+
 USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING = (
    os.environ.get(
        "USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING", "False"
@ -1374,6 +1398,12 @@ DEFAULT_USER_PERMISSIONS = {
        "knowledge": USER_PERMISSIONS_WORKSPACE_KNOWLEDGE_ACCESS,
        "prompts": USER_PERMISSIONS_WORKSPACE_PROMPTS_ACCESS,
        "tools": USER_PERMISSIONS_WORKSPACE_TOOLS_ACCESS,
+        "models_import": USER_PERMISSIONS_WORKSPACE_MODELS_IMPORT,
+        "models_export": USER_PERMISSIONS_WORKSPACE_MODELS_EXPORT,
+        "prompts_import": USER_PERMISSIONS_WORKSPACE_PROMPTS_IMPORT,
+        "prompts_export": USER_PERMISSIONS_WORKSPACE_PROMPTS_EXPORT,
+        "tools_import": USER_PERMISSIONS_WORKSPACE_TOOLS_IMPORT,
+        "tools_export": USER_PERMISSIONS_WORKSPACE_TOOLS_EXPORT,
    },
    "sharing": {
        "public_models": USER_PERMISSIONS_WORKSPACE_MODELS_ALLOW_PUBLIC_SHARING,
--- a/backend/open_webui/routers/models.py
+++ b/backend/open_webui/routers/models.py
@ -113,8 +113,19 @@ async def create_new_model(


@router.get("/export", response_model=list[ModelModel])
-async def export_models(user=Depends(get_admin_user)):
+async def export_models(request: Request, user=Depends(get_verified_user)):
+    if user.role != "admin" and not has_permission(
+        user.id, "workspace.models_export", request.app.state.config.USER_PERMISSIONS
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=ERROR_MESSAGES.UNAUTHORIZED,
+        )
+
+    if user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL:
        return Models.get_models()
+    else:
+        return Models.get_models_by_user_id(user.id)


 ############################
@ -128,8 +139,17 @@ class ModelsImportForm(BaseModel):

@router.post("/import", response_model=bool)
 async def import_models(
-    user: str = Depends(get_admin_user), form_data: ModelsImportForm = (...)
+    request: Request,
+    user=Depends(get_verified_user),
+    form_data: ModelsImportForm = (...),
 ):
+    if user.role != "admin" and not has_permission(
+        user.id, "workspace.models_import", request.app.state.config.USER_PERMISSIONS
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=ERROR_MESSAGES.UNAUTHORIZED,
+        )
    try:
        data = form_data.models
        if isinstance(data, list):
--- a/backend/open_webui/routers/prompts.py
+++ b/backend/open_webui/routers/prompts.py
@ -48,8 +48,13 @@ async def get_prompt_list(user=Depends(get_verified_user)):
 async def create_new_prompt(
    request: Request, form_data: PromptForm, user=Depends(get_verified_user)
 ):
-    if user.role != "admin" and not has_permission(
+    if user.role != "admin" and not (
+        has_permission(
            user.id, "workspace.prompts", request.app.state.config.USER_PERMISSIONS
+        )
+        or has_permission(
+            user.id, "workspace.prompts_import", request.app.state.config.USER_PERMISSIONS
+        )
    ):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
--- a/backend/open_webui/routers/tools.py
+++ b/backend/open_webui/routers/tools.py
@ -247,9 +247,19 @@ async def load_tool_from_url(


@router.get("/export", response_model=list[ToolModel])
-async def export_tools(user=Depends(get_admin_user)):
-    tools = Tools.get_tools()
-    return tools
+async def export_tools(request: Request, user=Depends(get_verified_user)):
+    if user.role != "admin" and not has_permission(
+        user.id, "workspace.tools_export", request.app.state.config.USER_PERMISSIONS
+    ):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail=ERROR_MESSAGES.UNAUTHORIZED,
+        )
+
+    if user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL:
+        return Tools.get_tools()
+    else:
+        return Tools.get_tools_by_user_id(user.id, "read")


 ############################
@ -263,8 +273,13 @@ async def create_new_tools(
    form_data: ToolForm,
    user=Depends(get_verified_user),
 ):
-    if user.role != "admin" and not has_permission(
+    if user.role != "admin" and not (
+        has_permission(
            user.id, "workspace.tools", request.app.state.config.USER_PERMISSIONS
+        )
+        or has_permission(
+            user.id, "workspace.tools_import", request.app.state.config.USER_PERMISSIONS
+        )
    ):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
--- a/backend/open_webui/routers/users.py
+++ b/backend/open_webui/routers/users.py
@ -150,6 +150,12 @@ class WorkspacePermissions(BaseModel):
    knowledge: bool = False
    prompts: bool = False
    tools: bool = False
+    models_import: bool = False
+    models_export: bool = False
+    prompts_import: bool = False
+    prompts_export: bool = False
+    tools_import: bool = False
+    tools_export: bool = False


 class SharingPermissions(BaseModel):
--- a/src/lib/components/admin/Users/Groups/EditGroupModal.svelte
+++ b/src/lib/components/admin/Users/Groups/EditGroupModal.svelte
@ -39,13 +39,20 @@
 			models: false,
 			knowledge: false,
 			prompts: false,
-			tools: false
+			tools: false,
+			models_import: false,
+			models_export: false,
+			prompts_import: false,
+			prompts_export: false,
+			tools_import: false,
+			tools_export: false
 		},
 		sharing: {
 			public_models: false,
 			public_knowledge: false,
 			public_prompts: false,
-			public_tools: false
+			public_tools: false,
+			public_notes: false
 		},
 		chat: {
 			controls: true,
@ -72,7 +79,8 @@
 			direct_tool_servers: false,
 			web_search: true,
 			image_generation: true,
-			code_interpreter: true
+			code_interpreter: true,
+			notes: true
 		}
 	};
 	export let userIds = [];
--- a/src/lib/components/admin/Users/Groups/Permissions.svelte
+++ b/src/lib/components/admin/Users/Groups/Permissions.svelte
@ -11,7 +11,13 @@
 			models: false,
 			knowledge: false,
 			prompts: false,
-			tools: false
+			tools: false,
+			models_import: false,
+			models_export: false,
+			prompts_import: false,
+			prompts_export: false,
+			tools_import: false,
+			tools_export: false
 		},
 		sharing: {
 			public_models: false,
@ -97,6 +103,23 @@
 					</div>
 				</div>
 			{/if}
+
+			{#if permissions.workspace.models}
+				<div class="ml-4 flex flex-col gap-1 mt-1">
+					<div class="flex w-full justify-between my-1">
+						<div class="self-center text-xs">
+							{$i18n.t('Import Models')}
+						</div>
+						<Switch bind:state={permissions.workspace.models_import} />
+					</div>
+					<div class="flex w-full justify-between my-1">
+						<div class="self-center text-xs">
+							{$i18n.t('Export Models')}
+						</div>
+						<Switch bind:state={permissions.workspace.models_export} />
+					</div>
+				</div>
+			{/if}
 		</div>

 		<div class="flex flex-col w-full">
@ -129,6 +152,23 @@
 					</div>
 				</div>
 			{/if}
+
+			{#if permissions.workspace.prompts}
+				<div class="ml-4 flex flex-col gap-1 mt-1">
+					<div class="flex w-full justify-between my-1">
+						<div class="self-center text-xs">
+							{$i18n.t('Import Prompts')}
+						</div>
+						<Switch bind:state={permissions.workspace.prompts_import} />
+					</div>
+					<div class="flex w-full justify-between my-1">
+						<div class="self-center text-xs">
+							{$i18n.t('Export Prompts')}
+						</div>
+						<Switch bind:state={permissions.workspace.prompts_export} />
+					</div>
+				</div>
+			{/if}
 		</div>

 		<div class="flex flex-col w-full">
@ -151,6 +191,23 @@
 					</div>
 				</div>
 			{/if}
+
+			{#if permissions.workspace.tools}
+				<div class="ml-4 flex flex-col gap-1 mt-1">
+					<div class="flex w-full justify-between my-1">
+						<div class="self-center text-xs">
+							{$i18n.t('Import Tools')}
+						</div>
+						<Switch bind:state={permissions.workspace.tools_import} />
+					</div>
+					<div class="flex w-full justify-between my-1">
+						<div class="self-center text-xs">
+							{$i18n.t('Export Tools')}
+						</div>
+						<Switch bind:state={permissions.workspace.tools_export} />
+					</div>
+				</div>
+			{/if}
 		</div>
 	</div>

--- a/src/lib/components/workspace/Models.svelte
+++ b/src/lib/components/workspace/Models.svelte
@ -308,7 +308,7 @@
 			</div>

 			<div class="flex w-full justify-end gap-1.5">
-				{#if $user?.role === 'admin'}
+				{#if $user?.role === 'admin' || $user?.permissions?.workspace?.models_import}
 					<button
 						class="flex text-xs items-center space-x-1 px-3 py-1.5 rounded-xl bg-gray-50 hover:bg-gray-100 dark:bg-gray-850 dark:hover:bg-gray-800 dark:text-gray-200 transition"
 						on:click={() => {
@ -319,8 +319,9 @@
 							{$i18n.t('Import')}
 						</div>
 					</button>
+				{/if}

-					{#if models.length}
+				{#if models.length && ($user?.role === 'admin' || $user?.permissions?.workspace?.models_export)}
 					<button
 						class="flex text-xs items-center space-x-1 px-3 py-1.5 rounded-xl bg-gray-50 hover:bg-gray-100 dark:bg-gray-850 dark:hover:bg-gray-800 dark:text-gray-200 transition"
 						on:click={async () => {
@ -332,7 +333,6 @@
 						</div>
 					</button>
 				{/if}
-				{/if}
 				<a
 					class=" px-2 py-1.5 rounded-xl bg-black text-white dark:bg-white dark:text-black transition font-medium text-sm flex items-center"
 					href="/workspace/models/create"
--- a/src/lib/components/workspace/Models/ModelMenu.svelte
+++ b/src/lib/components/workspace/Models/ModelMenu.svelte
@ -14,7 +14,7 @@
 	import Download from '$lib/components/icons/Download.svelte';
 	import ArrowUpCircle from '$lib/components/icons/ArrowUpCircle.svelte';

-	import { config } from '$lib/stores';
+	import { config, user as currentUser } from '$lib/stores';
 	import Link from '$lib/components/icons/Link.svelte';

 	const i18n = getContext('i18n');
@ -148,6 +148,7 @@
 				<div class="flex items-center">{$i18n.t('Copy Link')}</div>
 			</DropdownMenu.Item>

+			{#if $currentUser?.role === 'admin' || $currentUser?.permissions?.workspace?.models_export}
 				<DropdownMenu.Item
 					class="flex gap-2 items-center px-3 py-1.5 text-sm  cursor-pointer hover:bg-gray-50 dark:hover:bg-gray-800 rounded-xl"
 					on:click={() => {
@ -158,6 +159,7 @@

 					<div class="flex items-center">{$i18n.t('Export')}</div>
 				</DropdownMenu.Item>
+			{/if}

 			{#if $config?.features.enable_community_sharing}
 				<DropdownMenu.Item
--- a/src/lib/components/workspace/Prompts.svelte
+++ b/src/lib/components/workspace/Prompts.svelte
@ -225,7 +225,7 @@
 			</div>

 			<div class="flex w-full justify-end gap-1.5">
-				{#if $user?.role === 'admin'}
+				{#if $user?.role === 'admin' || $user?.permissions?.workspace?.prompts_import}
 					<button
 						class="flex text-xs items-center space-x-1 px-3 py-1.5 rounded-xl bg-gray-50 hover:bg-gray-100 dark:bg-gray-850 dark:hover:bg-gray-800 dark:text-gray-200 transition"
 						on:click={() => {
@ -236,8 +236,9 @@
 							{$i18n.t('Import')}
 						</div>
 					</button>
+				{/if}

-					{#if prompts.length}
+				{#if prompts.length && ($user?.role === 'admin' || $user?.permissions?.workspace?.prompts_export)}
 					<button
 						class="flex text-xs items-center space-x-1 px-3 py-1.5 rounded-xl bg-gray-50 hover:bg-gray-100 dark:bg-gray-850 dark:hover:bg-gray-800 dark:text-gray-200 transition"
 						on:click={async () => {
@ -252,7 +253,6 @@
 						</div>
 					</button>
 				{/if}
-				{/if}
 				<a
 					class=" px-2 py-1.5 rounded-xl bg-black text-white dark:bg-white dark:text-black transition font-medium text-sm flex items-center"
 					href="/workspace/prompts/create"
--- a/src/lib/components/workspace/Prompts/PromptMenu.svelte
+++ b/src/lib/components/workspace/Prompts/PromptMenu.svelte
@ -2,7 +2,7 @@
 	import { DropdownMenu } from 'bits-ui';
 	import { flyAndScale } from '$lib/utils/transitions';
 	import { getContext } from 'svelte';
-	import { config } from '$lib/stores';
+	import { config, user } from '$lib/stores';

 	import Dropdown from '$lib/components/common/Dropdown.svelte';
 	import GarbageBin from '$lib/components/icons/GarbageBin.svelte';
@ -68,6 +68,7 @@
 				<div class="flex items-center">{$i18n.t('Clone')}</div>
 			</DropdownMenu.Item>

+			{#if $user?.role === 'admin' || $user?.permissions?.workspace?.prompts_export}
 				<DropdownMenu.Item
 					class="flex gap-2 items-center px-3 py-1.5 text-sm  cursor-pointer hover:bg-gray-50 dark:hover:bg-gray-800 rounded-xl"
 					on:click={() => {
@ -78,6 +79,7 @@

 					<div class="flex items-center">{$i18n.t('Export')}</div>
 				</DropdownMenu.Item>
+			{/if}

 			<hr class="border-gray-50 dark:border-gray-850 my-1" />

--- a/src/lib/components/workspace/Tools.svelte
+++ b/src/lib/components/workspace/Tools.svelte
@ -232,7 +232,7 @@
 			</div>

 			<div class="flex w-full justify-end gap-1.5">
-				{#if $user?.role === 'admin'}
+				{#if $user?.role === 'admin' || $user?.permissions?.workspace?.tools_import}
 					<button
 						class="flex text-xs items-center space-x-1 px-3 py-1.5 rounded-xl bg-gray-50 hover:bg-gray-100 dark:bg-gray-850 dark:hover:bg-gray-800 dark:text-gray-200 transition"
 						on:click={() => {
@ -243,8 +243,9 @@
 							{$i18n.t('Import')}
 						</div>
 					</button>
+				{/if}

-					{#if tools.length}
+				{#if tools.length && ($user?.role === 'admin' || $user?.permissions?.workspace?.tools_export)}
 					<button
 						class="flex text-xs items-center space-x-1 px-3 py-1.5 rounded-xl bg-gray-50 hover:bg-gray-100 dark:bg-gray-850 dark:hover:bg-gray-800 dark:text-gray-200 transition"
 						on:click={async () => {
@ -266,7 +267,6 @@
 						</div>
 					</button>
 				{/if}
-				{/if}

 				{#if $user?.role === 'admin'}
 					<AddToolMenu
--- a/src/lib/components/workspace/Tools/ToolMenu.svelte
+++ b/src/lib/components/workspace/Tools/ToolMenu.svelte
@ -12,7 +12,7 @@
 	import ArchiveBox from '$lib/components/icons/ArchiveBox.svelte';
 	import DocumentDuplicate from '$lib/components/icons/DocumentDuplicate.svelte';
 	import Download from '$lib/components/icons/Download.svelte';
-	import { config } from '$lib/stores';
+	import { config, user } from '$lib/stores';

 	const i18n = getContext('i18n');

@ -93,6 +93,7 @@
 				<div class="flex items-center">{$i18n.t('Clone')}</div>
 			</DropdownMenu.Item>

+			{#if $user?.role === 'admin' || $user?.permissions?.workspace?.tools_export}
 				<DropdownMenu.Item
 					class="flex gap-2 items-center px-3 py-1.5 text-sm  cursor-pointer hover:bg-gray-50 dark:hover:bg-gray-800 rounded-xl"
 					on:click={() => {
@ -103,6 +104,7 @@

 					<div class="flex items-center">{$i18n.t('Export')}</div>
 				</DropdownMenu.Item>
+			{/if}

 			<hr class="border-gray-50 dark:border-gray-850 my-1" />