Fix admin model access (#17)

* Update models.py * Update models.py * Update models.py * Update ollama.py * Update openai.py * Update models.py * Update openai.py * Update ollama.py
2025-12-11 20:05:19 +00:00 · 2025-08-11 23:23:44 +02:00 · 2025-08-11 23:23:44 +02:00 · d8c4dd6f79
commit d8c4dd6f79
parent 62506b1955
2 changed files with 58 additions and 40 deletions
--- a/backend/open_webui/routers/models.py
+++ b/backend/open_webui/routers/models.py
@ -117,7 +117,7 @@ async def get_model_by_id(id: str, user=Depends(get_verified_user)):
    model = Models.get_model_by_id(id)
    if model:
        if (
-            user.role == "admin"
+            (user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS)
            or model.user_id == user.id
            or has_access(user.id, "read", model.access_control)
        ):
--- a/backend/open_webui/utils/models.py
+++ b/backend/open_webui/utils/models.py
@ -23,6 +23,7 @@ from open_webui.utils.access_control import has_access
 from open_webui.config import (
    DEFAULT_ARENA_MODEL,
    ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS,
 )
 from open_webui.env import SRC_LOG_LEVELS, GLOBAL_LOG_LEVEL
@ -181,45 +182,62 @@ async def get_all_models(request, refresh: bool = False, user: UserModel = None)
        elif custom_model.is_active and (
            custom_model.id not in [model["id"] for model in models]
        ):
-            owned_by = "openai"
+            # Check access control for custom models
-            pipe = None
+            should_include = False
-
+            
-            action_ids = []
+            if user and user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS:
-            filter_ids = []
+                # Admin with full workspace access
-
+                should_include = True
-            for model in models:
+            elif user and user.id == custom_model.user_id:
-                if (
+                # Owner always has access
-                    custom_model.base_model_id == model["id"]
+                should_include = True
-                    or custom_model.base_model_id == model["id"].split(":")[0]
+            elif user and has_access(user.id, "read", custom_model.access_control):
-                ):
+                # User has explicit read access
-                    owned_by = model.get("owned_by", "unknown owner")
+                should_include = True
-                    if "pipe" in model:
+            elif not user:
-                        pipe = model["pipe"]
+                # No user context - include for backwards compatibility
-                    break
+                should_include = True
-
+            
-            if custom_model.meta:
+            if should_include:
-                meta = custom_model.meta.model_dump()
+                owned_by = "openai"
-
+                pipe = None
-                if "actionIds" in meta:
+        
-                    action_ids.extend(meta["actionIds"])
+                action_ids = []
-
+                filter_ids = []
-                if "filterIds" in meta:
+        
-                    filter_ids.extend(meta["filterIds"])
+                for model in models:
-
+                    if (
-            models.append(
+                        custom_model.base_model_id == model["id"]
-                {
+                        or custom_model.base_model_id == model["id"].split(":")[0]
-                    "id": f"{custom_model.id}",
+                    ):
-                    "name": custom_model.name,
+                        owned_by = model.get("owned_by", "unknown owner")
-                    "object": "model",
+                        if "pipe" in model:
-                    "created": custom_model.created_at,
+                            pipe = model["pipe"]
-                    "owned_by": owned_by,
+                        break
-                    "info": custom_model.model_dump(),
+        
-                    "preset": True,
+                if custom_model.meta:
-                    **({"pipe": pipe} if pipe is not None else {}),
+                    meta = custom_model.meta.model_dump()
-                    "action_ids": action_ids,
+        
-                    "filter_ids": filter_ids,
+                    if "actionIds" in meta:
-                }
+                        action_ids.extend(meta["actionIds"])
-            )
+        
                    if "filterIds" in meta:
                        filter_ids.extend(meta["filterIds"])
                models.append(
                    {
                        "id": f"{custom_model.id}",
                        "name": custom_model.name,
                        "object": "model",
                        "created": custom_model.created_at,
                        "owned_by": owned_by,
                        "info": custom_model.model_dump(),
                        "preset": True,
                        **({"pipe": pipe} if pipe is not None else {}),
                        "action_ids": action_ids,
                        "filter_ids": filter_ids,
                    }
                )
    # Process action_ids to get the actions
    def get_action_items_from_module(function, module):