From df66e21472646648d008ebb22b0e8d5424d491df Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek <tim@openwebui.com>
Date: Wed, 3 Sep 2025 18:50:02 +0400
Subject: [PATCH] enh: regex pattern support for groups

---
 backend/open_webui/utils/oauth.py | 51 +++++++++++++++++++++++++++++--
 1 file changed, 49 insertions(+), 2 deletions(-)

diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index 9385897f4c..d38771d4c1 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -5,6 +5,9 @@ import sys
 import uuid
 import json
 
+import re
+import fnmatch
+
 import aiohttp
 from authlib.integrations.starlette_client import OAuth
 from authlib.oidc.core import UserInfo
@@ -79,6 +82,50 @@ auth_manager_config.JWT_EXPIRES_IN = JWT_EXPIRES_IN
 auth_manager_config.OAUTH_UPDATE_PICTURE_ON_LOGIN = OAUTH_UPDATE_PICTURE_ON_LOGIN
 
 
+def is_in_blocked_groups(group_name: str, groups: list) -> bool:
+    """
+    Check if a group name matches any blocked pattern.
+    Supports exact matches, shell-style wildcards (*, ?), and regex patterns.
+
+    Args:
+        group_name: The group name to check
+        groups: List of patterns to match against
+
+    Returns:
+        True if the group is blocked, False otherwise
+    """
+    if not groups:
+        return False
+
+    for group_pattern in groups:
+        if not group_pattern:  # Skip empty patterns
+            continue
+
+        # Exact match
+        if group_name == group_pattern:
+            return True
+
+        # Try as regex pattern first if it contains regex-specific characters
+        if any(
+            char in group_pattern
+            for char in ["^", "$", "[", "]", "(", ")", "{", "}", "+", "\\", "|"]
+        ):
+            try:
+                # Use the original pattern as-is for regex matching
+                if re.search(group_pattern, group_name):
+                    return True
+            except re.error:
+                # If regex is invalid, fall through to wildcard check
+                pass
+
+        # Shell-style wildcard match (supports * and ?)
+        if "*" in group_pattern or "?" in group_pattern:
+            if fnmatch.fnmatch(group_name, group_pattern):
+                return True
+
+    return False
+
+
 class OAuthManager:
     def __init__(self, app):
         self.oauth = OAuth()
@@ -238,7 +285,7 @@ class OAuthManager:
             if (
                 user_oauth_groups
                 and group_model.name not in user_oauth_groups
-                and group_model.name not in blocked_groups
+                and not is_in_blocked_groups(group_model.name, blocked_groups)
             ):
                 # Remove group from user
                 log.debug(
@@ -269,7 +316,7 @@ class OAuthManager:
                 user_oauth_groups
                 and group_model.name in user_oauth_groups
                 and not any(gm.name == group_model.name for gm in user_current_groups)
-                and group_model.name not in blocked_groups
+                and not is_in_blocked_groups(group_model.name, blocked_groups)
             ):
                 # Add user to group
                 log.debug(