* sequential
* zero default
* fix
* fix: preserve absolute paths in sqlite+sqlcipher URLs
Previously, the connection logic incorrectly stripped the leading slash
from `sqlite+sqlcipher` paths, forcibly converting absolute paths
(e.g., `sqlite+sqlcipher:////app/data.db`) into relative paths
(which became `app/data.db`). This caused database initialization failures
when using absolute paths, such as with Docker volume mounts.
This change removes the slash-stripping logic, ensuring that absolute
path conventions (starting with `/`) are respected while maintaining
support for relative paths (which do not start with `/`).
* fix: MCP OAuth 2.1 token exchange and multi-node propagation
Fix two MCP OAuth 2.1 bugs affecting tool server authentication:
1. Token exchange failing with duplicate credentials (#19823)
- Removed explicit client_id/client_secret passing in handle_callback()
- Authlib already has credentials configured during add_client(),
passing them again caused concatenation (e.g., "ID1,ID1") and 401 errors
- Added token validation to detect missing access_token and provide
clear error messages instead of cryptic database constraint errors
2. OAuth clients not propagating across multi-node setups (#19901)
- Updated get_client() and get_client_info() to auto-lazy-load
OAuth clients from the Redis-synced TOOL_SERVER_CONNECTIONS config
- Clients are now instantiated on-demand on any node that needs them
Fixes#19823, #19901
* Update db.py
* Update wrappers.py
* sequential
* zero default
* fix
* fix: preserve absolute paths in sqlite+sqlcipher URLs
Previously, the connection logic incorrectly stripped the leading slash
from `sqlite+sqlcipher` paths, forcibly converting absolute paths
(e.g., `sqlite+sqlcipher:////app/data.db`) into relative paths
(which became `app/data.db`). This caused database initialization failures
when using absolute paths, such as with Docker volume mounts.
This change removes the slash-stripping logic, ensuring that absolute
path conventions (starting with `/`) are respected while maintaining
support for relative paths (which do not start with `/`).
- Changed default sort order in 'Edit Group' modal to 'created_at' (newest first).
Previously it sorted by group membership, causing toggled users to invisible jump
to the top of the list (often changing pages). using a stable sort fixes this UX issue.
- Removed unnecessary `page = 1` reset in toggleMember function so admins
don't lose their place when selecting multiple users.
Bug 2 - Model Image Display Bug:
- Added `Cache-Control: no-cache, must-revalidate` headers to the model profile
image endpoint. This ensures that when a model avatar is updated, the browser
fetches the new image instead of serving a stale cached version (favicon).
Fixes#19885
* fix: prevent ExternalReranker from blocking event loop during RAG queries (#120)
Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>
Fixes#19900
* Merge pull request open-webui#19030 from open-webui/dev (#122)
Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>
Fixes#19900
---------
Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>
* fix: enforce global ENABLE_CHANNELS check on all channel endpoints
When channels are disabled globally (ENABLE_CHANNELS=false), users with
channel permissions could still fetch channels via API endpoints. This
fix adds a get_enabled_channels dependency to all 22 channel endpoints
that returns 403 Forbidden when channels are globally disabled.
Fixes#19914
* refac
* refac
* feat: Add Excel file viewer to FileItemModal
* feat: Add CSV file viewer to FileItemModal
* feat: Add Markdown and Code syntax highlighting to file viewer
* chore: add dependency
* fix: default to raw text view for Excel/Code/MD files
* fix: only show rows count in preview tab for excel files
* Merge pull request open-webui#19030 from open-webui/dev (#115)
Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>
Resolves#13026
* Claude/find active user count 1ct t1 (#116)
Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>
Resolves#13026
* Claude/find active user count 1ct t1 (#117)
Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>
Resolves#13026
---------
Co-authored-by: Tim Baek <tim@openwebui.com>
Co-authored-by: Claude <noreply@anthropic.com>
* fix: preserve access_control when cloning prompts
Cloned prompts now inherit the original prompt's access_control settings
instead of defaulting to null/public. This ensures that permission and
sharing restrictions are carried over with clones as expected.
If the original prompt doesn't have access_control set, defaults to {}
(private) which matches the behavior of newly created prompts.
Fixes#19360
* fix: clone access control
