fix: direct model access control

backend/open_webui/routers/models.py

@@ -8,7 +8,9 @@ import logging
 from open_webui.models.groups import Groups
 from open_webui.models.models import (
     ModelForm,
+    ModelMeta,
     ModelModel,
+    ModelParams,
     ModelResponse,
     ModelListResponse,
     ModelAccessListResponse,
@@ -521,11 +523,30 @@ async def update_model_access_by_id(
     db: Session = Depends(get_session),
 ):
     model = Models.get_model_by_id(form_data.id, db=db)
+
+    # Non-preset models (e.g. direct Ollama/OpenAI models) may not have a DB
+    # entry yet. Create a minimal one so access grants can be stored.
     if not model:
-        raise HTTPException(
+        if user.role != "admin":
-            status_code=status.HTTP_404_NOT_FOUND,
+            raise HTTPException(
-            detail=ERROR_MESSAGES.NOT_FOUND,
+                status_code=status.HTTP_403_FORBIDDEN,
+                detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
+            )
+        model = Models.insert_new_model(
+            ModelForm(
+                id=form_data.id,
+                name=form_data.id,
+                meta=ModelMeta(),
+                params=ModelParams(),
+            ),
+            user.id,
+            db=db,
         )
+        if not model:
+            raise HTTPException(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                detail=ERROR_MESSAGES.DEFAULT("Error creating model entry"),
+            )
 
     if (
         model.user_id != user.id

src/lib/components/workspace/Models/ModelEditor.svelte

@@ -349,7 +349,7 @@
 					await updateModelAccessGrants(localStorage.token, model.id, accessGrants);
 					toast.success($i18n.t('Saved'));
 				} catch (error) {
-					toast.error(`${error}`);
+					toast.error(error?.detail ?? `${error}`);
 				}
 			}
 		}}