Commit Graph

16604 Commits

Author SHA1 Message Date
Classic298
359590ca9d fix: wire workspace.skills into the sidebar + workspace-index gates (#24729)
Reported by bwgabrielsusai on #24719: granting a user only
`workspace.skills` doesn't show the Workspace menu, and visiting
`/workspace` directly bounces them to `/`.

The per-route guard in `/workspace/+layout.svelte` already covered
skills, but two earlier gates in the chain didn't:

* `Sidebar.svelte` case 'workspace' OR'd models/knowledge/prompts/tools
  to decide menu visibility — skills was missing, so the entry never
  rendered for skills-only users.
* `/workspace/+page.svelte` redirect chain picked the first available
  section — skills was missing, so the fallback `goto('/')` fired.

Adding skills to both.
2026-05-15 09:34:23 +09:00
G30
eba1540a95 feat(ui): add emoji picker to rich text formatting toolbar (#24704) 2026-05-15 09:32:56 +09:00
Algorithm5838
ae48838b04 fix: tag composite pk in migration (#24722) 2026-05-15 09:31:27 +09:00
Classic298
6360af36d8 Update SECURITY.md (#24726) 2026-05-15 09:30:48 +09:00
mayamsin
1ded5ce969 i18n: update Russian translations (#24728) 2026-05-15 09:30:10 +09:00
Classic298
0cd1529008 fix: default optional env vars used with bash ,, in start.sh (#24683)
start.sh runs with `set -euo pipefail`, but three call sites added in
070ab2650 (refac: reorganize scripts and ci workflows) reference
optional env vars via bash's `,,` lowercase expansion without any
default. Containers that don't set these vars — the default for every
deployment that isn't explicitly opting into Playwright / bundled
Ollama / CUDA — crash on startup with:

    start.sh: line 15: WEB_LOADER_ENGINE: unbound variable

(and the same for USE_OLLAMA_DOCKER, USE_CUDA_DOCKER once the first
were set in turn.) Reported in open-webui#24560 by urbenlegend.

The same refactor correctly defaulted every other optional env var
with `${VAR:-…}`. The three `,,` references slipped through because
bash can't combine `:-default` with `,,` in a single substitution —
`${VAR:-default,,}` makes the default literal `,,`, not what's wanted.

Fix: normalise the three vars in a one-line preamble with `${VAR:=}`,
which assigns an empty default if unset. The downstream `${VAR,,}`
expressions stay exactly as Tim wrote them, preserving the file's
visual style and matching the existing `${VAR:-…}` idiom for "this
variable is optional".
2026-05-15 09:29:25 +09:00
Timothy Jaeryang Baek
9263b7568e refac
Co-Authored-By: Classic298 <27028174+Classic298@users.noreply.github.com>
2026-05-14 14:12:42 +09:00
Timothy Jaeryang Baek
73d2065227 fix: legacy peewee tables fk 2026-05-14 14:06:46 +09:00
Timothy Jaeryang Baek
d7cfc1e46a refac 2026-05-14 14:06:32 +09:00
Timothy Jaeryang Baek
9717ada92f refac 2026-05-14 14:05:28 +09:00
Timothy Jaeryang Baek
9a8969ca93 refac 2026-05-14 13:49:50 +09:00
Timothy Jaeryang Baek
2e1b671e8d refac 2026-05-14 13:49:15 +09:00
Timothy Jaeryang Baek
db2b3d7fd8 refac 2026-05-14 13:46:54 +09:00
Timothy Jaeryang Baek
1004dad274 refac 2026-05-14 13:46:36 +09:00
Timothy Jaeryang Baek
ee3b14233a refac 2026-05-14 13:46:23 +09:00
Timothy Jaeryang Baek
dc0f8ae6f2 refac 2026-05-14 13:46:08 +09:00
Timothy Jaeryang Baek
1b9d22e324 refac 2026-05-14 13:45:59 +09:00
Timothy Jaeryang Baek
98d3b23085 refac 2026-05-14 13:45:39 +09:00
Timothy Jaeryang Baek
6b1df94bf9 refac 2026-05-14 13:45:31 +09:00
Timothy Jaeryang Baek
95840e307a refac 2026-05-14 13:45:21 +09:00
Timothy Jaeryang Baek
6df09a4039 refac 2026-05-14 13:45:12 +09:00
Timothy Jaeryang Baek
459b1c3fda refac 2026-05-14 13:45:05 +09:00
Timothy Jaeryang Baek
bd9f82d5a6 refac 2026-05-14 13:44:50 +09:00
Timothy Jaeryang Baek
e5c8f8110a refac 2026-05-14 13:19:00 +09:00
Timothy Jaeryang Baek
9c14740ffb refac 2026-05-14 13:12:59 +09:00
Timothy Jaeryang Baek
74ae177d79 refac 2026-05-14 13:10:37 +09:00
Timothy Jaeryang Baek
1ea54c3217 refac 2026-05-14 13:10:22 +09:00
Timothy Jaeryang Baek
f0e88dadc8 refac 2026-05-14 13:08:53 +09:00
Classic298
5cc1eb5170 fix: enforce features.direct_tool_servers on chat-completion tool_servers (#24693)
* fix: enforce features.direct_tool_servers on chat-completion tool_servers

The features.direct_tool_servers per-user permission was correctly
enforced on the storage path (routers/users.py user/settings/update,
which strips toolServers from saved settings when the caller lacks the
permission), but the inference path (/api/chat/completions) popped
tool_servers straight from the request body into metadata with no
permission check. The middleware (utils/middleware.py:2799) then
consumed direct_tool_servers to inject system_prompt into the message
array and register external tool specs that get invoked during the
completion. End result: any authenticated user could bypass the
admin-set per-user feature toggle and use inline tool_servers in their
chat-completion requests, even when admin had explicitly denied the
permission.

Default for USER_PERMISSIONS_FEATURES_DIRECT_TOOL_SERVERS is False
(config.py:2750), so under default config no regular user is supposed
to be able to use direct tool servers — making this a real boundary
bypass on out-of-the-box deployments rather than a corner case.

Mirror the storage-side behaviour at the inference entry point: pop
tool_servers from the request body, then silently drop the value if
the caller is non-admin and lacks features.direct_tool_servers. Admins
always pass; users with the explicit grant always pass; everyone else
gets None propagated into metadata, which the middleware already
handles as the no-tool-servers case.

Reported by berkant-koc in GHSA-f582-c373-jjf6.

Co-authored-by: berkant-koc <berkant-koc@users.noreply.github.com>

* chore: trim verbose comment on tool_servers permission check

---------

Co-authored-by: berkant-koc <berkant-koc@users.noreply.github.com>
2026-05-14 13:08:33 +09:00
Timothy Jaeryang Baek
ae06e199d5 refac 2026-05-14 03:25:54 +09:00
Timothy Jaeryang Baek
cc16e06c32 refac 2026-05-14 03:10:48 +09:00
Timothy Jaeryang Baek
81f611fb73 refac 2026-05-14 03:06:37 +09:00
Timothy Jaeryang Baek
245e0ee029 refac 2026-05-14 03:01:48 +09:00
Classic298
ba78ebea27 fix: validate folder_id ownership on chat create + folder-update endpoints (#24588)
POST /api/v1/chats/new and POST /api/v1/chats/{id}/folder accepted a
caller-supplied folder_id with no validation — neither ownership, nor
existence, nor UUID format. The row was persisted with the supplied
value verbatim, so the DB ended up with chat rows whose folder_id
referenced another user's folder, a non-existent UUID, or even a
non-UUID string.

No read path surfaces this across users — every chat-folder read is
user_id-filtered on both sides — so this is referential-integrity
hardening rather than a security boundary fix. But there's no reason
to accept dangling references either, and the downstream consumers
shouldn't have to assume the column is clean.

Add a Folders.get_folder_by_id_and_user_id() lookup at both writers:
if a folder_id is supplied, it must match a folder owned by the
caller. None remains allowed (chat-without-folder is the default).
Non-existent and non-UUID values fall through to 404.

Reported by ShigekiTsuchiyama in GHSA-4vrg-2vcq-q7jc.

Co-authored-by: ShigekiTsuchiyama <ShigekiTsuchiyama@users.noreply.github.com>
2026-05-14 02:57:57 +09:00
Timothy Jaeryang Baek
f607337582 refac 2026-05-14 02:56:44 +09:00
Aleix Dorca
2a7524056a i18n: Update catalan translation.json (#24569) 2026-05-14 02:49:32 +09:00
Timothy Jaeryang Baek
0214c8db24 fix: korean i18n 2026-05-14 02:41:54 +09:00
Timothy Jaeryang Baek
8aa2a42dc7 refac 2026-05-14 02:40:20 +09:00
Asbjørn Dyhrberg Thegler
f6d8e1e38d Fix translation for 'Authentication' in Danish (#24645) 2026-05-14 02:36:43 +09:00
Timothy Jaeryang Baek
7dcd932ad7 refac 2026-05-14 02:34:19 +09:00
Daniel Nylander
be301c1c27 i18n: Update Swedish (sv-SE) translation — merge with latest dev (#24665)
Co-authored-by: Daniel Nylander <daniel@danielnylander.se>
2026-05-14 02:30:10 +09:00
Taey
5ab32a5086 fix: German i18n translations (#24668) 2026-05-14 02:29:33 +09:00
Timothy Jaeryang Baek
42c86e7283 refac 2026-05-14 02:25:16 +09:00
Timothy Jaeryang Baek
74f95a9b0d refac 2026-05-14 02:08:35 +09:00
Timothy Jaeryang Baek
0b81520e07 refac 2026-05-14 02:08:01 +09:00
Timothy Jaeryang Baek
4e78b355ef refac 2026-05-14 02:00:23 +09:00
Timothy Jaeryang Baek
d74ee34d91 refac 2026-05-14 01:49:34 +09:00
Timothy Jaeryang Baek
3127f1b462 refac 2026-05-14 01:43:33 +09:00
Timothy Jaeryang Baek
ab0ee858b7 refac 2026-05-14 00:07:55 +09:00
Timothy Jaeryang Baek
32a417bbf6 refac 2026-05-13 22:52:09 +09:00