[PR #15746] [CLOSED] feat: Add admin workspace privacy control with ENABLE_ADMIN_USER_WORKSPACE_ACCESS environment variable #10731

opened 2025-11-11 19:12:18 -06:00 by GiteaMirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/open-webui/open-webui/pull/15746
Author: @Classic298
Created: 7/15/2025
Status: Closed

Base: dev ← Head: RESPECT_USER_WORKSPACE_PRIVACY


📝 Commits (9)

  • 0d46efa Admin workspace access private items (#14)
  • 0a75eb7 Update config.py
  • 33ba367 Update knowledge.py
  • 5895107 Update models.py
  • ffc14bb Update prompts.py
  • 724e97f Update tools.py
  • 2aba33b Merge branch 'open-webui:main' into RESPECT_USER_WORKSPACE_PRIVACY
  • 5fbfe2b Merge pull request #15879 from open-webui/dev
  • 47844f7 Merge branch 'open-webui:main' into RESPECT_USER_WORKSPACE_PRIVACY

📊 Changes

5 files changed (+35 additions, -15 deletions)


📝 backend/open_webui/config.py (+6 -0)
📝 backend/open_webui/routers/knowledge.py (+3 -3)
📝 backend/open_webui/routers/models.py (+2 -2)
📝 backend/open_webui/routers/prompts.py (+3 -2)
📝 backend/open_webui/routers/tools.py (+21 -8)

📄 Description

Pull Request Description

This pull request introduces a new environment variable ENABLE_ADMIN_USER_WORKSPACE_ACCESS that allows administrators to control admin workspace access privileges. When disabled, administrators are treated exactly like regular users and only see workspace items (knowledge bases, models, prompts, and tools) that they have explicit access to through the existing access control system.

Key Features:

  • New ENABLE_ADMIN_USER_WORKSPACE_ACCESS environment variable (defaults to True for backward compatibility)
  • When disabled, admins use the same access control logic as regular users
  • Affects all workspace sections: Knowledge, Models, Prompts, and Tools
  • Leverages existing user permission functions instead of creating new logic

Use Cases:

  • Multi-tenant environments where admins should not automatically access all user content
  • Organizations requiring explicit permission grants, even for administrators
  • Compliance scenarios where data access must be explicitly controlled

How it works:
Instead of admins seeing everything by default, they now follow the same permission rules as regular users. If an admin needs access to a user's private content, that user must explicitly share it with the admin or add the admin to a group with appropriate permissions - just like sharing between any other users.

Checklist Status

  • Target branch: Targeting dev branch
  • Description: Concise description provided above
  • Changelog: Added below following Keep a Changelog format
  • Documentation: Docs PR: https://github.com/open-webui/docs/pull/625
  • Dependencies: No new dependencies added
  • Testing: Manual testing performed - admin privacy filtering works correctly in all workspace sections
  • Code review: Self-reviewed, follows existing code patterns and standards
  • Prefix: Using feat: prefix for new feature

Changelog Entry

Description

Added ENABLE_ADMIN_USER_WORKSPACE_ACCESS environment variable to enable admin workspace access control. When disabled, administrators follow the same access control rules as regular users for workspace items, requiring explicit permission grants to access user content.

Addresses

Addresses these issues/discussions:

https://github.com/open-webui/open-webui/pull/14288

https://github.com/open-webui/open-webui/discussions/14968

https://github.com/open-webui/open-webui/discussions/14083

These can be closed if this is merged.

Related Docs PR

https://github.com/open-webui/docs/pull/625

Added

  • New ENABLE_ADMIN_USER_WORKSPACE_ACCESS environment variable (defaults to True)
  • Admin access control for workspace sections (Knowledge, Models, Prompts, Tools)
  • Automatic fallback to existing user-based access control when admin access is disabled

Changed

  • Admin access logic in knowledge, models, prompts, and tools routers
  • Conditional routing based on admin access setting - admins use regular user access paths when admin access is disabled

Deprecated

  • None

Removed

  • None

Fixed

  • None

Security

  • Enhanced data separation capabilities for multi-tenant deployments
  • Prevents administrators from accessing private user content unless explicitly granted access

Breaking Changes

  • None - feature maintains admin access by default and maintains full backward compatibility

Additional Information

Environment Variable Details:

# Enable admin workspace access (default: true)
ENABLE_ADMIN_USER_WORKSPACE_ACCESS=true # or false
# When set to false, admins get the same viewing rights as normal users

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
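The gating described under "How it works", modelled as an added example that is not code from this PR or from Open WebUI: the admin bypass applies only while the flag is enabled, otherwise an admin goes through the same owner/share/group check as any other user. The `User`, `Item`, `has_read_access` and `visible_items` names, the simplified sharing model and the flag parsing are assumptions made for illustration; only the variable name and its default of `True` come from the description.

```python
from dataclasses import dataclass, field

FLAG = "ENABLE_ADMIN_USER_WORKSPACE_ACCESS"  # name taken from the PR description


def admin_workspace_access_enabled(env):
    # Unset keeps the legacy bypass (the PR states the default is True).
    # Assumed parsing: anything other than "true" (case-insensitive) disables it.
    return env.get(FLAG, "true").strip().lower() == "true"


@dataclass
class User:  # hypothetical model, not the project's class
    id: str
    role: str
    groups: set = field(default_factory=set)


@dataclass
class Item:  # hypothetical workspace item (knowledge, model, prompt or tool)
    id: str
    owner_id: str
    read_users: set = field(default_factory=set)
    read_groups: set = field(default_factory=set)


def has_read_access(user, item):
    # The rule regular users already follow: owner, direct share, or shared group.
    return (item.owner_id == user.id
            or user.id in item.read_users
            or bool(user.groups & item.read_groups))


def visible_items(user, items, env):
    # The admin role alone grants nothing once the flag is off.
    if user.role == "admin" and admin_workspace_access_enabled(env):
        return [i.id for i in items]
    return [i.id for i in items if has_read_access(user, i)]


# Constructed sample data
ADMIN = User("admin1", "admin", {"ops"})
ALICE = User("alice", "user")
ITEMS = [
    Item("kb-private", "alice"),
    Item("prompt-shared", "alice", read_users={"admin1"}),
    Item("tool-ops", "bob", read_groups={"ops"}),
    Item("model-admin", "admin1"),
]

if __name__ == "__main__":
    for env in ({}, {FLAG: "false"}):
        print(env, visible_items(ADMIN, ITEMS, env))
```

With the flag off, the admin loses `kb-private` but keeps the items shared with them directly or through the `ops` group, which is the behaviour a deployment test for this setting should assert in each of the four workspace sections.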

GiteaMirror added the pull-request label 2025-11-11 19:12:18 -06:00

Reference: github-starred/open-webui#10731