mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-11 10:34:13 -05:00
[PR #24525] [MERGED] fix: strip model params for read-only callers on per-id endpoint #131373
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
📋 Pull Request Information
Original PR: https://github.com/open-webui/open-webui/pull/24525
Author: @Classic298
Created: 5/9/2026
Status: ✅ Merged
Merged: 5/10/2026
Merged by: @tjbck
Base:
dev← Head:fix/models-per-id-strip-params-for-read-only📝 Commits (1)
1d8c16cfix: strip model params for read-only callers on per-id endpoint📊 Changes
1 file changed (+24 additions, -14 deletions)
View changed files
📝
backend/open_webui/routers/models.py(+24 -14)📄 Description
GET /api/v1/models/model?id=<model_id> at routers/models.py:412 returned the full model.model_dump() to any caller with read access, including the params dict that holds the admin-curated system prompt and other behavior config. The user-facing /api/models endpoint already strips this via utils/models.py:170,210 with the comment "Remove params to avoid exposing sensitive info", and /api/v1/models/list gates by write permission so non-curators don't see the model in their workspace listing at all. The per-id endpoint missed the same gate, so a user with read-only access (e.g. granted access to use the model in chat) could open /workspace/models/edit?id= in the browser and read the system prompt verbatim from the network response, even though saving was correctly blocked.
Compute write_access once at the top of the handler so it can serve both the response-shape decision and the response field. When the caller lacks write access, replace params with an empty dict in the serialised response. Owners, admins under BYPASS_ADMIN_ACCESS_CONTROL, and explicit write-grant holders still get the full payload so the workspace edit UI keeps working for users who legitimately curate the model.
Read-permission users continue to receive everything else they need to chat with the model — the chat path resolves prompt/params server-side from the stored ModelModel and never echoes them back through this endpoint.
Contributor License Agreement
🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.