[GH-ISSUE #6052] [API] /user/{user_id}/update permission problem #14222

Closed
opened 2026-04-19 20:39:24 -05:00 by GiteaMirror · 0 comments

Originally created by @fraciscoestar on GitHub (Oct 9, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/6052

Feature Request

Is your feature request related to a problem? Please describe.
I am using the Open WebUI API to provide a client for a VSCode extension. I was trying to let the user change its avatar from here but I have encountered a problem. The user doesn't have permission to update itself.

Describe the solution you'd like
Any user should have permission to update itself in [POST] /users/{user_id}/update. Any user may only be capable of updating itself and not any other user unless the user role is admin.

Describe alternatives you've considered
Another solution for my problem may be to store an admin API key in the client but that may be a high security risk.

Additional context
The API requests use the JWT session token of the users.
Request to change icon:

```
curl -X 'POST' \
  'http://127.0.0.1:8080/api/v1/users/USER_ID/update' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer JWT_TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "test",
  "email": "test@test.test",
  "profile_image_url": "IMAGE_BASE64"
}'
```

Response:

```
{
  "detail": "You do not have permission to access this resource. Please contact your administrator for assistance."
}
```
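
The rule requested above (a user may update only itself unless its role is admin), as an added sketch that is not part of the original issue and is not Open WebUI's code. `Caller`, `Forbidden`, `authorize_user_update`, the role value `"user"` and the field allowlist (taken from the request body shown above) are assumptions of this example.

```python
from dataclasses import dataclass

# Assumption: the three fields in the issue's request body are the only ones
# a non-admin may change on its own record.
SELF_EDITABLE_FIELDS = frozenset({"name", "email", "profile_image_url"})


class Forbidden(Exception):
    """Would map to an HTTP 403 response in a real handler."""


@dataclass(frozen=True)
class Caller:
    # Both values must come from the verified JWT, never from the request body.
    id: str
    role: str  # "admin" is named in the issue; "user" is an assumed value


def authorize_user_update(caller: Caller, target_user_id: str, payload: dict) -> dict:
    """Return the fields the caller may write to target_user_id, or raise Forbidden."""
    if caller.role == "admin":
        # Admins may update any user, as the issue describes.
        return dict(payload)
    if caller.id != target_user_id:
        # Object-level check: a non-admin may only touch its own record.
        raise Forbidden("cannot update another user")
    extra = set(payload) - SELF_EDITABLE_FIELDS
    if extra:
        # Reject instead of silently dropping, so a self-update can never
        # carry a privileged field such as a role change.
        raise Forbidden(f"fields not self-editable: {sorted(extra)}")
    return dict(payload)


if __name__ == "__main__":
    # Constructed sample data mirroring the request in the issue.
    alice = Caller(id="u1", role="user")
    body = {"name": "test", "email": "test@test.test", "profile_image_url": "IMAGE_BASE64"}
    print(authorize_user_update(alice, "u1", body))  # allowed: own record
    for target, data in (("u2", body), ("u1", {"role": "admin"})):
        try:
            authorize_user_update(alice, target, data)
        except Forbidden as exc:
            print("403:", exc)
```
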
Reference: github-starred/open-webui#14222