github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #14507] feat: Between private and public. #17281

New Issue
Closed
opened 2026-04-19 22:59:50 -05:00 by GiteaMirror · 0 comments
GiteaMirror commented 2026-04-19 22:59:50 -05:00
Owner
Copy Link

Originally created by @kfsone on GitHub (May 29, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/14507

Check Existing Issues

  • I have searched the existing issues and discussions.

Problem Description

This is not privacy bypass or default public: I want group-based restriction but in a secure way. I'm filing this as a bug because the current approach does not follow best practices, and is unwieldy. For contrast, imagine if every time you created a new directory you had to assign it a group, and if you didn't, you would have to open settings/control panel to configure finder/explorer to allow you to see it?

Image

This is especially tedious in small scenarios (a self-contained docker container that only hosts one image at a time, but you always have to use two UIs to make it usable) and large or dynamic installations.

Desired Solution you'd like

Approach 1: Discriminate between admin and user roles:

  • Admin accounts see ALL models in model drop-downs.
    -- add a separator line at the bottom of the list, followed by unusable models,
    -- grey-out/disable models the admin can't "use",
    -- italicize private models with no group/user,
  • Admin account sees a widget to the right of each model that opens the model settings,

Approach 2: "Unassigned" Group

  • A group, default membership = admins, to which all models are assigned by default,

Approach 3: Endpoint <-> group associations

  • Allow (and emphasize) group<->tag association, so that tagging a connection ("#admins") would automatically add its models to that group or,
  • Provide a per-connection endpoint that sets a single default group, models are still private but visible to that group,

Approach 4: #@trust tag

  • Allow automatic publicity of models on a connection by assigning it the "#@trust" tag,

Alternatives Considered

No response

Additional Context

No response

Originally created by @kfsone on GitHub (May 29, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/14507 ### Check Existing Issues - [x] I have searched the existing issues and discussions. ### Problem Description This is not privacy bypass or default public: I *want* group-based restriction but in a secure way. I'm filing this as a bug because the current approach does not follow best practices, and is unwieldy. For contrast, imagine if every time you created a new directory you *had* to assign it a group, and if you didn't, you would have to open settings/control panel to configure finder/explorer to allow you to see it? ![Image](https://github.com/user-attachments/assets/d1682d5e-3c46-49f8-81b1-5f1d15585548) This is especially tedious in small scenarios (a self-contained docker container that only hosts one image at a time, but you always have to use *two* UIs to make it usable) and large or dynamic installations. ### Desired Solution you'd like Approach 1: Discriminate between admin and user roles: - Admin accounts see ALL models in model drop-downs. -- add a separator line at the bottom of the list, followed by unusable models, -- grey-out/disable models the admin can't "use", -- italicize private models with no group/user, - Admin account sees a widget to the right of each model that opens the model settings, Approach 2: "Unassigned" Group - A group, default membership = admins, to which all models are assigned by default, Approach 3: Endpoint <-> group associations - Allow (and emphasize) group<->tag association, so that tagging a connection ("#admins") would automatically add its models to that group or, - Provide a per-connection endpoint that sets a single default group, models are still private but visible to that group, Approach 4: #@trust tag - Allow automatic publicity of models on a connection by assigning it the "#@trust" tag, ### Alternatives Considered _No response_ ### Additional Context _No response_
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#17281
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?