[GH-ISSUE #14906] issue: Non-Admin Users with Notes Permission Face 403 Errors in v0.6.14 #17400

Closed
opened 2026-04-19 23:08:37 -05:00 by GiteaMirror · 1 comment

Originally created by @snowboarder04 on GitHub (Jun 11, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/14906

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.14

Ollama Version (if applicable)

No response

Operating System

docker image

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Non-admin users with Notes permission enabled should be able to create, access, and delete notes without 403 errors or red UI pop-ups.

Actual Behavior

  • Non-admin users:
    • POST /api/v1/notes/create succeeds (200), but UI shows error pop-up.
    • GET /api/v1/notes/<note_id> and DELETE /api/v1/notes/<note_id>/delete return 403, causing redirects or persistent notes.
  • Admin users: All actions return 200, functioning correctly.

Steps to Reproduce

  1. Log in as admin at $URL/admin/users/groups.
  2. Create/edit a user group, enable Notes under Features Permissions.
  3. Assign a non-admin user to this group.
  4. Log in as the non-admin user.
  5. Navigate to Notes > New Note:
    • Note creation appears to fail with a red "Something went wrong :/" pop-up but succeeds after a full-page refresh.
  6. Attempt to open the created note:
    • Redirects to home/new-chat page with a brief error pop-up.
  7. Attempt to delete the note:
    • Fails with the same error pop-up; note persists after refresh.
  8. As admin, change the user’s role to Admin at $URL/admin/users/overview > User Pencil icon > Role.
  9. Log in as the user (now admin) and repeat steps 5-7:
    • All note actions (create, open, delete) work as expected.
  10. Revert user to non-admin; issues reappear.

Logs & Screenshots

Context: The logs capture HTTP requests related to the Notes feature in openwebui:main (v0.6.14). They show a non-admin user attempting to create, access, and delete a note, resulting in HTTP 403 (Forbidden) errors for access and deletion, despite successful creation. An admin user’s actions on a different note succeed, indicating a permissions issue for non-admin users.

2025-06-11 18:25:20.699 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "POST /api/v1/notes/create HTTP/1.1" 200 - {}
2025-06-11 18:25:21.446 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "GET /api/v1/notes/[REDACTED_NON_ADMIN_NOTE_ID] HTTP/1.1" 403 - {}
2025-06-11 18:26:48.397 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "DELETE /api/v1/notes/[REDACTED_NON_ADMIN_NOTE_ID]/delete HTTP/1.1" 403 - {}
2025-06-11 18:36:17.183 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "POST /api/v1/notes/create HTTP/1.1" 200 - {}
2025-06-11 18:36:17.409 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "GET /api/v1/notes/[REDACTED_ADMIN_NOTE_ID] HTTP/1.1" 200 - {}
2025-06-11 18:36:28.151 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "DELETE /api/v1/notes/[REDACTED_ADMIN_NOTE_ID]/delete HTTP/1.1" 200 - {}

Explanation of Circumstances:

  • Non-Admin User Actions: The logs show a non-admin user creating a note (HTTP 200), but attempts to access (GET) or delete (DELETE) it result in 403 errors, indicating a permissions issue despite the Notes feature being enabled for their group.
  • Admin User Actions: An admin user creates, accesses, and deletes a different note, all returning HTTP 200, confirming the feature works for admins.
  • Anonymization: IP addresses and note IDs are redacted to protect privacy while preserving the log structure and error context.

Additional Information

  • Admin role bypasses the issue, confirming a permissions-related bug.
  • No explicit "Notes Access" permission in docs (https://docs.openwebui.com/features/workspace/permissions/).
  • Issue persists after toggling Notes permission in group settings.
  • No matching GitHub issues found for this specific problem in v0.6.14.
GiteaMirror added the bug label 2026-04-19 23:08:37 -05:00
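
A triage sketch for the access log quoted in the issue, added here as an example and not taken from Open WebUI or from the reporter: it collapses note IDs into a route template and lists the endpoints that returned both a 2xx and a 403 in the same capture, which is the role-dependent split the report describes. The function names `route_template`, `parse` and `authz_split` are illustrative assumptions; the log lines are the ones from the issue.

```python
import re
from collections import defaultdict

# Access-log lines copied from the issue above (IPs and note IDs were redacted there).
SAMPLE_LOG = """\
2025-06-11 18:25:20.699 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "POST /api/v1/notes/create HTTP/1.1" 200 - {}
2025-06-11 18:25:21.446 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "GET /api/v1/notes/[REDACTED_NON_ADMIN_NOTE_ID] HTTP/1.1" 403 - {}
2025-06-11 18:26:48.397 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "DELETE /api/v1/notes/[REDACTED_NON_ADMIN_NOTE_ID]/delete HTTP/1.1" 403 - {}
2025-06-11 18:36:17.183 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "POST /api/v1/notes/create HTTP/1.1" 200 - {}
2025-06-11 18:36:17.409 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "GET /api/v1/notes/[REDACTED_ADMIN_NOTE_ID] HTTP/1.1" 200 - {}
2025-06-11 18:36:28.151 | INFO     | uvicorn.protocols.http.httptools_impl:send:476 - [REDACTED_IP]:0 - "DELETE /api/v1/notes/[REDACTED_ADMIN_NOTE_ID]/delete HTTP/1.1" 200 - {}
"""

# Timestamp | level | logger - client - "METHOD path HTTP/x" status
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) \| \w+\s*\| .*? - '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})\b'
)
NOTE_RE = re.compile(r"/api/v1/notes/([^/]+)(/delete)?")


def route_template(path):
    """Replace a concrete note ID with <note_id> so requests group by endpoint."""
    path = path.split("?", 1)[0]
    m = NOTE_RE.fullmatch(path)
    if m and m.group(1) != "create":
        return "/api/v1/notes/<note_id>" + (m.group(2) or "")
    return path


def parse(log):
    """Return (timestamp, method, route, status) for every access-log line."""
    rows = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["ts"], m["method"], route_template(m["path"]), int(m["status"])))
    return rows


def authz_split(log):
    """Endpoints that answered both 2xx and 403: allowed for some callers, denied for others."""
    seen = defaultdict(set)
    for _, method, route, status in parse(log):
        seen[(method, route)].add(status)
    return sorted(k for k, s in seen.items() if 403 in s and any(200 <= c < 300 for c in s))


if __name__ == "__main__":
    for method, route in authz_split(SAMPLE_LOG):
        print(f"{method} {route}: mixed 2xx/403 responses")
```
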

@ZaibanAli commented on GitHub (Jun 11, 2025):

https://github.com/open-webui/open-webui/issues/14894
