github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-09 05:19:20 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #19914] issue: User with channel permission can fetch channels even when channels are disabled globally #19038

New Issue
Closed
opened 2026-04-20 01:21:12 -05:00 by GiteaMirror · 3 comments
GiteaMirror commented 2026-04-20 01:21:12 -05:00
Owner
Copy Link

Originally created by @rozatoo on GitHub (Dec 12, 2025).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/19914

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

v0.6.41

Ollama Version (if applicable)

No response

Operating System

WSL

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When channels are disabled globally users should not be able to fetch channels, no matter what channel permissions they have.

Actual Behavior

Users with channel permissions are always able to fetch channels, regardless of global channel config.

Steps to Reproduce

  1. Start a new Open WebUI instance. (default configs, dev or main)
  2. Create a public test channel
  3. Enable Channels in the default permissions.
  4. Disable Channels globally in Settings > General > Channels (Beta)
  5. Create a user with the "user" role.
  6. Log in as that user.
  7. Open the browser DevTools and filter by "channels" on Network tab

Logs & Screenshots

User has no channels permissions(as seen in sidebar) but Devtools shows channels being returned:

Image

Additional Information

No response

Originally created by @rozatoo on GitHub (Dec 12, 2025). Original GitHub issue: https://github.com/open-webui/open-webui/issues/19914 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Git Clone ### Open WebUI Version v0.6.41 ### Ollama Version (if applicable) _No response_ ### Operating System WSL ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior When channels are disabled globally users should not be able to fetch channels, no matter what channel permissions they have. ### Actual Behavior Users with channel permissions are always able to fetch channels, regardless of global channel config. ### Steps to Reproduce 1. Start a new Open WebUI instance. (default configs, dev or main) 2. Create a public test channel 3. Enable Channels in the default permissions. 4. Disable Channels globally in Settings > General > Channels (Beta) 5. Create a user with the "user" role. 6. Log in as that user. 7. Open the browser DevTools and filter by "channels" on Network tab ### Logs & Screenshots User has no channels permissions(as seen in sidebar) but Devtools shows channels being returned: <img width="940" height="575" alt="Image" src="https://github.com/user-attachments/assets/a32abf7a-0999-4a79-9e2a-b4f9e937588e" /> ### Additional Information _No response_
GiteaMirror added the confirmed issuebug labels 2026-04-20 01:21:13 -05:00
GiteaMirror commented 2026-04-20 01:21:16 -05:00
Author
Owner
Copy Link

@owui-terminator[bot] commented on GitHub (Dec 12, 2025):

🔍 Similar Issues Found

I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions:

  1. #19913 issue: Frontend doesn't validate permissions before fetching channels
    by rozatoo • Dec 12, 2025 • bug

  2. #19758 issue: unable to disable channels creation from regular users
    by stronk7 • Dec 04, 2025 • bug

  3. #19877 issue:
    by dotmobo • Dec 11, 2025 • bug

  4. #19861 issue:
    by QuitHub • Dec 10, 2025 • bug

  5. #19864 issue:
    by Haervwe • Dec 10, 2025 • bug

Show 5 more related issues

  1. #19777 issue:
    by Yaute7 • Dec 05, 2025 • bug

  2. #19588 issue: Model group permissions
    by apunkt • Nov 29, 2025 • bug

  3. #19103 issue: no response from the model when ask in "channels"
    by silenceroom • Nov 11, 2025 • bug

  4. #19563 issue:
    by naruto7g • Nov 28, 2025 • bug

  5. #19211 issue:
    by Byrnes9 • Nov 16, 2025 • bug

💡 Tips:

  • If this is a duplicate, please consider closing this issue and adding any additional details to the existing one
  • If you found a solution in any of these issues, please share it here to help others

This comment was generated automatically by a bot. Please react with a 👍 if this comment was helpful, or a 👎 if it was not.

<!-- gh-comment-id:3646863431 --> @owui-terminator[bot] commented on GitHub (Dec 12, 2025): 🔍 **Similar Issues Found** I found some existing issues that might be related to this one. Please check if any of these are duplicates or contain helpful solutions: 1. [#19913](https://github.com/open-webui/open-webui/issues/19913) **issue: Frontend doesn't validate permissions before fetching channels** *by rozatoo • Dec 12, 2025 • `bug`* 2. [#19758](https://github.com/open-webui/open-webui/issues/19758) **issue: unable to disable channels creation from regular users** *by stronk7 • Dec 04, 2025 • `bug`* 3. [#19877](https://github.com/open-webui/open-webui/issues/19877) **issue:** *by dotmobo • Dec 11, 2025 • `bug`* 4. [#19861](https://github.com/open-webui/open-webui/issues/19861) **issue:** *by QuitHub • Dec 10, 2025 • `bug`* 5. [#19864](https://github.com/open-webui/open-webui/issues/19864) **issue:** *by Haervwe • Dec 10, 2025 • `bug`* <details> <summary>Show 5 more related issues</summary> 6. [#19777](https://github.com/open-webui/open-webui/issues/19777) **issue:** *by Yaute7 • Dec 05, 2025 • `bug`* 7. [#19588](https://github.com/open-webui/open-webui/issues/19588) **issue: Model group permissions** *by apunkt • Nov 29, 2025 • `bug`* 8. [#19103](https://github.com/open-webui/open-webui/issues/19103) **issue: no response from the model when ask in "channels"** *by silenceroom • Nov 11, 2025 • `bug`* 9. [#19563](https://github.com/open-webui/open-webui/issues/19563) **issue:** *by naruto7g • Nov 28, 2025 • `bug`* 10. [#19211](https://github.com/open-webui/open-webui/issues/19211) **issue:** *by Byrnes9 • Nov 16, 2025 • `bug`* </details> --- 💡 **Tips:** - If this is a duplicate, please consider closing this issue and adding any additional details to the existing one - If you found a solution in any of these issues, please share it here to help others *This comment was generated automatically by a bot.* Please react with a 👍 if this comment was helpful, or a 👎 if it was not.
GiteaMirror commented 2026-04-20 01:21:17 -05:00
Author
Owner
Copy Link

@silentoplayz commented on GitHub (Dec 12, 2025):

I am able to confirm this issue with the provided reproduction steps on the latest dev branch. I've also noticed the user can still view channels and even send messages successfully in channels, as long as they know the URL to said channel(s). It's essentially like the global toggle is currently only hiding (not disabling) channels from users' chats sidebar. Users can still view channels and send messages in channels and DMs, and so can admins once they click on the notification they get on their end when a user sends a message in a channel they technically shouldn't have access to anymore.

Network requests filtered by Channels in Firefox's dev console also reveals a successful GET request made to the /api/v1/channels/ endpoint from the user account.
Image

<!-- gh-comment-id:3648208718 --> @silentoplayz commented on GitHub (Dec 12, 2025): I am able to confirm this issue with the provided reproduction steps on the latest `dev` branch. I've also noticed the user can still view channels and even send messages successfully in channels, as long as they know the URL to said channel(s). It's essentially like the global toggle is currently only hiding (not disabling) channels from users' chats sidebar. Users can still view channels and send messages in channels and DMs, and so can admins once they click on the notification they get on their end when a user sends a message in a channel they technically shouldn't have access to anymore. Network requests filtered by `Channels` in Firefox's dev console also reveals a successful `GET` request made to the `/api/v1/channels/` endpoint from the user account. <img width="2558" height="1270" alt="Image" src="https://github.com/user-attachments/assets/d7322d7f-92fe-42c9-8abe-365a465434d3" />
GiteaMirror commented 2026-04-20 01:21:19 -05:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Dec 20, 2025):

fixed in dev

<!-- gh-comment-id:3677817058 --> @Classic298 commented on GitHub (Dec 20, 2025): fixed in dev
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug confirmed issue
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#19038
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?