github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-06 10:58:17 -05:00
Code Issues 1.2k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #21418] issue: Task model selector rejects all models — legacy access_control check not updated for access_grants (v0.8.1) #35002

New Issue
Closed
opened 2026-04-25 09:12:48 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-25 09:12:48 -05:00
Owner
Copy Link

Originally created by @ahgray on GitHub (Feb 14, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/21418

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

v0.8.1

Ollama Version (if applicable)

n/a

Operating System

Ubuntu 22.04 Docker

Browser (if applicable)

Chrome/Firefox

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When an admin selects any model in the Local Task Model or External Task Model dropdowns under Admin Panel → Settings → Interface, the model should be accepted and saved as the task model.

Actual Behavior

Selecting any model (including models confirmed to be public) displays the error toast:

"This model is not publicly available. Please select another model."

The model selection still binds (it doesn't clear), and saving via the API works correctly — only the UI validation is broken.

Steps to Reproduce

Log in as an admin user.
Navigate to Admin Panel → Settings → Interface.
In the Local Task Model dropdown, select any model — including one confirmed as public.
Observe the error toast: "This model is not publicly available. Please select another model."
Repeat with the External Task Model dropdown — same result.

Logs & Screenshots

Error doesn't appear to produce logs or web console output.

Additional Information

Root Cause
PR #21277 replaced the access_control JSON column with the new access_grant table and access_grants array in API responses. However, the task model selector in Interface.svelte was not updated and still checks the old property:
src/lib/components/admin/Settings/Interface.svelte lines 155 and 190:
javascriptif (model?.access_control !== null) {
toast.error($i18n.t('This model is not publicly available. Please select another model.'));
}
Since access_control no longer exists in the model API response, model.access_control is always undefined. In JavaScript, undefined !== null evaluates to true, so every model fails this check — the validation is effectively dead code that blocks all task model selection.
The rest of the codebase already uses the new access_grants pattern. For example, AccessControl.svelte (line 155) and Navbar.svelte (line 29) both define a hasPublicReadGrant helper:
javascriptconst hasPublicReadGrant = (grants) =>
grants.some(
(grant) => grant.principal_type === 'user' && grant.principal_id === '*' && grant.permission === 'read'
);

Workaround
Set the task model via the API directly, bypassing the broken UI validation:
bash# Read current config, set TASK_MODEL, write it back
curl -s http://:3000/api/v1/tasks/config
-H "Authorization: Bearer <API_KEY>" |
python3 -c "import sys, json; c=json.load(sys.stdin); c['TASK_MODEL']=''; print(json.dumps(c))" |
curl -s http://:3000/api/v1/tasks/config/update
-H "Authorization: Bearer <API_KEY>"
-H "Content-Type: application/json" -d @-
Suggested Fix
Replace the legacy access_control checks at lines 155 and 190 with the access_grants pattern used elsewhere in the codebase:
javascript// Before (lines 155 and 190):
if (model?.access_control !== null) {

// After:
if (!model?.access_grants?.some(g => g.principal_type === 'user' && g.principal_id === '*' && g.permission === 'read')) {
Alternatively, consider whether this client-side check is needed at all — task models execute server-side and arguably don't require public access (see also #14172). Removing the check entirely would also resolve the issue and simplify the admin experience.
Related Issues

#21377 — [object Object] error on model access control (partially fixed by commit f027a01, which addressed the 404/error display but not this task model selector issue)
#14172 — Feature request: eliminate public requirement for task models
#21277 — PR that introduced the access control refactor

Originally created by @ahgray on GitHub (Feb 14, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/21418 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version v0.8.1 ### Ollama Version (if applicable) n/a ### Operating System Ubuntu 22.04 Docker ### Browser (if applicable) Chrome/Firefox ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior When an admin selects any model in the Local Task Model or External Task Model dropdowns under Admin Panel → Settings → Interface, the model should be accepted and saved as the task model. ### Actual Behavior Selecting any model (including models confirmed to be public) displays the error toast: "This model is not publicly available. Please select another model." The model selection still binds (it doesn't clear), and saving via the API works correctly — only the UI validation is broken. ### Steps to Reproduce Log in as an admin user. Navigate to Admin Panel → Settings → Interface. In the Local Task Model dropdown, select any model — including one confirmed as public. Observe the error toast: "This model is not publicly available. Please select another model." Repeat with the External Task Model dropdown — same result. ### Logs & Screenshots Error doesn't appear to produce logs or web console output. ### Additional Information Root Cause PR #21277 replaced the access_control JSON column with the new access_grant table and access_grants array in API responses. However, the task model selector in Interface.svelte was not updated and still checks the old property: src/lib/components/admin/Settings/Interface.svelte lines 155 and 190: javascriptif (model?.access_control !== null) { toast.error($i18n.t('This model is not publicly available. Please select another model.')); } Since access_control no longer exists in the model API response, model.access_control is always undefined. In JavaScript, undefined !== null evaluates to true, so every model fails this check — the validation is effectively dead code that blocks all task model selection. The rest of the codebase already uses the new access_grants pattern. For example, AccessControl.svelte (line 155) and Navbar.svelte (line 29) both define a hasPublicReadGrant helper: javascriptconst hasPublicReadGrant = (grants) => grants.some( (grant) => grant.principal_type === 'user' && grant.principal_id === '*' && grant.permission === 'read' ); Workaround Set the task model via the API directly, bypassing the broken UI validation: bash# Read current config, set TASK_MODEL, write it back curl -s http://<host>:3000/api/v1/tasks/config \ -H "Authorization: Bearer <API_KEY>" | \ python3 -c "import sys, json; c=json.load(sys.stdin); c['TASK_MODEL']='<model-id>'; print(json.dumps(c))" | \ curl -s http://<host>:3000/api/v1/tasks/config/update \ -H "Authorization: Bearer <API_KEY>" \ -H "Content-Type: application/json" -d @- Suggested Fix Replace the legacy access_control checks at lines 155 and 190 with the access_grants pattern used elsewhere in the codebase: javascript// Before (lines 155 and 190): if (model?.access_control !== null) { // After: if (!model?.access_grants?.some(g => g.principal_type === 'user' && g.principal_id === '*' && g.permission === 'read')) { Alternatively, consider whether this client-side check is needed at all — task models execute server-side and arguably don't require public access (see also #14172). Removing the check entirely would also resolve the issue and simplify the admin experience. Related Issues #21377 — [object Object] error on model access control (partially fixed by commit f027a01, which addressed the 404/error display but not this task model selector issue) #14172 — Feature request: eliminate public requirement for task models #21277 — PR that introduced the access control refactor
GiteaMirror added the bug label 2026-04-25 09:12:48 -05:00
GiteaMirror commented 2026-04-25 09:12:50 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Feb 15, 2026):

Should be fixed in dev!

<!-- gh-comment-id:3903280826 --> @tjbck commented on GitHub (Feb 15, 2026): Should be fixed in dev!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#35002
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?