github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-08 04:16:03 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #23546] issue: permission checking is done wrong for cloned models #35540

New Issue
Closed
opened 2026-04-25 09:44:38 -05:00 by GiteaMirror · 4 comments
GiteaMirror commented 2026-04-25 09:44:38 -05:00
Owner
Copy Link

Originally created by @moritzderallerechte on GitHub (Apr 9, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/23546

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone

Open WebUI Version

v0.8.12

Ollama Version (if applicable)

No response

Operating System

Ubuntu

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When the underlying model is set to private (non-admins have no access to it), but the cloned model is public, then the subsequent calls to the model after a tool call seem to be blocked.
So this is not (really) a misconfiguration but a bug in Open-WebUI.

Actual Behavior

If the user has access to the cloned model and can talk to it, then the access restrictions of the underlying model should not make tool calling break.

Steps to Reproduce

clone a model and give the cloned model more restrictions

Logs & Screenshots

This issue was closed even though it described a bug and not a misconfiguration.

The real cause of this issues is described here
The issue was not opened back up again, so I am creating this ticket for it to be fixed, if that hasnt already happened

Additional Information

No response

Originally created by @moritzderallerechte on GitHub (Apr 9, 2026). Original GitHub issue: https://github.com/open-webui/open-webui/issues/23546 ### Check Existing Issues - [x] I have searched for any existing and/or related issues. - [x] I have searched for any existing and/or related discussions. - [x] I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!). - [x] I am using the latest version of Open WebUI. ### Installation Method Git Clone ### Open WebUI Version v0.8.12 ### Ollama Version (if applicable) _No response_ ### Operating System Ubuntu ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior When the underlying model is set to private (non-admins have no access to it), but the cloned model is public, then the subsequent calls to the model after a tool call seem to be blocked. So this is not (really) a misconfiguration but a bug in Open-WebUI. ### Actual Behavior If the user has access to the cloned model and can talk to it, then the access restrictions of the underlying model should not make tool calling break. ### Steps to Reproduce clone a model and give the cloned model more restrictions ### Logs & Screenshots [This issue ](https://github.com/open-webui/open-webui/issues/22851) was closed even though it described a bug and not a misconfiguration. The real cause of this issues is described [here](https://github.com/open-webui/open-webui/discussions/23038#discussioncomment-16392308) The issue was not opened back up again, so I am creating this ticket for it to be fixed, if that hasnt already happened ### Additional Information _No response_
GiteaMirror added the bug label 2026-04-25 09:44:38 -05:00
GiteaMirror commented 2026-04-25 09:44:40 -05:00
Author
Owner
Copy Link

@trevorhayes6561-maker commented on GitHub (Apr 9, 2026):

Thank you for opening this issue and providing the details regarding
permission checking for cloned models.

On Thu, Apr 9, 2026, 10:09 AM Moritz Terhechte @.***>
wrote:

moritzderallerechte created an issue (open-webui/open-webui#23546)
https://github.com/open-webui/open-webui/issues/23546
Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and
    found no related items (your issue might already be addressed on the
    development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Git Clone
Open WebUI Version

v0.8.12
Ollama Version (if applicable)

No response
Operating System

Ubuntu
Browser (if applicable)

No response
Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and
    environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting,
    environment variable, and command-line option that influences my setup
    (such as Docker Compose overrides, .env values, browser settings,
    authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are
    precise, sequential, and leave nothing to interpretation    . My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords
    if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

When the underlying model is set to private (non-admins have no access to
it), but the cloned model is public, then the subsequent calls to the model
after a tool call seem to be blocked.
So this is not (really) a misconfiguration but a bug in Open-WebUI.
Actual Behavior

If the user has access to the cloned model and can talk to it, then the
access restrictions of the underlying model should not make tool calling
break.
Steps to Reproduce

clone a model and give the cloned model more restrictions
Logs & Screenshots

This issue https://github.com/open-webui/open-webui/issues/22851 was
closed even though it described a bug and not a misconfiguration.

The real cause of this issues is described here
https://github.com/open-webui/open-webui/discussions/23038#discussioncomment-16392308
The issue was not opened back up again, so I am creating this ticket for
it to be fixed, if that hasnt already happened
Additional Information

No response


Reply to this email directly, view it on GitHub
https://github.com/open-webui/open-webui/issues/23546, or unsubscribe
https://github.com/notifications/unsubscribe-auth/B7HYZ6MDEUXMACNK4GPJUY34U6VH5AVCNFSM6AAAAACXSTOR36VHI2DSMVQWIX3LMV43ASLTON2WKOZUGIZTEOBSHE3TSMQ
.
You are receiving this because you are subscribed to this thread.Message
ID: @.***>

<!-- gh-comment-id:4215048097 --> @trevorhayes6561-maker commented on GitHub (Apr 9, 2026): Thank you for opening this issue and providing the details regarding permission checking for cloned models. On Thu, Apr 9, 2026, 10:09 AM Moritz Terhechte ***@***.***> wrote: > *moritzderallerechte* created an issue (open-webui/open-webui#23546) > <https://github.com/open-webui/open-webui/issues/23546> > Check Existing Issues > > - I have searched for any existing and/or related issues. > - I have searched for any existing and/or related discussions. > - I have also searched in the CLOSED issues AND CLOSED discussions and > found no related items (your issue might already be addressed on the > development branch!). > - I am using the latest version of Open WebUI. > > Installation Method > > Git Clone > Open WebUI Version > > v0.8.12 > Ollama Version (if applicable) > > *No response* > Operating System > > Ubuntu > Browser (if applicable) > > *No response* > Confirmation > > - I have read and followed all instructions in README.md. > - I am using the latest version of *both* Open WebUI and Ollama. > - I have included the browser console logs. > - I have included the Docker container logs. > - I have *provided every relevant configuration, setting, and > environment variable used in my setup.* > - I have clearly *listed every relevant configuration, custom setting, > environment variable, and command-line option that influences my setup* > (such as Docker Compose overrides, .env values, browser settings, > authentication configurations, etc). > - I have documented *step-by-step reproduction instructions that are > precise, sequential, and leave nothing to interpretation*. My steps: > - Start with the initial platform/version/OS and dependencies used, > - Specify exact install/launch/configure commands, > - List URLs visited, user input (incl. example values/emails/passwords > if needed), > - Describe all options and toggles enabled or changed, > - Include any files or environmental changes, > - Identify the expected and actual result at each stage, > - Ensure any reasonably skilled user can follow and hit the same issue. > > Expected Behavior > > When the underlying model is set to private (non-admins have no access to > it), but the cloned model is public, then the subsequent calls to the model > after a tool call seem to be blocked. > So this is not (really) a misconfiguration but a bug in Open-WebUI. > Actual Behavior > > If the user has access to the cloned model and can talk to it, then the > access restrictions of the underlying model should not make tool calling > break. > Steps to Reproduce > > clone a model and give the cloned model more restrictions > Logs & Screenshots > > This issue <https://github.com/open-webui/open-webui/issues/22851> was > closed even though it described a bug and not a misconfiguration. > > The real cause of this issues is described here > <https://github.com/open-webui/open-webui/discussions/23038#discussioncomment-16392308> > The issue was not opened back up again, so I am creating this ticket for > it to be fixed, if that hasnt already happened > Additional Information > > *No response* > > — > Reply to this email directly, view it on GitHub > <https://github.com/open-webui/open-webui/issues/23546>, or unsubscribe > <https://github.com/notifications/unsubscribe-auth/B7HYZ6MDEUXMACNK4GPJUY34U6VH5AVCNFSM6AAAAACXSTOR36VHI2DSMVQWIX3LMV43ASLTON2WKOZUGIZTEOBSHE3TSMQ> > . > You are receiving this because you are subscribed to this thread.Message > ID: ***@***.***> >
GiteaMirror commented 2026-04-25 09:44:40 -05:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Apr 9, 2026):

I am confused by the report

You say

When the underlying model is set to private (non-admins have no access to it), but the cloned model is public, then the subsequent calls to the model after a tool call seem to be blocked.

But then in your steps to reproduce you say

clone a model and give the cloned model more restrictions

This is contradicting.

  1. how could you give a cloned model more restrictions than private. Private is already the most restrictive that's possible
  2. who is cloning the model? In your scenario, either an admin or the user who created the model himself.
  3. what am i then supposed to try? Who is cloning it, after cloning what do i do - and then - what do i do after cloning? Does the user who cloned the model attempt to message the cloned model?
<!-- gh-comment-id:4215226940 --> @Classic298 commented on GitHub (Apr 9, 2026): I am confused by the report You say > When the underlying model is set to private (non-admins have no access to it), but the cloned model is public, then the subsequent calls to the model after a tool call seem to be blocked. But then in your steps to reproduce you say > clone a model and give the cloned model more restrictions This is contradicting. 1) how could you give a cloned model more restrictions than private. Private is already the most restrictive that's possible 2) who is cloning the model? In your scenario, either an admin or the user who created the model himself. 3) what am i then supposed to try? Who is cloning it, after cloning what do i do - and then - what do i do after cloning? Does the user who cloned the model attempt to message the cloned model?
GiteaMirror commented 2026-04-25 09:44:40 -05:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Apr 9, 2026):

@trevorhayes6561-maker please stop spamming meaningless comments on most of the new issues. This is not helpful

<!-- gh-comment-id:4215230107 --> @Classic298 commented on GitHub (Apr 9, 2026): @trevorhayes6561-maker please stop spamming meaningless comments on most of the new issues. This is not helpful
GiteaMirror commented 2026-04-25 09:44:41 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Apr 11, 2026):

Unable to reproduce.

<!-- gh-comment-id:4230213045 --> @tjbck commented on GitHub (Apr 11, 2026): Unable to reproduce.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#35540
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?