[GH-ISSUE #24311] issue: Bug get_shared_chat_by_id uses get_chat_by_id(share_id) for admin, causing 401 Unauthorized #58926

Closed
opened 2026-05-06 00:28:56 -05:00 by GiteaMirror · 3 comments

Originally created by @Kyncc on GitHub (May 2, 2026).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/24311

Check Existing Issues

  • I have searched for any existing and/or related issues.
  • I have searched for any existing and/or related discussions.
  • I have also searched in the CLOSED issues AND CLOSED discussions and found no related items (your issue might already be addressed on the development branch!).
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.9.2

Ollama Version (if applicable)

No response

Operating System

macos

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Admin users should be able to access shared chat links just like non-admin users. When an admin clicks "Share" on a chat and then opens the share link (or refreshes the shared chat page), the shared chat content should be displayed successfully.

Actual Behavior

Admin users receive a 401 Unauthorized error when accessing shared chat links via GET /api/v1/chats/share/{share_id}. The browser Network tab shows:

GET /api/v1/chats/share/8c99ccca-83bd-4d8b-b54e-b09ca2c0671e 401 (Unauthorized)

Important: Non-admin users are NOT affected by this bug. They can access shared chat links normally.

Steps to Reproduce

  1. Start Open WebUI with default configuration (ENABLE_ADMIN_CHAT_ACCESS=true is the default).
  2. Log in as an admin user (role = admin).
  3. Create any chat conversation.
  4. Click the "Share" button in the chat toolbar.
  5. In the share dialog, click "Get shareable link" to generate the link.
  6. Copy the link and open it in a new tab, or simply refresh the shared chat page.
  7. Observe the 401 Unauthorized error in the browser's Network tab.

Logs & Screenshots

GET /api/v1/chats/share/8c99ccca-83bd-4d8b-b54e-b09ca2c0671e HTTP/1.1 401 Unauthorized

Additional Information

  1. Log out and log back in as a non-admin user (role = user).
  2. Repeat steps 3-6 with this non-admin user.
  3. The shared chat loads successfully (no 401 error).
GiteaMirror added the bug label 2026-05-06 00:28:57 -05:00

@MukundaKatta commented on GitHub (May 3, 2026):

The fix is simple but worth scanning the rest of the share-id endpoints for the same pattern. Admin paths often get the standard "by_id" helper plugged in by mistake when they should be hitting a "by_share_id" helper that doesn't enforce per-user ownership. Renaming the helpers to get_chat_by_owner_or_id vs get_chat_by_share_token would make the intent obvious at the call site and prevent future drift.
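
A minimal model of the lookup mismatch named in the issue title and discussed in the comment above, added here as an illustration; it is not Open WebUI's code and not the content of any fix commit. The in-memory `CHATS` table, the `share_id` field layout and the `role_matrix` helper are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass(frozen=True)
class Chat:
    id: str                   # primary key, private to the owner
    user_id: str
    share_id: Optional[str]   # public token, set only once the chat is shared

# Constructed sample data; the storage layout is an assumption of this example.
CHATS = [Chat("chat-1", "alice", "share-aaa"), Chat("chat-2", "bob", None)]

def get_chat_by_id(chat_id: str) -> Optional[Chat]:
    return next((c for c in CHATS if c.id == chat_id), None)

def get_chat_by_share_id(share_id: str) -> Optional[Chat]:
    return next((c for c in CHATS
                 if c.share_id is not None and c.share_id == share_id), None)

def shared_chat_buggy(share_id: str, role: str, admin_chat_access: bool = True) -> int:
    """Return the HTTP status the share route would produce (buggy admin branch)."""
    if role == "admin" and admin_chat_access:
        chat = get_chat_by_id(share_id)       # wrong key space: share token used as chat id
    else:
        chat = get_chat_by_share_id(share_id)
    return 200 if chat else 401

def shared_chat_fixed(share_id: str, role: str, admin_chat_access: bool = True) -> int:
    """Resolve the share token with the same helper for every role."""
    chat = get_chat_by_share_id(share_id)
    return 200 if chat else 401

def role_matrix(handler: Callable[..., int], token: str) -> Dict[str, int]:
    """Regression check: one link should give the same status to every role."""
    return {role: handler(token, role) for role in ("user", "admin")}

if __name__ == "__main__":
    print("buggy:", role_matrix(shared_chat_buggy, "share-aaa"))
    print("fixed:", role_matrix(shared_chat_fixed, "share-aaa"))
    print("chat id passed as share token:", role_matrix(shared_chat_fixed, "chat-2"))
```

Running the same role matrix against each share-id endpoint is one way to scan for the pattern the comment describes.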


@FelHell commented on GitHub (May 4, 2026):

I can confirm that this bug exists in Open WebUI version 0.9.2. As an admin, I cannot share a link with another admin user.


@Classic298 commented on GitHub (May 4, 2026):

should be fixed by https://github.com/open-webui/open-webui/commit/cde21b9f6dc11575a668484f42440824ec5a4fae

testing wanted
Reference: github-starred/open-webui#58926