github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-03-10 07:43:10 -05:00
Code Issues 308 Packages Projects Releases 100 Wiki Activity

issue: Public Sharing Still Possible When Disabled in Admin Panel #5989

New Issue
Closed
opened 2025-11-11 16:41:39 -06:00 by GiteaMirror · 8 comments
GiteaMirror commented 2025-11-11 16:41:39 -06:00
Owner
Copy Link

Originally created by @flefevre on GitHub (Aug 8, 2025).

Check Existing Issues

  • I have searched the existing issues and discussions.
  • I am using the latest version of Open WebUI.

Installation Method

Docker

Open WebUI Version

0.6.18

Ollama Version (if applicable)

No response

Operating System

Ubuntu

Browser (if applicable)

No response

Confirmation

  • I have read and followed all instructions in README.md.
  • I am using the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.
  • I have provided every relevant configuration, setting, and environment variable used in my setup.
  • I have clearly listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc).
  • I have documented step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation. My steps:
  • Start with the initial platform/version/OS and dependencies used,
  • Specify exact install/launch/configure commands,
  • List URLs visited, user input (incl. example values/emails/passwords if needed),
  • Describe all options and toggles enabled or changed,
  • Include any files or environmental changes,
  • Identify the expected and actual result at each stage,
  • Ensure any reasonably skilled user can follow and hit the same issue.

Expected Behavior

Even when the "Sharing Permissions" options in the Admin Panel are disabled (unchecked), regular users can still publicly share their resources — including Models, Knowledge, Prompts, and Tools.
This behavior allows unintended public visibility of resources despite explicit configuration to restrict sharing.

When sharing permissions are disabled in the Admin Panel, regular users should not be able to make their resources public.

Actual Behavior

Regular users can still share their resources publicly, ignoring the admin’s configuration.

Steps to Reproduce

  1. Log in as an Admin.
  2. Go to Admin PanelSharing Permissions.
  3. Disable (uncheck) all the following:
    • Models Public Sharing
    • Knowledge Public Sharing
    • Prompts Public Sharing
    • Tools Public Sharing
  4. Log in as a regular (non-admin) user.
  5. Create or open a resource (e.g., a model, knowledge base, prompt, or tool).
  6. Attempt to share the resource publicly.

Logs & Screenshots

Image

Additional Information

No response

Originally created by @flefevre on GitHub (Aug 8, 2025). ### Check Existing Issues - [x] I have searched the existing issues and discussions. - [x] I am using the latest version of Open WebUI. ### Installation Method Docker ### Open WebUI Version 0.6.18 ### Ollama Version (if applicable) _No response_ ### Operating System Ubuntu ### Browser (if applicable) _No response_ ### Confirmation - [x] I have read and followed all instructions in `README.md`. - [x] I am using the latest version of **both** Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. - [x] I have **provided every relevant configuration, setting, and environment variable used in my setup.** - [x] I have clearly **listed every relevant configuration, custom setting, environment variable, and command-line option that influences my setup** (such as Docker Compose overrides, .env values, browser settings, authentication configurations, etc). - [x] I have documented **step-by-step reproduction instructions that are precise, sequential, and leave nothing to interpretation**. My steps: - Start with the initial platform/version/OS and dependencies used, - Specify exact install/launch/configure commands, - List URLs visited, user input (incl. example values/emails/passwords if needed), - Describe all options and toggles enabled or changed, - Include any files or environmental changes, - Identify the expected and actual result at each stage, - Ensure any reasonably skilled user can follow and hit the same issue. ### Expected Behavior Even when the **"Sharing Permissions"** options in the Admin Panel are disabled (unchecked), regular users can still publicly share their resources — including **Models**, **Knowledge**, **Prompts**, and **Tools**. This behavior allows unintended public visibility of resources despite explicit configuration to restrict sharing. When sharing permissions are disabled in the Admin Panel, regular users **should not** be able to make their resources public. ### Actual Behavior Regular users **can still** share their resources publicly, ignoring the admin’s configuration. ### Steps to Reproduce 1. Log in as an **Admin**. 2. Go to **Admin Panel** → **Sharing Permissions**. 3. Disable (uncheck) all the following: - **Models Public Sharing** - **Knowledge Public Sharing** - **Prompts Public Sharing** - **Tools Public Sharing** 4. Log in as a regular (non-admin) user. 5. Create or open a resource (e.g., a model, knowledge base, prompt, or tool). 6. Attempt to share the resource publicly. ### Logs & Screenshots <img width="1556" height="816" alt="Image" src="https://github.com/user-attachments/assets/274eb783-2e39-4e55-a1ed-6e7732679d44" /> ### Additional Information _No response_
GiteaMirror added the bug label 2025-11-11 16:41:39 -06:00
GiteaMirror commented 2025-11-11 16:41:41 -06:00
Author
Owner
Copy Link

@rgaricano commented on GitHub (Aug 8, 2025):

I supose that the user that can share in this way isn't in any group with sharing permission. ¿?

@rgaricano commented on GitHub (Aug 8, 2025): I supose that the user that can share in this way isn't in any group with sharing permission. ¿?
GiteaMirror commented 2025-11-11 16:41:41 -06:00
Author
Owner
Copy Link

@flefevre commented on GitHub (Aug 8, 2025):

Normally if public sharing rights are not enable, all basic user should not be able to share any public ressources.
Could anyone confirm the behaviour with 0.18 version and perhaps identify the code bug
Thanks

@flefevre commented on GitHub (Aug 8, 2025): Normally if public sharing rights are not enable, all basic user should not be able to share any public ressources. Could anyone confirm the behaviour with 0.18 version and perhaps identify the code bug Thanks
GiteaMirror commented 2025-11-11 16:41:41 -06:00
Author
Owner
Copy Link

@rgaricano commented on GitHub (Aug 8, 2025):

I'm going to check, but just a clarification: Default Permissions are the default permissions settings for new users or users that haven't assigned permissions, it isn't a global configuration that override other users/group permissions.

@rgaricano commented on GitHub (Aug 8, 2025): I'm going to check, but just a clarification: _Default Permissions_ are the default permissions settings for new users or users that haven't assigned permissions, it isn't a global configuration that override other users/group permissions.
GiteaMirror commented 2025-11-11 16:41:41 -06:00
Author
Owner
Copy Link

@Classic298 commented on GitHub (Aug 8, 2025):

@flefevre is the "basic user" you are testing this with in NO other group?

If yes, you've found a bug.

If no, check the permissions of the group he is in. Perhaps this group has public sharing enabled.

Anyways, with the provided steps to reproduce, i cannot reproduce this bug.

@Classic298 commented on GitHub (Aug 8, 2025): @flefevre is the "basic user" you are testing this with in NO other group? If yes, you've found a bug. If no, check the permissions of the group he is in. Perhaps this group has public sharing enabled. Anyways, with the provided steps to reproduce, i cannot reproduce this bug.
GiteaMirror commented 2025-11-11 16:41:41 -06:00
Author
Owner
Copy Link

@joni-graham commented on GitHub (Aug 8, 2025):

We do not see the Workspace Permissions in the Admin UI in either v0.6.16 or v0.6.18. We were changing the permissions in our .yaml config file and doing a restart. We can toggle off the permission that gives Tools access to users, but when we toggle the public sharing permissions, they don't change after a restart.

Should we see the Workspace Permissions in the the Admin UI? If so, in both versions we have installed?

@joni-graham commented on GitHub (Aug 8, 2025): We do not see the Workspace Permissions in the Admin UI in either v0.6.16 or v0.6.18. We were changing the permissions in our .yaml config file and doing a restart. We can toggle off the permission that gives Tools access to users, but when we toggle the public sharing permissions, they don't change after a restart. Should we see the Workspace Permissions in the the Admin UI? If so, in both versions we have installed?
GiteaMirror commented 2025-11-11 16:41:42 -06:00
Author
Owner
Copy Link

@rgaricano commented on GitHub (Aug 8, 2025):

in adminSettings/Users/Groups

@rgaricano commented on GitHub (Aug 8, 2025): in adminSettings/Users/Groups
GiteaMirror commented 2025-11-11 16:41:42 -06:00
Author
Owner
Copy Link

@joni-graham commented on GitHub (Aug 8, 2025):

thank you @rgaricano, I had found it. I turned off public sharing for all groups and users in our staging environment installed with v0.6.18 and it tested well as a USER. I also tested as my ADMIN account and I can still set to Public. So, I think the feature is working as expected. What confused us is we changed in the .yaml file and restarted, but the behavior did not change. We understand now that is how PersistentConfig variables are designed to behave. We just needed to find it on the Admin UI.

@joni-graham commented on GitHub (Aug 8, 2025): thank you @rgaricano, I had found it. I turned off public sharing for all groups and users in our staging environment installed with v0.6.18 and it tested well as a USER. I also tested as my ADMIN account and I can still set to Public. So, I think the feature is working as expected. What confused us is we changed in the .yaml file and restarted, but the behavior did not change. We understand now that is how PersistentConfig variables are designed to behave. We just needed to find it on the Admin UI.
GiteaMirror commented 2025-11-11 16:41:42 -06:00
Author
Owner
Copy Link

@flefevre commented on GitHub (Aug 9, 2025):

Hey,

I have checked
You are right: the user was belonging to a group with sharing rights.
As an admin, I have removed those rights then i do confirm the user is not able to share the knowledgebase.

It will be very usefull to develop a panel for user to see to which groups they belongs and the rights they have.

Feature Request: Display user group memberships and permissions #16416

Image
@flefevre commented on GitHub (Aug 9, 2025): Hey, I have checked You are right: the user was belonging to a group with sharing rights. As an admin, I have removed those rights then i do confirm the user is not able to share the knowledgebase. It will be very usefull to develop a panel for user to see to which groups they belongs and the rights they have. Feature Request: Display user group memberships and permissions #16416 <img width="1256" height="760" alt="Image" src="https://github.com/user-attachments/assets/fb965c27-a928-4798-a005-8878710a3541" />
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#5989
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?