open-webui: no need anymore for custom patch for roles
This commit is contained in:
parent
9b27449c85
commit
1c14c9251d
2 changed files with 0 additions and 49 deletions
|
|
@ -230,7 +230,6 @@ in
|
|||
package = pkgs.open-webui.overrideAttrs (finalAttrs: {
|
||||
patches = [
|
||||
../../patches/0001-selfhostblocks-never-onboard.patch
|
||||
../../patches/0002-selfhostblocks-do-not-allow-unauthorized-roles.patch
|
||||
];
|
||||
});
|
||||
environment = {
|
||||
|
|
|
|||
|
|
@ -1,48 +0,0 @@
|
|||
From fed4cfab1f66e6a2a46dbdd20ad52aee664f06b1 Mon Sep 17 00:00:00 2001
|
||||
From: ibizaman <ibizaman@tiserbox.com>
|
||||
Date: Thu, 9 Oct 2025 01:37:43 +0200
|
||||
Subject: [PATCH] selfhostblocks: do not allow unauthorized roles
|
||||
|
||||
---
|
||||
backend/open_webui/constants.py | 2 +-
|
||||
backend/open_webui/utils/oauth.py | 5 +++--
|
||||
2 files changed, 4 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/backend/open_webui/constants.py b/backend/open_webui/constants.py
|
||||
index 59ee6aaac..5a42f1805 100644
|
||||
--- a/backend/open_webui/constants.py
|
||||
+++ b/backend/open_webui/constants.py
|
||||
@@ -51,7 +51,7 @@ class ERROR_MESSAGES(str, Enum):
|
||||
|
||||
EXISTING_USERS = "You can't turn off authentication because there are existing users. If you want to disable WEBUI_AUTH, make sure your web interface doesn't have any existing users and is a fresh installation."
|
||||
|
||||
- UNAUTHORIZED = "401 Unauthorized"
|
||||
+ UNAUTHORIZED = "Unauthorized"
|
||||
ACCESS_PROHIBITED = "You do not have permission to access this resource. Please contact your administrator for assistance."
|
||||
ACTION_PROHIBITED = (
|
||||
"The requested action has been restricted as a security measure."
|
||||
diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
|
||||
index 9090c38ce..3c68dead4 100644
|
||||
--- a/backend/open_webui/utils/oauth.py
|
||||
+++ b/backend/open_webui/utils/oauth.py
|
||||
@@ -336,8 +336,7 @@ class OAuthManager:
|
||||
oauth_allowed_roles = auth_manager_config.OAUTH_ALLOWED_ROLES
|
||||
oauth_admin_roles = auth_manager_config.OAUTH_ADMIN_ROLES
|
||||
oauth_roles = []
|
||||
- # Default/fallback role if no matching roles are found
|
||||
- role = auth_manager_config.DEFAULT_USER_ROLE
|
||||
+ role = None
|
||||
|
||||
# Next block extracts the roles from the user data, accepting nested claims of any depth
|
||||
if oauth_claim and oauth_allowed_roles and oauth_admin_roles:
|
||||
@@ -373,6 +372,8 @@ class OAuthManager:
|
||||
log.debug("Assigned user the admin role")
|
||||
role = "admin"
|
||||
break
|
||||
+ if role is None:
|
||||
+ raise HTTPException(403, detail=ERROR_MESSAGES.UNAUTHORIZED)
|
||||
else:
|
||||
if not user:
|
||||
# If role management is disabled, use the default role for new users
|
||||
--
|
||||
2.50.1
|
||||
Loading…
Reference in a new issue