From 7d0c97e7d379b0393066beee680afd6b2cbdbba5 Mon Sep 17 00:00:00 2001 From: ibizaman Date: Tue, 31 Mar 2026 22:23:27 +0200 Subject: [PATCH] open-webui: no need anymore for custom patch for roles --- modules/services/open-webui.nix | 1 - ...ocks-do-not-allow-unauthorized-roles.patch | 48 ------------------- 2 files changed, 49 deletions(-) delete mode 100644 patches/0002-selfhostblocks-do-not-allow-unauthorized-roles.patch diff --git a/modules/services/open-webui.nix b/modules/services/open-webui.nix index 233f496..4b26a87 100644 --- a/modules/services/open-webui.nix +++ b/modules/services/open-webui.nix @@ -230,7 +230,6 @@ in package = pkgs.open-webui.overrideAttrs (finalAttrs: { patches = [ ../../patches/0001-selfhostblocks-never-onboard.patch - ../../patches/0002-selfhostblocks-do-not-allow-unauthorized-roles.patch ]; }); environment = { diff --git a/patches/0002-selfhostblocks-do-not-allow-unauthorized-roles.patch b/patches/0002-selfhostblocks-do-not-allow-unauthorized-roles.patch deleted file mode 100644 index 84c473d..0000000 --- a/patches/0002-selfhostblocks-do-not-allow-unauthorized-roles.patch +++ /dev/null @@ -1,48 +0,0 @@ -From fed4cfab1f66e6a2a46dbdd20ad52aee664f06b1 Mon Sep 17 00:00:00 2001 -From: ibizaman -Date: Thu, 9 Oct 2025 01:37:43 +0200 -Subject: [PATCH] selfhostblocks: do not allow unauthorized roles - ---- - backend/open_webui/constants.py | 2 +- - backend/open_webui/utils/oauth.py | 5 +++-- - 2 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/backend/open_webui/constants.py b/backend/open_webui/constants.py -index 59ee6aaac..5a42f1805 100644 ---- a/backend/open_webui/constants.py -+++ b/backend/open_webui/constants.py -@@ -51,7 +51,7 @@ class ERROR_MESSAGES(str, Enum): - - EXISTING_USERS = "You can't turn off authentication because there are existing users. If you want to disable WEBUI_AUTH, make sure your web interface doesn't have any existing users and is a fresh installation." - -- UNAUTHORIZED = "401 Unauthorized" -+ UNAUTHORIZED = "Unauthorized" - ACCESS_PROHIBITED = "You do not have permission to access this resource. Please contact your administrator for assistance." - ACTION_PROHIBITED = ( - "The requested action has been restricted as a security measure." -diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py -index 9090c38ce..3c68dead4 100644 ---- a/backend/open_webui/utils/oauth.py -+++ b/backend/open_webui/utils/oauth.py -@@ -336,8 +336,7 @@ class OAuthManager: - oauth_allowed_roles = auth_manager_config.OAUTH_ALLOWED_ROLES - oauth_admin_roles = auth_manager_config.OAUTH_ADMIN_ROLES - oauth_roles = [] -- # Default/fallback role if no matching roles are found -- role = auth_manager_config.DEFAULT_USER_ROLE -+ role = None - - # Next block extracts the roles from the user data, accepting nested claims of any depth - if oauth_claim and oauth_allowed_roles and oauth_admin_roles: -@@ -373,6 +372,8 @@ class OAuthManager: - log.debug("Assigned user the admin role") - role = "admin" - break -+ if role is None: -+ raise HTTPException(403, detail=ERROR_MESSAGES.UNAUTHORIZED) - else: - if not user: - # If role management is disabled, use the default role for new users --- -2.50.1