Merge pull request #21277 from open-webui/acl

refac: acl
2026-02-09 13:34:36 -06:00
parent 65904b867e 68c77295bd
commit 48a0abb40f
57 changed files with 2994 additions and 879 deletions
--- a/backend/open_webui/utils/models.py
+++ b/backend/open_webui/utils/models.py
@@ -13,6 +13,7 @@ from open_webui.functions import get_function_models

 from open_webui.models.functions import Functions
 from open_webui.models.models import Models
+from open_webui.models.access_grants import AccessGrants
 from open_webui.models.groups import Groups


@@ -354,8 +355,12 @@ def check_model_access(user, model, db=None):
            raise Exception("Model not found")
        elif not (
            user.id == model_info.user_id
-            or has_access(
-                user.id, type="read", access_control=model_info.access_control, db=db
+            or AccessGrants.has_access(
+                user_id=user.id,
+                resource_type="model",
+                resource_id=model_info.id,
+                permission="read",
+                db=db,
            )
        ):
            raise Exception("Model not found")
@@ -395,11 +400,13 @@ def get_filtered_models(models, user, db=None):
                if (
                    (user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL)
                    or user.id == model_info.user_id
-                    or has_access(
-                        user.id,
-                        type="read",
-                        access_control=model_info.access_control,
+                    or AccessGrants.has_access(
+                        user_id=user.id,
+                        resource_type="model",
+                        resource_id=model_info.id,
+                        permission="read",
                        user_group_ids=user_group_ids,
+                        db=db,
                    )
                ):
                    filtered_models.append(model)
--- a/backend/open_webui/utils/tools.py
+++ b/backend/open_webui/utils/tools.py
@@ -38,6 +38,7 @@ from open_webui.utils.misc import is_string_allowed
 from open_webui.models.tools import Tools
 from open_webui.models.users import UserModel
 from open_webui.models.groups import Groups
+from open_webui.models.access_grants import AccessGrants
 from open_webui.utils.plugin import load_tool_module_by_id
 from open_webui.utils.access_control import has_access
 from open_webui.config import BYPASS_ADMIN_ACCESS_CONTROL
@@ -168,7 +169,13 @@ async def get_tools(
            if (
                not (user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL)
                and tool.user_id != user.id
-                and not has_access(user.id, "read", tool.access_control, user_group_ids)
+                and not AccessGrants.has_access(
+                    user_id=user.id,
+                    resource_type="tool",
+                    resource_id=tool.id,
+                    permission="read",
+                    user_group_ids=user_group_ids,
+                )
            ):
                log.warning(f"Access denied to tool {tool_id} for user {user.id}")
                continue