refac: role update ui

2025-06-26 18:26:48 +00:00 · 2025-05-31 15:00:27 +04:00
parent 343dac91c9
commit e41e375aab
5 changed files with 38 additions and 58 deletions
--- a/backend/open_webui/models/users.py
+++ b/backend/open_webui/models/users.py
@@ -95,6 +95,7 @@ class UserRoleUpdateForm(BaseModel):


 class UserUpdateForm(BaseModel):
+    role: str
    name: str
    email: str
    profile_image_url: str
--- a/backend/open_webui/routers/users.py
+++ b/backend/open_webui/routers/users.py
@@ -165,22 +165,6 @@ async def update_default_user_permissions(
    return request.app.state.config.USER_PERMISSIONS


-############################
-# UpdateUserRole
-############################
-
-
-@router.post("/update/role", response_model=Optional[UserModel])
-async def update_user_role(form_data: UserRoleUpdateForm, user=Depends(get_admin_user)):
-    if user.id != form_data.id and form_data.id != Users.get_first_user().id:
-        return Users.update_user_role_by_id(form_data.id, form_data.role)
-
-    raise HTTPException(
-        status_code=status.HTTP_403_FORBIDDEN,
-        detail=ERROR_MESSAGES.ACTION_PROHIBITED,
-    )
-
-
 ############################
 # GetUserSettingsBySessionUser
 ############################
@@ -333,11 +317,22 @@ async def update_user_by_id(
    # Prevent modification of the primary admin user by other admins
    try:
        first_user = Users.get_first_user()
-        if first_user and user_id == first_user.id and session_user.id != user_id:
-            raise HTTPException(
-                status_code=status.HTTP_403_FORBIDDEN,
-                detail=ERROR_MESSAGES.ACTION_PROHIBITED,
-            )
+        if first_user:
+            if user_id == first_user.id:
+                if session_user.id != user_id:
+                    # If the user trying to update is the primary admin, and they are not the primary admin themselves
+                    raise HTTPException(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        detail=ERROR_MESSAGES.ACTION_PROHIBITED,
+                    )
+
+                if form_data.role != "admin":
+                    # If the primary admin is trying to change their own role, prevent it
+                    raise HTTPException(
+                        status_code=status.HTTP_403_FORBIDDEN,
+                        detail=ERROR_MESSAGES.ACTION_PROHIBITED,
+                    )
+
    except Exception as e:
        log.error(f"Error checking primary admin status: {e}")
        raise HTTPException(
@@ -365,6 +360,7 @@ async def update_user_by_id(
        updated_user = Users.update_user_by_id(
            user_id,
            {
+                "role": form_data.role,
                "name": form_data.name,
                "email": form_data.email.lower(),
                "profile_image_url": form_data.profile_image_url,