open-webui/backend/apps/webui/routers/users.py

from fastapi import Response, Request
from fastapi import Depends, FastAPI, HTTPException, status
from datetime import datetime, timedelta
from typing import List, Union, Optional

from fastapi import APIRouter
from pydantic import BaseModel
import time
import uuid
import logging

from apps.webui.models.users import (
    UserModel,
    UserUpdateForm,
    UserRoleUpdateForm,
    UserSettings,
    Users,
)
from apps.webui.models.auths import Auths
from apps.webui.models.chats import Chats

from utils.utils import get_verified_user, get_password_hash, get_admin_user
from constants import ERROR_MESSAGES

from config import SRC_LOG_LEVELS

log = logging.getLogger(__name__)
log.setLevel(SRC_LOG_LEVELS["MODELS"])

router = APIRouter()

############################
# GetUsers
############################


@router.get("/", response_model=List[UserModel])
async def get_users(skip: int = 0, limit: int = 50, user=Depends(get_admin_user)):
    return Users.get_users(skip, limit)


############################
# User Permissions
############################


@router.get("/permissions/user")
async def get_user_permissions(request: Request, user=Depends(get_admin_user)):
    return request.app.state.config.USER_PERMISSIONS


@router.post("/permissions/user")
async def update_user_permissions(
    request: Request, form_data: dict, user=Depends(get_admin_user)
):
    request.app.state.config.USER_PERMISSIONS = form_data
    return request.app.state.config.USER_PERMISSIONS


############################
# UpdateUserRole
############################


@router.post("/update/role", response_model=Optional[UserModel])
async def update_user_role(form_data: UserRoleUpdateForm, user=Depends(get_admin_user)):

    if user.id != form_data.id and form_data.id != Users.get_first_user().id:
        return Users.update_user_role_by_id(form_data.id, form_data.role)

    raise HTTPException(
        status_code=status.HTTP_403_FORBIDDEN,
        detail=ERROR_MESSAGES.ACTION_PROHIBITED,
    )


############################
# GetUserSettingsBySessionUser
############################


@router.get("/user/settings", response_model=Optional[UserSettings])
async def get_user_settings_by_session_user(user=Depends(get_verified_user)):
    user = Users.get_user_by_id(user.id)
    if user:
        return user.settings
    else:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.USER_NOT_FOUND,
        )


############################
# UpdateUserSettingsBySessionUser
############################


@router.post("/user/settings/update", response_model=UserSettings)
async def update_user_settings_by_session_user(
    form_data: UserSettings, user=Depends(get_verified_user)
):
    user = Users.update_user_by_id(user.id, {"settings": form_data.model_dump()})
    if user:
        return user.settings
    else:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.USER_NOT_FOUND,
        )


############################
# GetUserById
############################


class UserResponse(BaseModel):
    name: str
    profile_image_url: str


@router.get("/{user_id}", response_model=UserResponse)
async def get_user_by_id(user_id: str, user=Depends(get_verified_user)):

    # Check if user_id is a shared chat
    # If it is, get the user_id from the chat
    if user_id.startswith("shared-"):
        chat_id = user_id.replace("shared-", "")
        chat = Chats.get_chat_by_id(chat_id)
        if chat:
            user_id = chat.user_id
        else:
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
                detail=ERROR_MESSAGES.USER_NOT_FOUND,
            )

    user = Users.get_user_by_id(user_id)

    if user:
        return UserResponse(name=user.name, profile_image_url=user.profile_image_url)
    else:
        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.USER_NOT_FOUND,
        )


############################
# UpdateUserById
############################


@router.post("/{user_id}/update", response_model=Optional[UserModel])
async def update_user_by_id(
    user_id: str, form_data: UserUpdateForm, session_user=Depends(get_admin_user)
):
    user = Users.get_user_by_id(user_id)

    if user:
        if form_data.email.lower() != user.email:
            email_user = Users.get_user_by_email(form_data.email.lower())
            if email_user:
                raise HTTPException(
                    status_code=status.HTTP_400_BAD_REQUEST,
                    detail=ERROR_MESSAGES.EMAIL_TAKEN,
                )

        if form_data.password:
            hashed = get_password_hash(form_data.password)
            log.debug(f"hashed: {hashed}")
            Auths.update_user_password_by_id(user_id, hashed)

        Auths.update_email_by_id(user_id, form_data.email.lower())
        updated_user = Users.update_user_by_id(
            user_id,
            {
                "name": form_data.name,
                "email": form_data.email.lower(),
                "profile_image_url": form_data.profile_image_url,
            },
        )

        if updated_user:
            return updated_user

        raise HTTPException(
            status_code=status.HTTP_400_BAD_REQUEST,
            detail=ERROR_MESSAGES.DEFAULT(),
        )

    raise HTTPException(
        status_code=status.HTTP_400_BAD_REQUEST,
        detail=ERROR_MESSAGES.USER_NOT_FOUND,
    )


############################
# DeleteUserById
############################


@router.delete("/{user_id}", response_model=bool)
async def delete_user_by_id(user_id: str, user=Depends(get_admin_user)):
    if user.id != user_id:
        result = Auths.delete_auth_by_id(user_id)

        if result:
            return True

        raise HTTPException(
            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
            detail=ERROR_MESSAGES.DELETE_USER_ERROR,
        )

    raise HTTPException(
        status_code=status.HTTP_403_FORBIDDEN,
        detail=ERROR_MESSAGES.ACTION_PROHIBITED,
    )
feat: admin settings 2024-02-14 09:17:43 +00:00			`from fastapi import Response, Request`
feat: admin panel added 2023-11-19 08:13:59 +00:00			`from fastapi import Depends, FastAPI, HTTPException, status`
			`from datetime import datetime, timedelta`
			`from typing import List, Union, Optional`

			`from fastapi import APIRouter`
			`from pydantic import BaseModel`
			`import time`
			`import uuid`
Migrate to python logging module with env var control. 2024-03-20 23:11:36 +00:00			`import logging`
feat: admin panel added 2023-11-19 08:13:59 +00:00
feat: save user settings to db 2024-05-27 05:47:42 +00:00			`from apps.webui.models.users import (`
			`UserModel,`
			`UserUpdateForm,`
			`UserRoleUpdateForm,`
			`UserSettings,`
			`Users,`
			`)`
refac: folder rename web -> webui 2024-05-26 08:15:48 +00:00			`from apps.webui.models.auths import Auths`
			`from apps.webui.models.chats import Chats`
fix: delete auth with user 2023-12-29 07:24:51 +00:00
fix: display username in shared chats 2024-05-18 21:19:48 +00:00			`from utils.utils import get_verified_user, get_password_hash, get_admin_user`
feat: admin panel added 2023-11-19 08:13:59 +00:00			`from constants import ERROR_MESSAGES`

feat: switch to config proxy, remove config_get/set 2024-05-10 07:03:24 +00:00			`from config import SRC_LOG_LEVELS`
chore: py formatting 2024-03-31 08:13:39 +00:00
Migrate to python logging module with env var control. 2024-03-20 23:11:36 +00:00			`log = logging.getLogger(__name__)`
			`log.setLevel(SRC_LOG_LEVELS["MODELS"])`

feat: admin panel added 2023-11-19 08:13:59 +00:00			`router = APIRouter()`

			`############################`
			`# GetUsers`
			`############################`


			`@router.get("/", response_model=List[UserModel])`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00			`async def get_users(skip: int = 0, limit: int = 50, user=Depends(get_admin_user)):`
refac: use dependencies to verify token - feat: added new util to get the current user when needed. Middleware was adding authentication logic to all the routes. let's revisit if we can move the non-auth endpoints to a separate route. - refac: update the routes to use new helpers for verification and retrieving user - chore: added black for local formatting of py code 2023-12-30 10:53:33 +00:00			`return Users.get_users(skip, limit)`
feat: admin panel added 2023-11-19 08:13:59 +00:00

feat: admin settings 2024-02-14 09:17:43 +00:00			`############################`
			`# User Permissions`
			`############################`


			`@router.get("/permissions/user")`
			`async def get_user_permissions(request: Request, user=Depends(get_admin_user)):`
feat: switch to config proxy, remove config_get/set 2024-05-10 07:03:24 +00:00			`return request.app.state.config.USER_PERMISSIONS`
feat: admin settings 2024-02-14 09:17:43 +00:00

			`@router.post("/permissions/user")`
			`async def update_user_permissions(`
			`request: Request, form_data: dict, user=Depends(get_admin_user)`
			`):`
feat: switch to config proxy, remove config_get/set 2024-05-10 07:03:24 +00:00			`request.app.state.config.USER_PERMISSIONS = form_data`
			`return request.app.state.config.USER_PERMISSIONS`
feat: admin settings 2024-02-14 09:17:43 +00:00

fix: update role 2024-01-06 05:02:49 +00:00			`############################`
			`# UpdateUserRole`
			`############################`


			`@router.post("/update/role", response_model=Optional[UserModel])`
fix: admin issue 2024-02-11 01:54:33 +00:00			`async def update_user_role(form_data: UserRoleUpdateForm, user=Depends(get_admin_user)):`

feat: super-admin (first one to signup) 2024-05-02 02:59:05 +00:00			`if user.id != form_data.id and form_data.id != Users.get_first_user().id:`
fix: update role 2024-01-06 05:02:49 +00:00			`return Users.update_user_role_by_id(form_data.id, form_data.role)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00
			`raise HTTPException(`
			`status_code=status.HTTP_403_FORBIDDEN,`
			`detail=ERROR_MESSAGES.ACTION_PROHIBITED,`
			`)`
fix: update role 2024-01-06 05:02:49 +00:00

feat: save user settings to db 2024-05-27 05:47:42 +00:00			`############################`
			`# GetUserSettingsBySessionUser`
			`############################`


			`@router.get("/user/settings", response_model=Optional[UserSettings])`
			`async def get_user_settings_by_session_user(user=Depends(get_verified_user)):`
			`user = Users.get_user_by_id(user.id)`
			`if user:`
			`return user.settings`
			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.USER_NOT_FOUND,`
			`)`


			`############################`
			`# UpdateUserSettingsBySessionUser`
			`############################`


			`@router.post("/user/settings/update", response_model=UserSettings)`
			`async def update_user_settings_by_session_user(`
			`form_data: UserSettings, user=Depends(get_verified_user)`
			`):`
			`user = Users.update_user_by_id(user.id, {"settings": form_data.model_dump()})`
			`if user:`
			`return user.settings`
			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.USER_NOT_FOUND,`
			`)`


fix: display username in shared chats 2024-05-18 21:19:48 +00:00			`############################`
			`# GetUserById`
			`############################`


			`class UserResponse(BaseModel):`
			`name: str`
			`profile_image_url: str`


			`@router.get("/{user_id}", response_model=UserResponse)`
			`async def get_user_by_id(user_id: str, user=Depends(get_verified_user)):`

feat: save user settings to db 2024-05-27 05:47:42 +00:00			`# Check if user_id is a shared chat`
			`# If it is, get the user_id from the chat`
fix: share chat issue 2024-05-18 22:23:36 +00:00			`if user_id.startswith("shared-"):`
			`chat_id = user_id.replace("shared-", "")`
			`chat = Chats.get_chat_by_id(chat_id)`
			`if chat:`
			`user_id = chat.user_id`
			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.USER_NOT_FOUND,`
			`)`

fix: display username in shared chats 2024-05-18 21:19:48 +00:00			`user = Users.get_user_by_id(user_id)`

			`if user:`
			`return UserResponse(name=user.name, profile_image_url=user.profile_image_url)`
			`else:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.USER_NOT_FOUND,`
			`)`


feat: admin panel added 2023-11-19 08:13:59 +00:00			`############################`
feat: edit user support 2024-01-06 04:59:56 +00:00			`# UpdateUserById`
feat: admin panel added 2023-11-19 08:13:59 +00:00			`############################`


feat: edit user support 2024-01-06 04:59:56 +00:00			`@router.post("/{user_id}/update", response_model=Optional[UserModel])`
			`async def update_user_by_id(`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00			`user_id: str, form_data: UserUpdateForm, session_user=Depends(get_admin_user)`
feat: edit user support 2024-01-06 04:59:56 +00:00			`):`
			`user = Users.get_user_by_id(user_id)`

			`if user:`
fix: update user email issue 2024-01-06 10:51:57 +00:00			`if form_data.email.lower() != user.email:`
			`email_user = Users.get_user_by_email(form_data.email.lower())`
feat: edit user support 2024-01-06 04:59:56 +00:00			`if email_user:`
			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.EMAIL_TAKEN,`
			`)`

			`if form_data.password:`
			`hashed = get_password_hash(form_data.password)`
Migrate to python logging module with env var control. 2024-03-20 23:11:36 +00:00			`log.debug(f"hashed: {hashed}")`
feat: edit user support 2024-01-06 04:59:56 +00:00			`Auths.update_user_password_by_id(user_id, hashed)`

fix: update user email issue 2024-01-06 10:51:57 +00:00			`Auths.update_email_by_id(user_id, form_data.email.lower())`
feat: edit user support 2024-01-06 04:59:56 +00:00			`updated_user = Users.update_user_by_id(`
			`user_id,`
			`{`
			`"name": form_data.name,`
fix: update user email issue 2024-01-06 10:51:57 +00:00			`"email": form_data.email.lower(),`
feat: edit user support 2024-01-06 04:59:56 +00:00			`"profile_image_url": form_data.profile_image_url,`
			`},`
			`)`

			`if updated_user:`
			`return updated_user`

feat: admin panel added 2023-11-19 08:13:59 +00:00			`raise HTTPException(`
feat: edit user support 2024-01-06 04:59:56 +00:00			`status_code=status.HTTP_400_BAD_REQUEST,`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00			`detail=ERROR_MESSAGES.DEFAULT(),`
feat: admin panel added 2023-11-19 08:13:59 +00:00			`)`
feat: delete user backend support 2023-12-29 07:02:49 +00:00
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00			`raise HTTPException(`
			`status_code=status.HTTP_400_BAD_REQUEST,`
			`detail=ERROR_MESSAGES.USER_NOT_FOUND,`
			`)`

feat: delete user backend support 2023-12-29 07:02:49 +00:00
			`############################`
fix: delete auth with user 2023-12-29 07:24:51 +00:00			`# DeleteUserById`
feat: delete user backend support 2023-12-29 07:02:49 +00:00			`############################`


			`@router.delete("/{user_id}", response_model=bool)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00			`async def delete_user_by_id(user_id: str, user=Depends(get_admin_user)):`
			`if user.id != user_id:`
			`result = Auths.delete_auth_by_id(user_id)`

			`if result:`
			`return True`

feat: delete user backend support 2023-12-29 07:02:49 +00:00			`raise HTTPException(`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00			`status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,`
			`detail=ERROR_MESSAGES.DELETE_USER_ERROR,`
feat: delete user backend support 2023-12-29 07:02:49 +00:00			`)`
Endpoint role-checking was redundantly applied but FastAPI provides a nice abstraction mechanic...so I applied it. There should be no logical changes in this code; only simpler, cleaner ways for doing the same thing. 2024-02-09 00:05:01 +00:00
			`raise HTTPException(`
			`status_code=status.HTTP_403_FORBIDDEN,`
			`detail=ERROR_MESSAGES.ACTION_PROHIBITED,`
			`)`