itk-dev · cableman · Apr 14, 2025 · Apr 14, 2025 · Apr 15, 2025 · Apr 15, 2025
diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py
@@ -31,6 +31,7 @@
 )
 from open_webui.internal.db import Base, get_db
 from open_webui.utils.redis import get_redis_connection
+from open_webui.models.permissions import Permissions
 
 
 class EndpointFilter(logging.Filter):
@@ -1130,7 +1131,6 @@ def oidc_oauth_register(client):
     os.environ.get("USER_PERMISSIONS_FEATURES_NOTES", "True").lower() == "true"
 )
 
-
 DEFAULT_USER_PERMISSIONS = {
     "workspace": {
         "models": USER_PERMISSIONS_WORKSPACE_MODELS_ACCESS,
@@ -1167,10 +1167,44 @@ def oidc_oauth_register(client):
     },
 }
 
-USER_PERMISSIONS = PersistentConfig(
-    "USER_PERMISSIONS",
-    "user.permissions",
-    DEFAULT_USER_PERMISSIONS,
+DEFAULT_USER_PERMISSIONS_LABELS = {
+    "workspace": {
+        "models": "Models Access",
+        "knowledge": "Knowledge Access",
+        "prompts": "Prompts Access",
+        "tools": "Tools Access",
+    },
+    "sharing": {
+        "public_models": "Models Public Sharing",
+        "public_knowledge": "Knowledge Public Sharing",
+        "public_prompts": "Prompts Public Sharing",
+        "public_tools": "Tools Public Sharing",
+    },
+    "chat": {
+        "controls": "Allow Chat Controls",
+        "file_upload": "Allow File Upload",
+        "delete": "Allow Chat Delete",
+        "edit": "Allow Chat Edit",
+        "share": "Allow Chat Share",
+        "export": "Allow Chat Export",
+        "stt": "Allow Speech to Text",
+        "tts": "Allow Text to Speech",
+        "call": "Allow Call",
+        "multiple_models": "Allow Multiple Models in Chat",
+        "temporary": "Allow Temporary Chat",
+        "temporary_enforced": "Enforce Temporary Chat",
+    },
+    "features": {
+        "direct_tool_servers": "Direct Tool Servers",
+        "web_search": "Web Search",
+        "image_generation": "Image Generation",
+        "code_interpreter": "Code Interpreter",
+        "notes": "Notes",
+    },
+}
+
+USER_PERMISSIONS = Permissions.set_initial_permissions(
+    DEFAULT_USER_PERMISSIONS, DEFAULT_USER_PERMISSIONS_LABELS
 )
 
 ENABLE_CHANNELS = PersistentConfig(

diff --git a/backend/open_webui/constants.py b/backend/open_webui/constants.py
@@ -104,6 +104,22 @@ def __str__(self) -> str:
     )
     FILE_NOT_PROCESSED = "Extracted content is not available for this file. Please ensure that the file is processed before proceeding."
 
+    PERMISSION_FETCH_FAILED = "Permissions fetch failed. Please try again later."
+    PERMISSION_NOT_FOUND = (
+        lambda name="", category="": f"Permission '{name}' with category '{category}' was not found"
+    )
+
+    ROLE_ALREADY_EXISTS = (
+        lambda role="": f"A role with the name '{role}' already exists"
+    )
+    ROLE_DO_NOT_EXISTS = "A role does not exist."
+    ROLE_ALREADY_ASSIGNED_TO_GROUP = ()
+    ROLE_DELETE_ERROR = "Oops! Something went wrong. We encountered an issue while trying to delete the role. Please give it another shot."
+    ROLE_NOT_FOUND = (
+        "This role does not exist.  Please check the role name and try again."
+    )
+    ROLE_ERROR = "Oops! Something went wrong. Please try again later."
+
 
 class TASKS(str, Enum):
     def __str__(self) -> str:

diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py
@@ -78,6 +78,8 @@
     tools,
     users,
     utils,
+    roles,
+    permissions,
 )
 
 from open_webui.routers.retrieval import (
@@ -588,6 +590,7 @@ async def lifespan(app: FastAPI):
 app.state.config.RESPONSE_WATERMARK = RESPONSE_WATERMARK
 
 app.state.config.USER_PERMISSIONS = USER_PERMISSIONS
+
 app.state.config.WEBHOOK_URL = WEBHOOK_URL
 app.state.config.BANNERS = WEBUI_BANNERS
 app.state.config.MODEL_ORDER_LIST = MODEL_ORDER_LIST
@@ -1052,6 +1055,11 @@ async def inspect_websocket(request: Request, call_next):
 )
 app.include_router(utils.router, prefix="/api/v1/utils", tags=["utils"])
 
+app.include_router(roles.router, prefix="/api/v1/roles", tags=["roles"])
+app.include_router(
+    permissions.router, prefix="/api/v1/permissions", tags=["permissions"]
+)
+
 
 try:
     audit_level = AuditLevel(AUDIT_LOG_LEVEL)
@@ -1405,7 +1413,7 @@ async def get_app_config(request: Request):
                     "max_size": app.state.config.FILE_MAX_SIZE,
                     "max_count": app.state.config.FILE_MAX_COUNT,
                 },
-                "permissions": {**app.state.config.USER_PERMISSIONS},
+                "permissions": USER_PERMISSIONS,
                 "google_drive": {
                     "client_id": GOOGLE_DRIVE_CLIENT_ID.value,
                     "api_key": GOOGLE_DRIVE_API_KEY.value,

diff --git a/backend/open_webui/migrations/versions/04c6df61a317_added_permissions_to_database.py b/backend/open_webui/migrations/versions/04c6df61a317_added_permissions_to_database.py
@@ -0,0 +1,55 @@
+"""Added permissions to the database
+
+Revision ID: 04c6df61a317
+Revises: 262aff902ca3
+Create Date: 2025-04-22 14:55:58.948054
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy import Enum
+
+
+# revision identifiers, used by Alembic.
+revision: str = "04c6df61a317"
+down_revision: Union[str, None] = "262aff902ca3"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade():
+    # Create a permissions table.
+    op.create_table(
+        "permissions",
+        sa.Column("id", sa.Integer(), primary_key=True, autoincrement=True),
+        sa.Column("name", sa.String(), nullable=False),
+        sa.Column("label", sa.String(), nullable=False),
+        sa.Column(
+            "category",
+            Enum("workspace", "sharing", "chat", "features", name="permissioncategory"),
+            nullable=False,
+        ),
+        sa.Column("description", sa.String()),
+    )
+
+    # Create a role_permissions join table to allow many-to-many relationships between roles and permissions.
+    op.create_table(
+        "role_permissions",
+        sa.Column("role_id", sa.Integer(), nullable=False),
+        sa.Column("permission_id", sa.Integer(), nullable=False),
+        sa.Column("value", sa.Boolean(), default=False),  # Added value column here
+        sa.ForeignKeyConstraint(["role_id"], ["roles.id"], ondelete="CASCADE"),
+        sa.ForeignKeyConstraint(
+            ["permission_id"], ["permissions.id"], ondelete="CASCADE"
+        ),
+        sa.PrimaryKeyConstraint("role_id", "permission_id"),
+    )
+
+
+def downgrade():
+    op.drop_table("role_permissions")
+    op.drop_table("permissions")
+    op.execute("DROP TYPE permissioncategory")
diff --git a/backend/open_webui/migrations/versions/262aff902ca3_added_roles_tabel.py b/backend/open_webui/migrations/versions/262aff902ca3_added_roles_tabel.py
@@ -0,0 +1,49 @@
+"""Added roles tabel
+
+Revision ID: 262aff902ca3
+Revises: 9f0c9cd09105
+Create Date: 2025-04-14 14:25:33.528446
+
+"""
+
+import time
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision: str = "262aff902ca3"
+down_revision: Union[str, None] = "9f0c9cd09105"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade():
+    op.create_table(
+        "roles",
+        sa.Column("id", sa.Integer, primary_key=True),
+        sa.Column("name", sa.String()),
+        sa.Column("created_at", sa.BigInteger(), nullable=True),
+        sa.Column("updated_at", sa.BigInteger(), nullable=True),
+    )
+
+    # Insert default roles into the database.
+    current_time = int(time.time())
+
+    connection = op.get_bind()
+    connection.execute(
+        sa.text(
+            f"""
+            INSERT INTO roles (name, created_at, updated_at) VALUES
+            ('pending', {current_time}, {current_time}),
+            ('admin', {current_time}, {current_time}),
+            ('user', {current_time}, {current_time})
+            """
+        )
+    )
+
+
+def downgrade():
+    op.drop_table("roles")