4856: Ensured that role names from OIDC is kept

cableman · cableman · commit e25963bc8454 · 2025-09-10T13:25:52.000+02:00
diff --git a/backend/open_webui/utils/auth.py b/backend/open_webui/utils/auth.py
@@ -347,7 +347,7 @@ def get_current_user_by_api_key(api_key: str):
 
 
 def get_verified_user(user=Depends(get_current_user)):
-    if user.role not in {"user", "admin"}:
+    if user.role not in {"user", "admin", "builder", "local-admin"}:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
@@ -364,8 +364,12 @@ def get_user_role(self, user, user_data):
                 for allowed_role in oauth_allowed_roles:
                     # If the user has any of the allowed roles, assign the role "user"
                     if allowed_role in oauth_roles:
-                        log.debug("Assigned user the user role")
-                        role = "user"
+                        log.debug(f"Using first role from OAuth: {oauth_roles[0]}")
+                        first_role = oauth_roles[0]
+                        if first_role == "end-user":
+                            role = "user"
+                        else:
+                            role = first_role
                         break
                 for admin_role in oauth_admin_roles:
                     # If the user has any of the admin roles, assign the role "admin"
diff --git a/src/lib/components/admin/Users/UserList/EditUserModal.svelte b/src/lib/components/admin/Users/UserList/EditUserModal.svelte
@@ -116,6 +116,8 @@
 									>
 										<option value="admin">{$i18n.t('Admin')}</option>
 										<option value="user">{$i18n.t('User')}</option>
+										<option value="local-admin">{$i18n.t('Local admin')}</option>
+										<option value="builder">{$i18n.t('Builder')}</option>
 										<option value="pending">{$i18n.t('Pending')}</option>
 									</select>
 								</div>
diff --git a/src/routes/(app)/+layout.svelte b/src/routes/(app)/+layout.svelte
@@ -291,7 +291,7 @@
 		<div
 			class=" text-gray-700 dark:text-gray-100 bg-white dark:bg-gray-900 h-screen max-h-[100dvh] overflow-auto flex flex-row justify-end"
 		>
-			{#if !['user', 'admin'].includes($user?.role)}
+			{#if ['pending'].includes($user?.role)}
 				<AccountPending />
 			{:else}
 				{#if localDBChats.length > 0}

Original file line number	Diff line number	Diff line change
`@@ -116,6 +116,8 @@`
`116`	`116`	`>`
`117`	`117`	`<option value="admin">{$i18n.t('Admin')}</option>`
`118`	`118`	`<option value="user">{$i18n.t('User')}</option>`
	`119`	`+ <option value="local-admin">{$i18n.t('Local admin')}</option>`
	`120`	`+ <option value="builder">{$i18n.t('Builder')}</option>`
`119`	`121`	`<option value="pending">{$i18n.t('Pending')}</option>`
`120`	`122`	`</select>`
`121`	`123`	`</div>`
Original file line number	Diff line number	Diff line change
`@@ -291,7 +291,7 @@`
`291`	`291`	`<div`
`292`	`292`	`class=" text-gray-700 dark:text-gray-100 bg-white dark:bg-gray-900 h-screen max-h-[100dvh] overflow-auto flex flex-row justify-end"`
`293`	`293`	`>`
`294`		`- {#if !['user', 'admin'].includes($user?.role)}`
	`294`	`+ {#if ['pending'].includes($user?.role)}`
`295`	`295`	`<AccountPending />`
`296`	`296`	`{:else}`
`297`	`297`	`{#if localDBChats.length > 0}`