From e6da38464b0f676c671af4887bca12b4c856ad9d Mon Sep 17 00:00:00 2001
From: Timothy Jaeryang Baek <tim@openwebui.com>
Date: Thu, 21 Aug 2025 13:08:22 +0400
Subject: [PATCH] refac: ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS renamed to
 BYPASS_ADMIN_ACCESS_CONTROL

---
 backend/open_webui/config.py            |  8 ++++++++
 backend/open_webui/main.py              | 10 +++++-----
 backend/open_webui/routers/knowledge.py |  6 +++---
 backend/open_webui/routers/models.py    |  6 +++---
 backend/open_webui/routers/prompts.py   |  6 +++---
 backend/open_webui/routers/tools.py     |  6 +++---
 6 files changed, 25 insertions(+), 17 deletions(-)

diff --git a/backend/open_webui/config.py b/backend/open_webui/config.py
index 3b564bf012..d3b7c9314c 100644
--- a/backend/open_webui/config.py
+++ b/backend/open_webui/config.py
@@ -1358,6 +1358,14 @@ ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS = (
     os.environ.get("ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS", "True").lower() == "true"
 )
 
+BYPASS_ADMIN_ACCESS_CONTROL = (
+    os.environ.get(
+        "BYPASS_ADMIN_ACCESS_CONTROL",
+        os.environ.get("ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS", "True"),
+    ).lower()
+    == "true"
+)
+
 ENABLE_ADMIN_CHAT_ACCESS = (
     os.environ.get("ENABLE_ADMIN_CHAT_ACCESS", "True").lower() == "true"
 )
diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py
index d5b89c8d50..5dc8d7f2a1 100644
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@@ -329,7 +329,7 @@ from open_webui.config import (
     ENABLE_MESSAGE_RATING,
     ENABLE_USER_WEBHOOKS,
     ENABLE_EVALUATION_ARENA_MODELS,
-    ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS,
+    BYPASS_ADMIN_ACCESS_CONTROL,
     USER_PERMISSIONS,
     DEFAULT_USER_ROLE,
     PENDING_USER_OVERLAY_CONTENT,
@@ -378,7 +378,7 @@ from open_webui.config import (
     RESPONSE_WATERMARK,
     # Admin
     ENABLE_ADMIN_CHAT_ACCESS,
-    ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS,
+    BYPASS_ADMIN_ACCESS_CONTROL,
     ENABLE_ADMIN_EXPORT,
     # Tasks
     TASK_MODEL,
@@ -1290,7 +1290,7 @@ async def get_models(
             model_info = Models.get_model_by_id(model["id"])
             if model_info:
                 if (
-                    (user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS)
+                    (user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL)
                     or user.id == model_info.user_id
                     or has_access(
                         user.id, type="read", access_control=model_info.access_control
@@ -1338,7 +1338,7 @@ async def get_models(
     # Filter out models that the user does not have access to
     if (
         user.role == "user"
-        or (user.role == "admin" and not ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS)
+        or (user.role == "admin" and not BYPASS_ADMIN_ACCESS_CONTROL)
     ) and not BYPASS_MODEL_ACCESS_CONTROL:
         models = get_filtered_models(models, user)
 
@@ -1411,7 +1411,7 @@ async def chat_completion(
 
             # Check if user has access to the model
             if not BYPASS_MODEL_ACCESS_CONTROL and (
-                user.role != "admin" or not ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS
+                user.role != "admin" or not BYPASS_ADMIN_ACCESS_CONTROL
             ):
                 try:
                     check_model_access(user, model)
diff --git a/backend/open_webui/routers/knowledge.py b/backend/open_webui/routers/knowledge.py
index 69198816b3..e9ba9c39ad 100644
--- a/backend/open_webui/routers/knowledge.py
+++ b/backend/open_webui/routers/knowledge.py
@@ -25,7 +25,7 @@ from open_webui.utils.access_control import has_access, has_permission
 
 
 from open_webui.env import SRC_LOG_LEVELS
-from open_webui.config import ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS
+from open_webui.config import BYPASS_ADMIN_ACCESS_CONTROL
 from open_webui.models.models import Models, ModelForm
 
 
@@ -43,7 +43,7 @@ router = APIRouter()
 async def get_knowledge(user=Depends(get_verified_user)):
     knowledge_bases = []
 
-    if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS:
+    if user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL:
         knowledge_bases = Knowledges.get_knowledge_bases()
     else:
         knowledge_bases = Knowledges.get_knowledge_bases_by_user_id(user.id, "read")
@@ -91,7 +91,7 @@ async def get_knowledge(user=Depends(get_verified_user)):
 async def get_knowledge_list(user=Depends(get_verified_user)):
     knowledge_bases = []
 
-    if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS:
+    if user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL:
         knowledge_bases = Knowledges.get_knowledge_bases()
     else:
         knowledge_bases = Knowledges.get_knowledge_bases_by_user_id(user.id, "write")
diff --git a/backend/open_webui/routers/models.py b/backend/open_webui/routers/models.py
index e1a5ec1937..a4d4e3668e 100644
--- a/backend/open_webui/routers/models.py
+++ b/backend/open_webui/routers/models.py
@@ -15,7 +15,7 @@ from fastapi import APIRouter, Depends, HTTPException, Request, status
 
 from open_webui.utils.auth import get_admin_user, get_verified_user
 from open_webui.utils.access_control import has_access, has_permission
-from open_webui.config import ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS
+from open_webui.config import BYPASS_ADMIN_ACCESS_CONTROL
 
 router = APIRouter()
 
@@ -27,7 +27,7 @@ router = APIRouter()
 
 @router.get("/", response_model=list[ModelUserResponse])
 async def get_models(id: Optional[str] = None, user=Depends(get_verified_user)):
-    if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS:
+    if user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL:
         return Models.get_models()
     else:
         return Models.get_models_by_user_id(user.id)
@@ -117,7 +117,7 @@ async def get_model_by_id(id: str, user=Depends(get_verified_user)):
     model = Models.get_model_by_id(id)
     if model:
         if (
-            (user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS)
+            (user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL)
             or model.user_id == user.id
             or has_access(user.id, "read", model.access_control)
         ):
diff --git a/backend/open_webui/routers/prompts.py b/backend/open_webui/routers/prompts.py
index afc00951fd..5981f99f69 100644
--- a/backend/open_webui/routers/prompts.py
+++ b/backend/open_webui/routers/prompts.py
@@ -10,7 +10,7 @@ from open_webui.models.prompts import (
 from open_webui.constants import ERROR_MESSAGES
 from open_webui.utils.auth import get_admin_user, get_verified_user
 from open_webui.utils.access_control import has_access, has_permission
-from open_webui.config import ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS
+from open_webui.config import BYPASS_ADMIN_ACCESS_CONTROL
 
 router = APIRouter()
 
@@ -21,7 +21,7 @@ router = APIRouter()
 
 @router.get("/", response_model=list[PromptModel])
 async def get_prompts(user=Depends(get_verified_user)):
-    if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS:
+    if user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL:
         prompts = Prompts.get_prompts()
     else:
         prompts = Prompts.get_prompts_by_user_id(user.id, "read")
@@ -31,7 +31,7 @@ async def get_prompts(user=Depends(get_verified_user)):
 
 @router.get("/list", response_model=list[PromptUserResponse])
 async def get_prompt_list(user=Depends(get_verified_user)):
-    if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS:
+    if user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL:
         prompts = Prompts.get_prompts()
     else:
         prompts = Prompts.get_prompts_by_user_id(user.id, "write")
diff --git a/backend/open_webui/routers/tools.py b/backend/open_webui/routers/tools.py
index 183bd28397..c017233765 100644
--- a/backend/open_webui/routers/tools.py
+++ b/backend/open_webui/routers/tools.py
@@ -22,7 +22,7 @@ from open_webui.utils.access_control import has_access, has_permission
 from open_webui.utils.tools import get_tool_servers
 
 from open_webui.env import SRC_LOG_LEVELS
-from open_webui.config import CACHE_DIR, ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS
+from open_webui.config import CACHE_DIR, BYPASS_ADMIN_ACCESS_CONTROL
 from open_webui.constants import ERROR_MESSAGES
 
 
@@ -67,7 +67,7 @@ async def get_tools(request: Request, user=Depends(get_verified_user)):
             )
         )
 
-    if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS:
+    if user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL:
         # Admin can see all tools
         return tools
     else:
@@ -87,7 +87,7 @@ async def get_tools(request: Request, user=Depends(get_verified_user)):
 
 @router.get("/list", response_model=list[ToolUserResponse])
 async def get_tool_list(user=Depends(get_verified_user)):
-    if user.role == "admin" and ENABLE_ADMIN_WORKSPACE_CONTENT_ACCESS:
+    if user.role == "admin" and BYPASS_ADMIN_ACCESS_CONTROL:
         tools = Tools.get_tools()
     else:
         tools = Tools.get_tools_by_user_id(user.id, "write")