4856: Ensured that role names from OIDC is kept

cableman · cableman · commit 7824cde5dd58 · 2025-10-08T20:03:50.000+02:00
diff --git a/backend/open_webui/utils/auth.py b/backend/open_webui/utils/auth.py
@@ -350,7 +350,7 @@ def get_current_user_by_api_key(api_key: str):
 
 
 def get_verified_user(user=Depends(get_current_user)):
-    if user.role not in {"user", "admin"}:
+    if user.role not in {"user", "admin", "builder", "local-admin"}:
         raise HTTPException(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
@@ -877,8 +877,12 @@ def get_user_role(self, user, user_data):
                 for allowed_role in oauth_allowed_roles:
                     # If the user has any of the allowed roles, assign the role "user"
                     if allowed_role in oauth_roles:
-                        log.debug("Assigned user the user role")
-                        role = "user"
+                        log.debug(f"Using first role from OAuth: {oauth_roles[0]}")
+                        first_role = oauth_roles[0]
+                        if first_role == "end-user":
+                            role = "user"
+                        else:
+                            role = first_role
                         break
                 for admin_role in oauth_admin_roles:
                     # If the user has any of the admin roles, assign the role "admin"
diff --git a/src/lib/components/admin/Users/UserList/EditUserModal.svelte b/src/lib/components/admin/Users/UserList/EditUserModal.svelte
@@ -139,9 +139,11 @@
 												disabled={_user.id == sessionUser.id}
 												required
 											>
-												<option value="admin">{$i18n.t('Admin')}</option>
-												<option value="user">{$i18n.t('User')}</option>
-												<option value="pending">{$i18n.t('Pending')}</option>
+                                                <option value="admin">{$i18n.t('Admin')}</option>
+                                                <option value="user">{$i18n.t('User')}</option>
+                                                <option value="local-admin">{$i18n.t('Local admin')}</option>
+                                                <option value="builder">{$i18n.t('Builder')}</option>
+                                                <option value="pending">{$i18n.t('Pending')}</option>
 											</select>
 										</div>
 									</div>
diff --git a/src/routes/(app)/+layout.svelte b/src/routes/(app)/+layout.svelte
@@ -325,7 +325,7 @@
 		<div
 			class=" text-gray-700 dark:text-gray-100 bg-white dark:bg-gray-900 h-screen max-h-[100dvh] overflow-auto flex flex-row justify-end"
 		>
-			{#if !['user', 'admin'].includes($user?.role)}
+			{#if ['pending'].includes($user?.role)}
 				<AccountPending />
 			{:else}
 				{#if localDBChats.length > 0}

Original file line number	Diff line number	Diff line change
`@@ -325,7 +325,7 @@`
`325`	`325`	`<div`
`326`	`326`	`class=" text-gray-700 dark:text-gray-100 bg-white dark:bg-gray-900 h-screen max-h-[100dvh] overflow-auto flex flex-row justify-end"`
`327`	`327`	`>`
`328`		`- {#if !['user', 'admin'].includes($user?.role)}`
	`328`	`+ {#if ['pending'].includes($user?.role)}`
`329`	`329`	`<AccountPending />`
`330`	`330`	`{:else}`
`331`	`331`	`{#if localDBChats.length > 0}`