5511: Change API-KEY permission to allow admin users only

cableman · cableman · commit 2428b0d13e1a · 2025-09-22T11:26:37.000+02:00
diff --git a/backend/open_webui/routers/auths.py b/backend/open_webui/routers/auths.py
@@ -1035,13 +1035,7 @@ async def update_ldap_config(
 
 # create api key
 @router.post("/api_key", response_model=ApiKey)
-async def generate_api_key(request: Request, user=Depends(get_current_user)):
-    if not request.app.state.config.ENABLE_API_KEY:
-        raise HTTPException(
-            status.HTTP_403_FORBIDDEN,
-            detail=ERROR_MESSAGES.API_KEY_CREATION_NOT_ALLOWED,
-        )
-
+async def generate_api_key(request: Request, user=Depends(get_admin_user)):
     api_key = create_api_key()
     success = Users.update_user_api_key_by_id(user.id, api_key)
 
@@ -1055,14 +1049,14 @@ async def generate_api_key(request: Request, user=Depends(get_current_user)):
 
 # delete api key
 @router.delete("/api_key", response_model=bool)
-async def delete_api_key(user=Depends(get_current_user)):
+async def delete_api_key(user=Depends(get_admin_user)):
     success = Users.update_user_api_key_by_id(user.id, None)
     return success
 
 
 # get api key
 @router.get("/api_key", response_model=ApiKey)
-async def get_api_key(user=Depends(get_current_user)):
+async def get_api_key(user=Depends(get_admin_user)):
     api_key = Users.get_user_api_key_by_id(user.id)
     if api_key:
         return {
diff --git a/backend/open_webui/utils/auth.py b/backend/open_webui/utils/auth.py
@@ -225,7 +225,10 @@ def get_current_user(
 
     # auth by api key
     if token.startswith("sk-"):
-        if not request.state.enable_api_key:
+        # Load user to check for the admin role below
+        user = get_current_user_by_api_key(token)
+
+        if user.role != "admin" and not request.state.enable_api_key:
             raise HTTPException(
                 status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
             )
@@ -248,8 +251,6 @@ def get_current_user(
                     status.HTTP_403_FORBIDDEN, detail=ERROR_MESSAGES.API_KEY_NOT_ALLOWED
                 )
 
-        user = get_current_user_by_api_key(token)
-
         # Add user info to current span
         current_span = trace.get_current_span()
         if current_span:
