From 1d7ff1a192c1346d95352bcba4716d91ed8cf914 Mon Sep 17 00:00:00 2001
From: Jesper Kristensen
Date: Mon, 30 Jun 2025 14:11:02 +0200
Subject: [PATCH 1/3] 4856: Ensured that role names from OIDC is kept
---
backend/open_webui/utils/auth.py | 2 +-
backend/open_webui/utils/oauth.py | 8 ++++++--
.../components/admin/Users/UserList/EditUserModal.svelte | 8 +++++---
src/routes/(app)/+layout.svelte | 2 +-
4 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/backend/open_webui/utils/auth.py b/backend/open_webui/utils/auth.py
index e34803ade1b..aa2d867078d 100644
--- a/backend/open_webui/utils/auth.py
+++ b/backend/open_webui/utils/auth.py
@@ -350,7 +350,7 @@ def get_current_user_by_api_key(api_key: str):
def get_verified_user(user=Depends(get_current_user)):
- if user.role not in {"user", "admin"}:
+ if user.role not in {"user", "admin", "builder", "local-admin"}:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=ERROR_MESSAGES.ACCESS_PROHIBITED,
diff --git a/backend/open_webui/utils/oauth.py b/backend/open_webui/utils/oauth.py
index 392f4cd4bfb..bca20257ebe 100644
--- a/backend/open_webui/utils/oauth.py
+++ b/backend/open_webui/utils/oauth.py
@@ -996,8 +996,12 @@ def get_user_role(self, user, user_data):
for allowed_role in oauth_allowed_roles:
# If the user has any of the allowed roles, assign the role "user"
if allowed_role in oauth_roles:
- log.debug("Assigned user the user role")
- role = "user"
+ log.debug(f"Using first role from OAuth: {oauth_roles[0]}")
+ first_role = oauth_roles[0]
+ if first_role == "end-user":
+ role = "user"
+ else:
+ role = first_role
break
for admin_role in oauth_admin_roles:
# If the user has any of the admin roles, assign the role "admin"
diff --git a/src/lib/components/admin/Users/UserList/EditUserModal.svelte b/src/lib/components/admin/Users/UserList/EditUserModal.svelte
index 9adbac0e4f6..a4d2bb58efe 100644
--- a/src/lib/components/admin/Users/UserList/EditUserModal.svelte
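Review bot: The accepted-role set in `get_verified_user` (auth.py) is now a four-element literal that this series repeats as a list in `get_app_config` (main.py, patch 3/3), while both `+layout.svelte` hunks switch to a `['pending']` deny-list, so the three gates no longer share one definition of a verified role. A role value that is stored but missing from this literal would be treated as active by the layout and rejected here with 401. Define the set once, for example `VERIFIED_ROLES = frozenset({"user", "admin", "builder", "local-admin"})` next to `get_verified_user`, and test `user.role in VERIFIED_ROLES` in both backend checks. Whether admin-only dependencies elsewhere in auth.py need to recognise "local-admin" is not visible from this hunk and should be confirmed.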
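Review bot: In `get_user_role` (oauth.py) the value that gets stored is `oauth_roles[0]`, the first entry of the identity provider's roles claim, not the `allowed_role` that the `if allowed_role in oauth_roles` test just matched. The stored role is therefore never compared with `oauth_allowed_roles`, it depends on claim ordering, and it can be any string the token carries, including `admin` without a match in `oauth_admin_roles` or a value `get_verified_user` does not accept. Assign from the matched entry instead, `role = "user" if allowed_role == "end-user" else allowed_role`, and update the comment above the test, which still says the role "user" is assigned. The `oauth_admin_roles` loop after the `break` can still override the result; the function starts and ends outside the hunk.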
+++ b/src/lib/components/admin/Users/UserList/EditUserModal.svelte
@@ -143,9 +143,11 @@
disabled={_user.id == sessionUser.id}
required
>
-
-
-
+
+
+
+
+
diff --git a/src/routes/(app)/+layout.svelte b/src/routes/(app)/+layout.svelte
index 1ab228c656a..99c622ff189 100644
--- a/src/routes/(app)/+layout.svelte
+++ b/src/routes/(app)/+layout.svelte
@@ -322,7 +322,7 @@
- {#if !['user', 'admin'].includes($user?.role)}
+ {#if ['pending'].includes($user?.role)}
{:else}
{#if localDBChats.length > 0}
From 30114d603fd46e8a8d90c4a3f4d594d21cf31442 Mon Sep 17 00:00:00 2001
From: Jesper Kristensen
Date: Mon, 13 Oct 2025 11:13:59 +0200
Subject: [PATCH 2/3] 4856: Fixed role limitations in layout mount
---
src/routes/(app)/+layout.svelte | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/routes/(app)/+layout.svelte b/src/routes/(app)/+layout.svelte
index 99c622ff189..bf47bef190f 100644
--- a/src/routes/(app)/+layout.svelte
+++ b/src/routes/(app)/+layout.svelte
@@ -150,7 +150,7 @@
await goto('/auth');
return;
}
- if (!['user', 'admin'].includes($user?.role)) {
+ if (['pending'].includes($user?.role)) {
return;
}
From afff4e7a6629218eacf895558018ffd49d978c95 Mon Sep 17 00:00:00 2001
From: Jesper Kristensen
Date: Mon, 13 Oct 2025 13:47:58 +0200
Subject: [PATCH 3/3] 4856: Fixed roles names in config load
---
backend/open_webui/main.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/open_webui/main.py b/backend/open_webui/main.py
index f0aeeab02a5..07bc4780f9a 100644
--- a/backend/open_webui/main.py
+++ b/backend/open_webui/main.py
@@ -1869,7 +1869,7 @@ async def get_app_config(request: Request):
else {}
),
}
- if user is not None and (user.role in ["admin", "user"])
+ if user is not None and (user.role in ["admin", "user", "builder", "local-admin"])
else {
**(
{
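Review bot: The template gate `{#if ['pending'].includes($user?.role)}` in `+layout.svelte` (patch 1/3) now fails open: any role other than 'pending', including an unset role or a string the backend does not recognise, falls through to the `{:else}` branch. The previous allow-list sent those cases to the pending branch. The mount guard in patch 2/3 makes the same inversion (`if (['pending'].includes($user?.role)) { return; }`), so the rest of the mount logic would run for such roles as well. Keep an allow-list that matches the backend set, e.g. `{#if !['user', 'admin', 'builder', 'local-admin'].includes($user?.role)}`, and the equivalent condition in the mount guard. The surrounding markup and the rest of the mount function are outside these hunks.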