fix(list_models): respect API key profile filtering in full model data mode #1480
Code Review
This pull request refactors the ListModels endpoint in openai.go to ensure that model visibility is correctly handled by fetching enabled models through the ModelService before querying the database for extended metadata. It also adds comprehensive tests to verify that the extended mode respects API key profiles and handles missing database entries gracefully. Feedback includes suggestions to optimize the logic with an early return for empty model lists and to use the lo library for more idiomatic collection transformations.
…ta query When include=full is enabled, the ListModels endpoint was querying all enabled models from the database without filtering by API key profile visibility. This caused models the caller shouldn't see to be returned. Fix by fetching visible models first (with profile filtering), then using modelIDIn to query DB only for those IDs, merging extended data where available and falling back to basic fields for profile-excluded models.
327ab4d to e2dd778
Refactor ListModels to add early return for empty models and simplify loops with lo.Map per code review feedback.
- Add early return when visibleModels is empty
- Replace manual for-append loops with lo.Map
- Minor alignment fix on ent.Query
confirmed working on my instance.
Purpose/Goal
Fix list models API key profile filtering when full model info setting is enabled.
Summary
When include=full or DefaultModelAPIIncludeAll=true, the list_models endpoint was querying all enabled models from the database without respecting API key profile restrictions. This change ensures that API key profile visibility filtering is applied consistently in both basic and extended (full data) modes.
What Changed
Why This Matters
API key profile restrictions were being bypassed when users requested full model metadata. This fix ensures authorization boundaries are maintained regardless of the include parameter or server-side default settings.
Spirit/Intent
Purpose/Goal: Maintain security invariants while providing rich model metadata. The fix preserves the existing authorization model (API key profiles) while enabling the extended model data feature. Users with restricted API keys should only see models they're authorized to access, whether in basic or extended mode.
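The filter-then-enrich ordering described in this PR, as an added example that is not the project's code: the "before" path returns every enabled database row, while the "after" path resolves profile-visible IDs first and only then looks up metadata for them. All type, function and model names and the sample data are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// Hypothetical type; Pricing stands in for the extended ("full") metadata.
type Model struct{ ID, Pricing string }

// Constructed sample data: three enabled models, two with metadata rows.
var enabledModels = []string{"gpt-a", "gpt-b", "internal-x"}
var metadataDB = map[string]string{"gpt-a": "$1/M", "internal-x": "$9/M"}

// visibleIDs applies the API key profile; a nil allow-list means unrestricted.
func visibleIDs(allowed map[string]bool) []string {
	var out []string
	for _, id := range enabledModels {
		if allowed == nil || allowed[id] {
			out = append(out, id)
		}
	}
	return out
}

// listFullBefore reproduces the bug: the profile is never consulted,
// so every enabled row in the metadata store is returned.
func listFullBefore(allowed map[string]bool) []Model {
	var out []Model
	for _, id := range enabledModels {
		if p, ok := metadataDB[id]; ok {
			out = append(out, Model{ID: id, Pricing: p})
		}
	}
	return out
}

// listFullAfter filters first, then looks up metadata only for visible IDs.
func listFullAfter(allowed map[string]bool) []Model {
	ids := visibleIDs(allowed)
	if len(ids) == 0 {
		return []Model{} // early return: nothing visible, no metadata lookup
	}
	out := make([]Model, 0, len(ids))
	for _, id := range ids {
		// Stands in for a query restricted to these IDs; a missing row
		// leaves Pricing empty, i.e. the model falls back to basic fields.
		out = append(out, Model{ID: id, Pricing: metadataDB[id]})
	}
	return out
}

func main() { fmt.Println(listFullAfter(map[string]bool{"gpt-a": true, "gpt-b": true})) }
```

A regression test for this class of bug should assert on the extended-mode response under a restricted key, since the basic mode was already filtered correctly.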