diff --git a/litellm/proxy/_types.py b/litellm/proxy/_types.py
index b174f1fc2..a8aa759fb 100644
--- a/litellm/proxy/_types.py
+++ b/litellm/proxy/_types.py
@@ -284,11 +284,6 @@ class LiteLLMRoutes(enum.Enum):
 master_key_only_routes = ["/global/spend/reset", "/key/list"]
 sso_only_routes = [
- "/key/generate",
- "/key/update",
- "/key/delete",
- "/global/spend/logs",
- "/global/predict/spend/logs",
 "/sso/get/ui_settings",
 ]
@@ -336,6 +331,7 @@ class LiteLLMRoutes(enum.Enum):
 "/global/spend/models",
 "/global/predict/spend/logs",
 "/global/spend/report",
+ "/global/spend/provider",
 ]
 public_routes = [
@@ -367,6 +363,10 @@ class LiteLLMRoutes(enum.Enum):
 + sso_only_routes
 )
+ internal_user_view_only_routes = (
+ spend_tracking_routes + global_spend_tracking_routes + sso_only_routes
+ )
+
 self_managed_routes = [
 "/team/member_add",
 "/team/member_delete",
diff --git a/litellm/proxy/auth/route_checks.py b/litellm/proxy/auth/route_checks.py
index 6c48a7f35..5a370d8c8 100644
--- a/litellm/proxy/auth/route_checks.py
+++ b/litellm/proxy/auth/route_checks.py
@@ -55,7 +55,7 @@ def non_admin_allowed_routes_check(
 verbose_proxy_logger.debug(
 f"user_id: {user_id} & valid_token.user_id: {valid_token.user_id}"
 )
- if user_id != valid_token.user_id:
+ if user_id and user_id != valid_token.user_id:
 raise HTTPException(
 status_code=status.HTTP_403_FORBIDDEN,
 detail="key not allowed to access this user's info. user_id={}, key's user_id={}".format(
@@ -106,6 +106,11 @@ def non_admin_allowed_routes_check(
 and route in LiteLLMRoutes.internal_user_routes.value
 ):
 pass
+ elif (
+ _user_role == LitellmUserRoles.INTERNAL_USER_VIEW_ONLY.value
+ and route in LiteLLMRoutes.internal_user_view_only_routes.value
+ ):
+ pass
 elif (
 route in LiteLLMRoutes.self_managed_routes.value
 ): # routes that manage their own allowed/disallowed logic
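Review bot: In `litellm/proxy/_types.py`, the new `internal_user_view_only_routes` concatenation (third hunk) carries no comment stating the invariant it depends on: every route in `spend_tracking_routes`, `global_spend_tracking_routes` and `sso_only_routes` has to be read-only. The first hunk of this commit takes `/key/generate`, `/key/update` and `/key/delete` out of `sso_only_routes`, which is what keeps them out of this list, so a later addition of a mutating route to any of the three lists would silently extend the view-only role. I would add above the assignment `# Read-only routes only: anything added to these three lists becomes reachable by INTERNAL_USER_VIEW_ONLY.` It is also worth confirming that a view-only user is meant to reach the `/global/spend/*` routes, which by their names appear to report spend beyond the caller's own keys.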
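Review bot: In `litellm/proxy/auth/route_checks.py` (first hunk), the relaxed guard `if user_id and user_id != valid_token.user_id:` skips the ownership check for every falsy `user_id`, which includes an empty string as well as a missing value. Where `user_id` is read lies outside the hunk, so I am assuming it comes from the request; if so, `if user_id is not None and user_id != valid_token.user_id:` keeps the 403 for an empty parameter while still allowing the omitted case. The handler behind this route should then be confirmed, with a test, to scope its result to `valid_token.user_id` when no `user_id` is supplied, because this check no longer enforces that. The body of `non_admin_allowed_routes_check` starts and ends outside the hunk.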
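Review bot: In `litellm/proxy/auth/route_checks.py` (second hunk), the new `INTERNAL_USER_VIEW_ONLY` branch only adds an allow path; when a view-only user requests a route that is not in `internal_user_view_only_routes`, evaluation continues to the next `elif`, `route in LiteLLMRoutes.self_managed_routes.value`, and per `_types.py` that list includes `/team/member_add` and `/team/member_delete`. The body of that branch is outside the hunk, but its comment says these routes manage their own allow logic, so the view-only restriction for them presumably rests on each handler. I would record that next to the new branch with `# view-only users that miss this branch still reach the self_managed_routes check below; those handlers must reject INTERNAL_USER_VIEW_ONLY themselves`, and add a test that a view-only key is rejected on `/team/member_add`.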