Status: Merged
Size: M
Change Breakdown: Feature 60%, Bug Fix 30%, Refactor 10%
#28243 fix(ai-builder): Allow non-admin users to access Instance AI preferences (no-changelog)

Non-admin users can now configure AI preferences

Instance AI settings are no longer admin-only — users with messaging scope can now configure their own model, gateway, and preference settings without needing manage permissions.

Non-admin users previously couldn't access the Instance AI settings page at all — the page was gated behind admin-only permissions, even though most settings are personal preferences that don't require instance-wide control.

With this change, any user with instanceAi:message scope can now access the settings page and configure their own AI setup. Model selection, gateway preferences, and user-specific options are available to all users, while admin-only controls (the enable/disable toggle, sandbox settings, permissions matrix, memory config, search credentials, and advanced options) remain hidden for non-admins.

The settings store now skips admin-only API calls for regular users, preventing confusing 403 errors. The view was also refactored with extracted section components and a save/cancel footer for handling draft changes.

The change is in the frontend's AI settings area.

Original GitHub Description

Summary

The Instance AI settings page was entirely gated behind instanceAi:manage scope (admin-only), preventing non-admin users from configuring their own preferences. This PR lowers the access requirement so all users with instanceAi:message scope can reach the settings page, while admin-only sections remain hidden for non-admin users.

Settings visibility by role

Setting | Admin | All Users
Enable/Disable AI toggle
Model credential selection
Model name
Local gateway toggle
Sandbox (provider, image, timeout)
Memory (last messages, embedder, top-k)
Search credential
Advanced (sub-agent steps, browser MCP, MCP servers)
Permissions (18 HITL modes)

Changes

  • Route guard: lowered from instanceAi:manage to instanceAi:message so non-admin users can access the page
  • Sidebar item: visibility now checks instanceAi:message instead of instanceAi:manage
  • Settings view: conditionally renders admin-only sections (enable toggle, permissions, sandbox, memory, search, advanced) based on instanceAi:manage scope
  • Settings store: skips admin-only API calls (fetchSettings, fetchServiceCredentials) for non-admin users to avoid 403 errors
  • Section components: wires up existing but previously unused components (ModelSection, LocalGatewaySection, SandboxSection, MemorySection, SearchSection, AdvancedSection)
  • Save/Cancel footer: added for draft-based changes from section components
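
The gating described in the Changes list, modelled as an added TypeScript example (not the project's code). It shows that hiding sections and skipping calls in the client is a usability measure, while the backend scope check is what still answers 403 to a direct request. `EnableToggle`, `PermissionsSection`, `fetchPreferences` and `backendCall` are hypothetical names, and admins are assumed to hold both scopes.

```typescript
// Added example: the two scope strings, the *Section component names and the
// fetchSettings/fetchServiceCredentials calls come from the PR description;
// every other name is a hypothetical stand-in.
type Scope = 'instanceAi:message' | 'instanceAi:manage';
interface Section { name: string; requires: Scope }

// Section visibility as described under "Changes".
const SECTIONS: Section[] = [
  { name: 'ModelSection', requires: 'instanceAi:message' },
  { name: 'LocalGatewaySection', requires: 'instanceAi:message' },
  { name: 'EnableToggle', requires: 'instanceAi:manage' },
  { name: 'PermissionsSection', requires: 'instanceAi:manage' },
  { name: 'SandboxSection', requires: 'instanceAi:manage' },
  { name: 'MemorySection', requires: 'instanceAi:manage' },
  { name: 'SearchSection', requires: 'instanceAi:manage' },
  { name: 'AdvancedSection', requires: 'instanceAi:manage' },
];

function hasScope(scopes: Scope[], needed: Scope): boolean {
  return scopes.indexOf(needed) !== -1;
}

// Route guard and sidebar item after the change: message scope is enough.
function canOpenSettings(scopes: Scope[]): boolean {
  return hasScope(scopes, 'instanceAi:message');
}

// Settings view: render only the sections the caller's scopes allow.
function visibleSections(scopes: Scope[]): string[] {
  return SECTIONS.filter(s => hasScope(scopes, s.requires)).map(s => s.name);
}

// Constructed backend stand-in: admin endpoints keep enforcing manage scope,
// whatever the client chooses to render or skip.
function backendCall(endpoint: string, scopes: Scope[]): number {
  const adminOnly = ['fetchSettings', 'fetchServiceCredentials'];
  const needsManage = adminOnly.indexOf(endpoint) !== -1;
  return needsManage && !hasScope(scopes, 'instanceAi:manage') ? 403 : 200;
}

// Settings store: skip admin-only calls for non-admins so no 403 is surfaced.
function loadStore(scopes: Scope[]): { endpoint: string; status: number }[] {
  const calls = ['fetchPreferences']; // hypothetical user-level call
  if (hasScope(scopes, 'instanceAi:manage')) {
    calls.push('fetchSettings', 'fetchServiceCredentials');
  }
  return calls.map(e => ({ endpoint: e, status: backendCall(e, scopes) }));
}
```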