LibreChat/api/server/middleware/accessResources/canAccessPromptResource.js

const { getPrompt } = require('~/models/Prompt');
const { canAccessResource } = require('./canAccessResource');

/**
 * Prompt ID resolver function
 * Resolves prompt ID to MongoDB ObjectId
 *
 * @param {string} promptId - Prompt ID from route parameter
 * @returns {Promise<Object|null>} Prompt document with _id field, or null if not found
 */
const resolvePromptId = async (promptId) => {
  return await getPrompt({ _id: promptId });
};

/**
 * Prompt-specific middleware factory that creates middleware to check prompt access permissions.
 * This middleware extends the generic canAccessResource to handle prompt ID resolution.
 *
 * @param {Object} options - Configuration options
 * @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
 * @param {string} [options.resourceIdParam='promptId'] - The name of the route parameter containing the prompt ID
 * @returns {Function} Express middleware function
 *
 * @example
 * // Basic usage for viewing prompts
 * router.get('/prompts/:promptId',
 *   canAccessPromptResource({ requiredPermission: 1 }),
 *   getPrompt
 * );
 *
 * @example
 * // Custom resource ID parameter and edit permission
 * router.patch('/prompts/:id',
 *   canAccessPromptResource({
 *     requiredPermission: 2,
 *     resourceIdParam: 'id'
 *   }),
 *   updatePrompt
 * );
 */
const canAccessPromptResource = (options) => {
  const { requiredPermission, resourceIdParam = 'promptId' } = options;

  if (!requiredPermission || typeof requiredPermission !== 'number') {
    throw new Error('canAccessPromptResource: requiredPermission is required and must be a number');
  }

  return canAccessResource({
    resourceType: 'prompt',
    requiredPermission,
    resourceIdParam,
    idResolver: resolvePromptId,
  });
};

module.exports = {
  canAccessPromptResource,
};
🗨️ feat: Granular Prompt Permissions via ACL and Permission Bits feat: Implement prompt permissions management and access control middleware fix: agent deletion process to remove associated permissions and ACL entries fix: Import Permissions for enhanced access control in GrantAccessDialog feat: use PromptGroup for access control - Added migration script for PromptGroup permissions, categorizing groups into global view access and private groups. - Created unit tests for the migration script to ensure correct categorization and permission granting. - Introduced middleware for checking access permissions on PromptGroups and prompts via their groups. - Updated routes to utilize new access control middleware for PromptGroups. - Enhanced access role definitions to include roles specific to PromptGroups. - Modified ACL entry schema and types to accommodate PromptGroup resource type. - Updated data provider to include new access role identifiers for PromptGroups. feat: add generic access management dialogs and hooks for resource permissions fix: remove duplicate imports in FileContext component fix: remove duplicate mongoose dependency in package.json feat: add access permissions handling for dynamic resource types and add promptGroup roles feat: implement centralized role localization and update access role types refactor: simplify author handling in prompt group routes and enhance ACL checks feat: implement addPromptToGroup functionality and update PromptForm to use it feat: enhance permission handling in ChatGroupItem, DashGroupItem, and PromptForm components chore: rename migration script for prompt group permissions and update package.json scripts chore: update prompt tests 2025-07-26 12:28:31 -04:00			`const { getPrompt } = require('~/models/Prompt');`
			`const { canAccessResource } = require('./canAccessResource');`

			`/**`
			`* Prompt ID resolver function`
			`* Resolves prompt ID to MongoDB ObjectId`
			`*`
			`* @param {string} promptId - Prompt ID from route parameter`
			`* @returns {Promise<Object\|null>} Prompt document with _id field, or null if not found`
			`*/`
			`const resolvePromptId = async (promptId) => {`
			`return await getPrompt({ _id: promptId });`
			`};`

			`/**`
			`* Prompt-specific middleware factory that creates middleware to check prompt access permissions.`
			`* This middleware extends the generic canAccessResource to handle prompt ID resolution.`
			`*`
			`* @param {Object} options - Configuration options`
			`* @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)`
			`* @param {string} [options.resourceIdParam='promptId'] - The name of the route parameter containing the prompt ID`
			`* @returns {Function} Express middleware function`
			`*`
			`* @example`
			`* // Basic usage for viewing prompts`
			`* router.get('/prompts/:promptId',`
			`* canAccessPromptResource({ requiredPermission: 1 }),`
			`* getPrompt`
			`* );`
			`*`
			`* @example`
			`* // Custom resource ID parameter and edit permission`
			`* router.patch('/prompts/:id',`
			`* canAccessPromptResource({`
			`* requiredPermission: 2,`
			`* resourceIdParam: 'id'`
			`* }),`
			`* updatePrompt`
			`* );`
			`*/`
			`const canAccessPromptResource = (options) => {`
			`const { requiredPermission, resourceIdParam = 'promptId' } = options;`

			`if (!requiredPermission \|\| typeof requiredPermission !== 'number') {`
			`throw new Error('canAccessPromptResource: requiredPermission is required and must be a number');`
			`}`

			`return canAccessResource({`
			`resourceType: 'prompt',`
			`requiredPermission,`
			`resourceIdParam,`
			`idResolver: resolvePromptId,`
			`});`
			`};`

			`module.exports = {`
			`canAccessPromptResource,`
			`};`