LibreChat/api/server/routes/admin/roles.js

const express = require('express');
const { createAdminRolesHandlers } = require('@librechat/api');
const { SystemCapabilities } = require('@librechat/data-schemas');
const { requireCapability } = require('~/server/middleware/roles/capabilities');
const { requireJwtAuth } = require('~/server/middleware');
const db = require('~/models');

const router = express.Router();

const requireAdminAccess = requireCapability(SystemCapabilities.ACCESS_ADMIN);
const requireReadRoles = requireCapability(SystemCapabilities.READ_ROLES);
const requireManageRoles = requireCapability(SystemCapabilities.MANAGE_ROLES);

const handlers = createAdminRolesHandlers({
  listRoles: db.listRoles,
  countRoles: db.countRoles,
  getRoleByName: db.getRoleByName,
  createRoleByName: db.createRoleByName,
  updateRoleByName: db.updateRoleByName,
  updateAccessPermissions: db.updateAccessPermissions,
  deleteRoleByName: db.deleteRoleByName,
  findUser: db.findUser,
  updateUser: db.updateUser,
  updateUsersByRole: db.updateUsersByRole,
  listUsersByRole: db.listUsersByRole,
  countUsersByRole: db.countUsersByRole,
});

router.use(requireJwtAuth, requireAdminAccess);

router.get('/', requireReadRoles, handlers.listRoles);
router.post('/', requireManageRoles, handlers.createRole);
router.get('/:name', requireReadRoles, handlers.getRole);
router.patch('/:name', requireManageRoles, handlers.updateRole);
router.delete('/:name', requireManageRoles, handlers.deleteRole);
router.patch('/:name/permissions', requireManageRoles, handlers.updateRolePermissions);
router.get('/:name/members', requireReadRoles, handlers.getRoleMembers);
router.post('/:name/members', requireManageRoles, handlers.addRoleMember);
router.delete('/:name/members/:userId', requireManageRoles, handlers.removeRoleMember);

module.exports = router;
feat: add admin roles handler factory and Express routes 2026-03-24 23:40:12 -07:00			`const express = require('express');`
			`const { createAdminRolesHandlers } = require('@librechat/api');`
			`const { SystemCapabilities } = require('@librechat/data-schemas');`
			`const { requireCapability } = require('~/server/middleware/roles/capabilities');`
			`const { requireJwtAuth } = require('~/server/middleware');`
			`const db = require('~/models');`

			`const router = express.Router();`

			`const requireAdminAccess = requireCapability(SystemCapabilities.ACCESS_ADMIN);`
			`const requireReadRoles = requireCapability(SystemCapabilities.READ_ROLES);`
			`const requireManageRoles = requireCapability(SystemCapabilities.MANAGE_ROLES);`

			`const handlers = createAdminRolesHandlers({`
			`listRoles: db.listRoles,`
fix: paginate listRoles, null-guard permissions handler, fix export ordering - Add limit/offset/total pagination to listRoles matching the groups pattern - Add countRoles data-layer method - Omit permissions from listRoles select (getRole returns full document) - Null-guard re-fetched role in updateRolePermissionsHandler - Move interleaved export below all imports in methods/index.ts 2026-03-26 17:24:01 -07:00			`countRoles: db.countRoles,`
feat: add admin roles handler factory and Express routes 2026-03-24 23:40:12 -07:00			`getRoleByName: db.getRoleByName,`
fix: rename createRole/deleteRole to avoid AccessRole name collision The existing accessRole.ts already exports createRole/deleteRole for the AccessRole model. In createMethods index.ts, these are spread after roleMethods, overwriting them. Renamed our Role methods to createRoleByName/deleteRoleByName to match the existing pattern (getRoleByName, updateRoleByName) and avoid the collision. 2026-03-25 08:56:38 -07:00			`createRoleByName: db.createRoleByName,`
feat: add admin roles handler factory and Express routes 2026-03-24 23:40:12 -07:00			`updateRoleByName: db.updateRoleByName,`
			`updateAccessPermissions: db.updateAccessPermissions,`
fix: rename createRole/deleteRole to avoid AccessRole name collision The existing accessRole.ts already exports createRole/deleteRole for the AccessRole model. In createMethods index.ts, these are spread after roleMethods, overwriting them. Renamed our Role methods to createRoleByName/deleteRoleByName to match the existing pattern (getRoleByName, updateRoleByName) and avoid the collision. 2026-03-25 08:56:38 -07:00			`deleteRoleByName: db.deleteRoleByName,`
feat: add admin roles handler factory and Express routes 2026-03-24 23:40:12 -07:00			`findUser: db.findUser,`
			`updateUser: db.updateUser,`
fix: address external review findings for admin roles - Block renaming system roles (ADMIN/USER) and add user migration on rename - Add input validation: name max-length, trim on update, duplicate name check - Replace fragile String.includes error matching with prefix-based classification - Catch MongoDB 11000 duplicate key in createRoleByName - Add pagination (limit/offset/total) to getRoleMembersHandler - Reverse delete order in deleteRoleByName — reassign users before deletion - Add role existence check in removeRoleMember; drop unused createdAt select - Add Array.isArray guard for permissions input; use consistent ?? coalescing - Fix import ordering per AGENTS.md conventions - Type-cast mongoose.models.User as Model<IUser> for proper TS inference - Add comprehensive tests: rename guards, pagination, validation, 500 paths 2026-03-26 15:30:33 -07:00			`updateUsersByRole: db.updateUsersByRole,`
fix: address convention violations in admin roles handlers 2026-03-24 23:54:32 -07:00			`listUsersByRole: db.listUsersByRole,`
fix: address external review findings for admin roles - Block renaming system roles (ADMIN/USER) and add user migration on rename - Add input validation: name max-length, trim on update, duplicate name check - Replace fragile String.includes error matching with prefix-based classification - Catch MongoDB 11000 duplicate key in createRoleByName - Add pagination (limit/offset/total) to getRoleMembersHandler - Reverse delete order in deleteRoleByName — reassign users before deletion - Add role existence check in removeRoleMember; drop unused createdAt select - Add Array.isArray guard for permissions input; use consistent ?? coalescing - Fix import ordering per AGENTS.md conventions - Type-cast mongoose.models.User as Model<IUser> for proper TS inference - Add comprehensive tests: rename guards, pagination, validation, 500 paths 2026-03-26 15:30:33 -07:00			`countUsersByRole: db.countUsersByRole,`
feat: add admin roles handler factory and Express routes 2026-03-24 23:40:12 -07:00			`});`

			`router.use(requireJwtAuth, requireAdminAccess);`

			`router.get('/', requireReadRoles, handlers.listRoles);`
			`router.post('/', requireManageRoles, handlers.createRole);`
			`router.get('/:name', requireReadRoles, handlers.getRole);`
			`router.patch('/:name', requireManageRoles, handlers.updateRole);`
			`router.delete('/:name', requireManageRoles, handlers.deleteRole);`
			`router.patch('/:name/permissions', requireManageRoles, handlers.updateRolePermissions);`
			`router.get('/:name/members', requireReadRoles, handlers.getRoleMembers);`
			`router.post('/:name/members', requireManageRoles, handlers.addRoleMember);`
			`router.delete('/:name/members/:userId', requireManageRoles, handlers.removeRoleMember);`

			`module.exports = router;`