LibreChat/api/server/middleware/accessResources/fileAccess.js

const { logger } = require('@librechat/data-schemas');
const { PermissionBits, hasPermissions, ResourceType } = require('librechat-data-provider');
const { getEffectivePermissions } = require('~/server/services/PermissionService');
const { getAgent } = require('~/models/Agent');
const { getFiles } = require('~/models/File');

/**
 * Checks if user has access to a file through agent permissions
 * Files inherit permissions from agents - if you can view the agent, you can access its files
 */
const checkAgentBasedFileAccess = async ({ userId, role, fileId }) => {
  try {
    // Find agents that have this file in their tool_resources
    const agentsWithFile = await getAgent({
      $or: [
        { 'tool_resources.file_search.file_ids': fileId },
        { 'tool_resources.execute_code.file_ids': fileId },
        { 'tool_resources.ocr.file_ids': fileId },
      ],
    });

    if (!agentsWithFile || agentsWithFile.length === 0) {
      return false;
    }

    // Check if user has access to any of these agents
    for (const agent of Array.isArray(agentsWithFile) ? agentsWithFile : [agentsWithFile]) {
      // Check if user is the agent author
      if (agent.author && agent.author.toString() === userId) {
        logger.debug(`[fileAccess] User is author of agent ${agent.id}`);
        return true;
      }

      // Check ACL permissions for VIEW access on the agent
      try {
        const permissions = await getEffectivePermissions({
          userId,
          role,
          resourceType: ResourceType.AGENT,
          resourceId: agent._id || agent.id,
        });

        if (hasPermissions(permissions, PermissionBits.VIEW)) {
          logger.debug(`[fileAccess] User ${userId} has VIEW permissions on agent ${agent.id}`);
          return true;
        }
      } catch (permissionError) {
        logger.warn(
          `[fileAccess] Permission check failed for agent ${agent.id}:`,
          permissionError.message,
        );
        // Continue checking other agents
      }
    }

    return false;
  } catch (error) {
    logger.error('[fileAccess] Error checking agent-based access:', error);
    return false;
  }
};

/**
 * Middleware to check if user can access a file
 * Checks: 1) File ownership, 2) Agent-based access (file inherits agent permissions)
 */
const fileAccess = async (req, res, next) => {
  try {
    const fileId = req.params.file_id;
    const userId = req.user?.id;
    const userRole = req.user?.role;
    if (!fileId) {
      return res.status(400).json({
        error: 'Bad Request',
        message: 'file_id is required',
      });
    }

    if (!userId) {
      return res.status(401).json({
        error: 'Unauthorized',
        message: 'Authentication required',
      });
    }

    // Get the file
    const [file] = await getFiles({ file_id: fileId });
    if (!file) {
      return res.status(404).json({
        error: 'Not Found',
        message: 'File not found',
      });
    }

    // Check if user owns the file
    if (file.user && file.user.toString() === userId) {
      req.fileAccess = { file };
      return next();
    }

    // Check agent-based access (file inherits agent permissions)
    const hasAgentAccess = await checkAgentBasedFileAccess({ userId, role: userRole, fileId });
    if (hasAgentAccess) {
      req.fileAccess = { file };
      return next();
    }

    // No access
    logger.warn(`[fileAccess] User ${userId} denied access to file ${fileId}`);
    return res.status(403).json({
      error: 'Forbidden',
      message: 'Insufficient permissions to access this file',
    });
  } catch (error) {
    logger.error('[fileAccess] Error checking file access:', error);
    return res.status(500).json({
      error: 'Internal Server Error',
      message: 'Failed to check file access permissions',
    });
  }
};

module.exports = {
  fileAccess,
};
🔒 feat: Implement Granular File Storage Strategies and Access Control Middleware 2025-07-25 16:50:18 +02:00			`const { logger } = require('@librechat/data-schemas');`
🔧 refactor: Organize Sharing/Agent Components and Improve Type Safety refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids, rename enums to PascalCase refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids chore: move sharing related components to dedicated "Sharing" directory chore: remove PublicSharingToggle component and update index exports chore: move non-sidepanel agent components to `~/components/Agents` chore: move AgentCategoryDisplay component with tests chore: remove commented out code refactor: change PERMISSION_BITS from const to enum for better type safety refactor: reorganize imports in GenericGrantAccessDialog and update index exports for hooks refactor: update type definitions to use ACCESS_ROLE_IDS for improved type safety refactor: remove unused canAccessPromptResource middleware and related code refactor: remove unused prompt access roles from createAccessRoleMethods refactor: update resourceType in AclEntry type definition to remove unused 'prompt' value refactor: introduce ResourceType enum and update resourceType usage across data provider files for improved type safety refactor: update resourceType usage to ResourceType enum across sharing and permissions components for improved type safety refactor: standardize resourceType usage to ResourceType enum across agent and prompt models, permissions controller, and middleware for enhanced type safety refactor: update resourceType references from PROMPT_GROUP to PROMPTGROUP for consistency across models, middleware, and components refactor: standardize access role IDs and resource type usage across agent, file, and prompt models for improved type safety and consistency chore: add typedefs for TUpdateResourcePermissionsRequest and TUpdateResourcePermissionsResponse to enhance type definitions chore: move SearchPicker to PeoplePicker dir refactor: implement debouncing for query changes in SearchPicker for improved performance chore: fix typing, import order for agent admin settings fix: agent admin settings, prevent agent form submission refactor: rename `ACCESS_ROLE_IDS` to `AccessRoleIds` refactor: replace PermissionBits with PERMISSION_BITS refactor: replace PERMISSION_BITS with PermissionBits 2025-07-28 17:52:36 -04:00			`const { PermissionBits, hasPermissions, ResourceType } = require('librechat-data-provider');`
🔒 feat: Implement Granular File Storage Strategies and Access Control Middleware 2025-07-25 16:50:18 +02:00			`const { getEffectivePermissions } = require('~/server/services/PermissionService');`
			`const { getAgent } = require('~/models/Agent');`
🔧 refactor: Organize Sharing/Agent Components and Improve Type Safety refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids, rename enums to PascalCase refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids chore: move sharing related components to dedicated "Sharing" directory chore: remove PublicSharingToggle component and update index exports chore: move non-sidepanel agent components to `~/components/Agents` chore: move AgentCategoryDisplay component with tests chore: remove commented out code refactor: change PERMISSION_BITS from const to enum for better type safety refactor: reorganize imports in GenericGrantAccessDialog and update index exports for hooks refactor: update type definitions to use ACCESS_ROLE_IDS for improved type safety refactor: remove unused canAccessPromptResource middleware and related code refactor: remove unused prompt access roles from createAccessRoleMethods refactor: update resourceType in AclEntry type definition to remove unused 'prompt' value refactor: introduce ResourceType enum and update resourceType usage across data provider files for improved type safety refactor: update resourceType usage to ResourceType enum across sharing and permissions components for improved type safety refactor: standardize resourceType usage to ResourceType enum across agent and prompt models, permissions controller, and middleware for enhanced type safety refactor: update resourceType references from PROMPT_GROUP to PROMPTGROUP for consistency across models, middleware, and components refactor: standardize access role IDs and resource type usage across agent, file, and prompt models for improved type safety and consistency chore: add typedefs for TUpdateResourcePermissionsRequest and TUpdateResourcePermissionsResponse to enhance type definitions chore: move SearchPicker to PeoplePicker dir refactor: implement debouncing for query changes in SearchPicker for improved performance chore: fix typing, import order for agent admin settings fix: agent admin settings, prevent agent form submission refactor: rename `ACCESS_ROLE_IDS` to `AccessRoleIds` refactor: replace PermissionBits with PERMISSION_BITS refactor: replace PERMISSION_BITS with PermissionBits 2025-07-28 17:52:36 -04:00			`const { getFiles } = require('~/models/File');`
🔒 feat: Implement Granular File Storage Strategies and Access Control Middleware 2025-07-25 16:50:18 +02:00
			`/**`
			`* Checks if user has access to a file through agent permissions`
			`* Files inherit permissions from agents - if you can view the agent, you can access its files`
			`*/`
🛂 feat: Role as Permission Principal Type WIP: Role as Permission Principal Type WIP: add user role check optimization to user principal check, update type comparisons WIP: cover edge cases for string vs ObjectId handling in permission granting and checking chore: Update people picker access middleware to use PrincipalType constants feat: Enhance people picker access control to include roles permissions chore: add missing default role schema values for people picker perms, cleanup typing feat: Enhance PeoplePicker component with role-specific UI and localization updates chore: Add missing `VIEW_ROLES` permission to role schema 2025-08-03 19:24:40 -04:00			`const checkAgentBasedFileAccess = async ({ userId, role, fileId }) => {`
🔒 feat: Implement Granular File Storage Strategies and Access Control Middleware 2025-07-25 16:50:18 +02:00			`try {`
			`// Find agents that have this file in their tool_resources`
			`const agentsWithFile = await getAgent({`
			`$or: [`
			`{ 'tool_resources.file_search.file_ids': fileId },`
			`{ 'tool_resources.execute_code.file_ids': fileId },`
			`{ 'tool_resources.ocr.file_ids': fileId },`
			`],`
			`});`

			`if (!agentsWithFile \|\| agentsWithFile.length === 0) {`
			`return false;`
			`}`

			`// Check if user has access to any of these agents`
			`for (const agent of Array.isArray(agentsWithFile) ? agentsWithFile : [agentsWithFile]) {`
			`// Check if user is the agent author`
			`if (agent.author && agent.author.toString() === userId) {`
			logger.debug(`[fileAccess] User is author of agent ${agent.id}`);
			`return true;`
			`}`

			`// Check ACL permissions for VIEW access on the agent`
			`try {`
			`const permissions = await getEffectivePermissions({`
			`userId,`
🛂 feat: Role as Permission Principal Type WIP: Role as Permission Principal Type WIP: add user role check optimization to user principal check, update type comparisons WIP: cover edge cases for string vs ObjectId handling in permission granting and checking chore: Update people picker access middleware to use PrincipalType constants feat: Enhance people picker access control to include roles permissions chore: add missing default role schema values for people picker perms, cleanup typing feat: Enhance PeoplePicker component with role-specific UI and localization updates chore: Add missing `VIEW_ROLES` permission to role schema 2025-08-03 19:24:40 -04:00			`role,`
🔧 refactor: Organize Sharing/Agent Components and Improve Type Safety refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids, rename enums to PascalCase refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids chore: move sharing related components to dedicated "Sharing" directory chore: remove PublicSharingToggle component and update index exports chore: move non-sidepanel agent components to `~/components/Agents` chore: move AgentCategoryDisplay component with tests chore: remove commented out code refactor: change PERMISSION_BITS from const to enum for better type safety refactor: reorganize imports in GenericGrantAccessDialog and update index exports for hooks refactor: update type definitions to use ACCESS_ROLE_IDS for improved type safety refactor: remove unused canAccessPromptResource middleware and related code refactor: remove unused prompt access roles from createAccessRoleMethods refactor: update resourceType in AclEntry type definition to remove unused 'prompt' value refactor: introduce ResourceType enum and update resourceType usage across data provider files for improved type safety refactor: update resourceType usage to ResourceType enum across sharing and permissions components for improved type safety refactor: standardize resourceType usage to ResourceType enum across agent and prompt models, permissions controller, and middleware for enhanced type safety refactor: update resourceType references from PROMPT_GROUP to PROMPTGROUP for consistency across models, middleware, and components refactor: standardize access role IDs and resource type usage across agent, file, and prompt models for improved type safety and consistency chore: add typedefs for TUpdateResourcePermissionsRequest and TUpdateResourcePermissionsResponse to enhance type definitions chore: move SearchPicker to PeoplePicker dir refactor: implement debouncing for query changes in SearchPicker for improved performance chore: fix typing, import order for agent admin settings fix: agent admin settings, prevent agent form submission refactor: rename `ACCESS_ROLE_IDS` to `AccessRoleIds` refactor: replace PermissionBits with PERMISSION_BITS refactor: replace PERMISSION_BITS with PermissionBits 2025-07-28 17:52:36 -04:00			`resourceType: ResourceType.AGENT,`
🔒 feat: Implement Granular File Storage Strategies and Access Control Middleware 2025-07-25 16:50:18 +02:00			`resourceId: agent._id \|\| agent.id,`
			`});`

🔧 refactor: Organize Sharing/Agent Components and Improve Type Safety refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids, rename enums to PascalCase refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids chore: move sharing related components to dedicated "Sharing" directory chore: remove PublicSharingToggle component and update index exports chore: move non-sidepanel agent components to `~/components/Agents` chore: move AgentCategoryDisplay component with tests chore: remove commented out code refactor: change PERMISSION_BITS from const to enum for better type safety refactor: reorganize imports in GenericGrantAccessDialog and update index exports for hooks refactor: update type definitions to use ACCESS_ROLE_IDS for improved type safety refactor: remove unused canAccessPromptResource middleware and related code refactor: remove unused prompt access roles from createAccessRoleMethods refactor: update resourceType in AclEntry type definition to remove unused 'prompt' value refactor: introduce ResourceType enum and update resourceType usage across data provider files for improved type safety refactor: update resourceType usage to ResourceType enum across sharing and permissions components for improved type safety refactor: standardize resourceType usage to ResourceType enum across agent and prompt models, permissions controller, and middleware for enhanced type safety refactor: update resourceType references from PROMPT_GROUP to PROMPTGROUP for consistency across models, middleware, and components refactor: standardize access role IDs and resource type usage across agent, file, and prompt models for improved type safety and consistency chore: add typedefs for TUpdateResourcePermissionsRequest and TUpdateResourcePermissionsResponse to enhance type definitions chore: move SearchPicker to PeoplePicker dir refactor: implement debouncing for query changes in SearchPicker for improved performance chore: fix typing, import order for agent admin settings fix: agent admin settings, prevent agent form submission refactor: rename `ACCESS_ROLE_IDS` to `AccessRoleIds` refactor: replace PermissionBits with PERMISSION_BITS refactor: replace PERMISSION_BITS with PermissionBits 2025-07-28 17:52:36 -04:00			`if (hasPermissions(permissions, PermissionBits.VIEW)) {`
🔒 feat: Implement Granular File Storage Strategies and Access Control Middleware 2025-07-25 16:50:18 +02:00			logger.debug(`[fileAccess] User ${userId} has VIEW permissions on agent ${agent.id}`);
			`return true;`
			`}`
			`} catch (permissionError) {`
			`logger.warn(`
			`[fileAccess] Permission check failed for agent ${agent.id}:`,
			`permissionError.message,`
			`);`
			`// Continue checking other agents`
			`}`
			`}`

			`return false;`
			`} catch (error) {`
			`logger.error('[fileAccess] Error checking agent-based access:', error);`
			`return false;`
			`}`
			`};`

			`/**`
			`* Middleware to check if user can access a file`
			`* Checks: 1) File ownership, 2) Agent-based access (file inherits agent permissions)`
			`*/`
			`const fileAccess = async (req, res, next) => {`
			`try {`
			`const fileId = req.params.file_id;`
			`const userId = req.user?.id;`
🛂 feat: Role as Permission Principal Type WIP: Role as Permission Principal Type WIP: add user role check optimization to user principal check, update type comparisons WIP: cover edge cases for string vs ObjectId handling in permission granting and checking chore: Update people picker access middleware to use PrincipalType constants feat: Enhance people picker access control to include roles permissions chore: add missing default role schema values for people picker perms, cleanup typing feat: Enhance PeoplePicker component with role-specific UI and localization updates chore: Add missing `VIEW_ROLES` permission to role schema 2025-08-03 19:24:40 -04:00			`const userRole = req.user?.role;`
🔒 feat: Implement Granular File Storage Strategies and Access Control Middleware 2025-07-25 16:50:18 +02:00			`if (!fileId) {`
			`return res.status(400).json({`
			`error: 'Bad Request',`
			`message: 'file_id is required',`
			`});`
			`}`

			`if (!userId) {`
			`return res.status(401).json({`
			`error: 'Unauthorized',`
			`message: 'Authentication required',`
			`});`
			`}`

			`// Get the file`
			`const [file] = await getFiles({ file_id: fileId });`
			`if (!file) {`
			`return res.status(404).json({`
			`error: 'Not Found',`
			`message: 'File not found',`
			`});`
			`}`

			`// Check if user owns the file`
			`if (file.user && file.user.toString() === userId) {`
			`req.fileAccess = { file };`
			`return next();`
			`}`

			`// Check agent-based access (file inherits agent permissions)`
🛂 feat: Role as Permission Principal Type WIP: Role as Permission Principal Type WIP: add user role check optimization to user principal check, update type comparisons WIP: cover edge cases for string vs ObjectId handling in permission granting and checking chore: Update people picker access middleware to use PrincipalType constants feat: Enhance people picker access control to include roles permissions chore: add missing default role schema values for people picker perms, cleanup typing feat: Enhance PeoplePicker component with role-specific UI and localization updates chore: Add missing `VIEW_ROLES` permission to role schema 2025-08-03 19:24:40 -04:00			`const hasAgentAccess = await checkAgentBasedFileAccess({ userId, role: userRole, fileId });`
🔒 feat: Implement Granular File Storage Strategies and Access Control Middleware 2025-07-25 16:50:18 +02:00			`if (hasAgentAccess) {`
			`req.fileAccess = { file };`
			`return next();`
			`}`

			`// No access`
			logger.warn(`[fileAccess] User ${userId} denied access to file ${fileId}`);
			`return res.status(403).json({`
			`error: 'Forbidden',`
			`message: 'Insufficient permissions to access this file',`
			`});`
			`} catch (error) {`
			`logger.error('[fileAccess] Error checking file access:', error);`
			`return res.status(500).json({`
			`error: 'Internal Server Error',`
			`message: 'Failed to check file access permissions',`
			`});`
			`}`
			`};`

			`module.exports = {`
			`fileAccess,`
			`};`