2025-07-25 16:50:18 +02:00
|
|
|
const { logger } = require('@librechat/data-schemas');
|
🔧 refactor: Organize Sharing/Agent Components and Improve Type Safety
refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids, rename enums to PascalCase
refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids
chore: move sharing related components to dedicated "Sharing" directory
chore: remove PublicSharingToggle component and update index exports
chore: move non-sidepanel agent components to `~/components/Agents`
chore: move AgentCategoryDisplay component with tests
chore: remove commented out code
refactor: change PERMISSION_BITS from const to enum for better type safety
refactor: reorganize imports in GenericGrantAccessDialog and update index exports for hooks
refactor: update type definitions to use ACCESS_ROLE_IDS for improved type safety
refactor: remove unused canAccessPromptResource middleware and related code
refactor: remove unused prompt access roles from createAccessRoleMethods
refactor: update resourceType in AclEntry type definition to remove unused 'prompt' value
refactor: introduce ResourceType enum and update resourceType usage across data provider files for improved type safety
refactor: update resourceType usage to ResourceType enum across sharing and permissions components for improved type safety
refactor: standardize resourceType usage to ResourceType enum across agent and prompt models, permissions controller, and middleware for enhanced type safety
refactor: update resourceType references from PROMPT_GROUP to PROMPTGROUP for consistency across models, middleware, and components
refactor: standardize access role IDs and resource type usage across agent, file, and prompt models for improved type safety and consistency
chore: add typedefs for TUpdateResourcePermissionsRequest and TUpdateResourcePermissionsResponse to enhance type definitions
chore: move SearchPicker to PeoplePicker dir
refactor: implement debouncing for query changes in SearchPicker for improved performance
chore: fix typing, import order for agent admin settings
fix: agent admin settings, prevent agent form submission
refactor: rename `ACCESS_ROLE_IDS` to `AccessRoleIds`
refactor: replace PermissionBits with PERMISSION_BITS
refactor: replace PERMISSION_BITS with PermissionBits
2025-07-28 17:52:36 -04:00
|
|
|
const { PermissionBits, hasPermissions, ResourceType } = require('librechat-data-provider');
|
2025-07-25 16:50:18 +02:00
|
|
|
const { getEffectivePermissions } = require('~/server/services/PermissionService');
|
📦 refactor: Consolidate DB models, encapsulating Mongoose usage in `data-schemas` (#11830)
* chore: move database model methods to /packages/data-schemas
* chore: add TypeScript ESLint rule to warn on unused variables
* refactor: model imports to streamline access
- Consolidated model imports across various files to improve code organization and reduce redundancy.
- Updated imports for models such as Assistant, Message, Conversation, and others to a unified import path.
- Adjusted middleware and service files to reflect the new import structure, ensuring functionality remains intact.
- Enhanced test files to align with the new import paths, maintaining test coverage and integrity.
* chore: migrate database models to packages/data-schemas and refactor all direct Mongoose Model usage outside of data-schemas
* test: update agent model mocks in unit tests
- Added `getAgent` mock to `client.test.js` to enhance test coverage for agent-related functionality.
- Removed redundant `getAgent` and `getAgents` mocks from `openai.spec.js` and `responses.unit.spec.js` to streamline test setup and reduce duplication.
- Ensured consistency in agent mock implementations across test files.
* fix: update types in data-schemas
* refactor: enhance type definitions in transaction and spending methods
- Updated type definitions in `checkBalance.ts` to use specific request and response types.
- Refined `spendTokens.ts` to utilize a new `SpendTxData` interface for better clarity and type safety.
- Improved transaction handling in `transaction.ts` by introducing `TransactionResult` and `TxData` interfaces, ensuring consistent data structures across methods.
- Adjusted unit tests in `transaction.spec.ts` to accommodate new type definitions and enhance robustness.
* refactor: streamline model imports and enhance code organization
- Consolidated model imports across various controllers and services to a unified import path, improving code clarity and reducing redundancy.
- Updated multiple files to reflect the new import structure, ensuring all functionalities remain intact.
- Enhanced overall code organization by removing duplicate import statements and optimizing the usage of model methods.
* feat: implement loadAddedAgent and refactor agent loading logic
- Introduced `loadAddedAgent` function to handle loading agents from added conversations, supporting multi-convo parallel execution.
- Created a new `load.ts` file to encapsulate agent loading functionalities, including `loadEphemeralAgent` and `loadAgent`.
- Updated the `index.ts` file to export the new `load` module instead of the deprecated `loadAgent`.
- Enhanced type definitions and improved error handling in the agent loading process.
- Adjusted unit tests to reflect changes in the agent loading structure and ensure comprehensive coverage.
* refactor: enhance balance handling with new update interface
- Introduced `IBalanceUpdate` interface to streamline balance update operations across the codebase.
- Updated `upsertBalanceFields` method signatures in `balance.ts`, `transaction.ts`, and related tests to utilize the new interface for improved type safety.
- Adjusted type imports in `balance.spec.ts` to include `IBalanceUpdate`, ensuring consistency in balance management functionalities.
- Enhanced overall code clarity and maintainability by refining type definitions related to balance operations.
* feat: add unit tests for loadAgent functionality and enhance agent loading logic
- Introduced comprehensive unit tests for the `loadAgent` function, covering various scenarios including null and empty agent IDs, loading of ephemeral agents, and permission checks.
- Enhanced the `initializeClient` function by moving `getConvoFiles` to the correct position in the database method exports, ensuring proper functionality.
- Improved test coverage for agent loading, including handling of non-existent agents and user permissions.
* chore: reorder memory method exports for consistency
- Moved `deleteAllUserMemories` to the correct position in the exported memory methods, ensuring a consistent and logical order of method exports in `memory.ts`.
2026-02-17 18:23:44 -05:00
|
|
|
const { getAgents, getFiles } = require('~/models');
|
2025-07-25 16:50:18 +02:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Checks if user has access to a file through agent permissions
|
|
|
|
|
* Files inherit permissions from agents - if you can view the agent, you can access its files
|
|
|
|
|
*/
|
2025-08-03 19:24:40 -04:00
|
|
|
const checkAgentBasedFileAccess = async ({ userId, role, fileId }) => {
|
2025-07-25 16:50:18 +02:00
|
|
|
try {
|
2025-09-18 20:06:59 -04:00
|
|
|
/** Agents that have this file in their tool_resources */
|
2025-09-18 15:42:05 -04:00
|
|
|
const agentsWithFile = await getAgents({
|
2025-07-25 16:50:18 +02:00
|
|
|
$or: [
|
|
|
|
|
{ 'tool_resources.execute_code.file_ids': fileId },
|
2025-09-18 20:06:59 -04:00
|
|
|
{ 'tool_resources.file_search.file_ids': fileId },
|
|
|
|
|
{ 'tool_resources.context.file_ids': fileId },
|
2025-07-25 16:50:18 +02:00
|
|
|
{ 'tool_resources.ocr.file_ids': fileId },
|
|
|
|
|
],
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (!agentsWithFile || agentsWithFile.length === 0) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check if user has access to any of these agents
|
2025-09-18 15:42:05 -04:00
|
|
|
for (const agent of agentsWithFile) {
|
2025-07-25 16:50:18 +02:00
|
|
|
// Check if user is the agent author
|
|
|
|
|
if (agent.author && agent.author.toString() === userId) {
|
|
|
|
|
logger.debug(`[fileAccess] User is author of agent ${agent.id}`);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Check ACL permissions for VIEW access on the agent
|
|
|
|
|
try {
|
|
|
|
|
const permissions = await getEffectivePermissions({
|
|
|
|
|
userId,
|
2025-08-03 19:24:40 -04:00
|
|
|
role,
|
🔧 refactor: Organize Sharing/Agent Components and Improve Type Safety
refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids, rename enums to PascalCase
refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids
chore: move sharing related components to dedicated "Sharing" directory
chore: remove PublicSharingToggle component and update index exports
chore: move non-sidepanel agent components to `~/components/Agents`
chore: move AgentCategoryDisplay component with tests
chore: remove commented out code
refactor: change PERMISSION_BITS from const to enum for better type safety
refactor: reorganize imports in GenericGrantAccessDialog and update index exports for hooks
refactor: update type definitions to use ACCESS_ROLE_IDS for improved type safety
refactor: remove unused canAccessPromptResource middleware and related code
refactor: remove unused prompt access roles from createAccessRoleMethods
refactor: update resourceType in AclEntry type definition to remove unused 'prompt' value
refactor: introduce ResourceType enum and update resourceType usage across data provider files for improved type safety
refactor: update resourceType usage to ResourceType enum across sharing and permissions components for improved type safety
refactor: standardize resourceType usage to ResourceType enum across agent and prompt models, permissions controller, and middleware for enhanced type safety
refactor: update resourceType references from PROMPT_GROUP to PROMPTGROUP for consistency across models, middleware, and components
refactor: standardize access role IDs and resource type usage across agent, file, and prompt models for improved type safety and consistency
chore: add typedefs for TUpdateResourcePermissionsRequest and TUpdateResourcePermissionsResponse to enhance type definitions
chore: move SearchPicker to PeoplePicker dir
refactor: implement debouncing for query changes in SearchPicker for improved performance
chore: fix typing, import order for agent admin settings
fix: agent admin settings, prevent agent form submission
refactor: rename `ACCESS_ROLE_IDS` to `AccessRoleIds`
refactor: replace PermissionBits with PERMISSION_BITS
refactor: replace PERMISSION_BITS with PermissionBits
2025-07-28 17:52:36 -04:00
|
|
|
resourceType: ResourceType.AGENT,
|
2025-07-25 16:50:18 +02:00
|
|
|
resourceId: agent._id || agent.id,
|
|
|
|
|
});
|
|
|
|
|
|
🔧 refactor: Organize Sharing/Agent Components and Improve Type Safety
refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids, rename enums to PascalCase
refactor: organize Sharing/Agent components, improve type safety for resource types and access role ids
chore: move sharing related components to dedicated "Sharing" directory
chore: remove PublicSharingToggle component and update index exports
chore: move non-sidepanel agent components to `~/components/Agents`
chore: move AgentCategoryDisplay component with tests
chore: remove commented out code
refactor: change PERMISSION_BITS from const to enum for better type safety
refactor: reorganize imports in GenericGrantAccessDialog and update index exports for hooks
refactor: update type definitions to use ACCESS_ROLE_IDS for improved type safety
refactor: remove unused canAccessPromptResource middleware and related code
refactor: remove unused prompt access roles from createAccessRoleMethods
refactor: update resourceType in AclEntry type definition to remove unused 'prompt' value
refactor: introduce ResourceType enum and update resourceType usage across data provider files for improved type safety
refactor: update resourceType usage to ResourceType enum across sharing and permissions components for improved type safety
refactor: standardize resourceType usage to ResourceType enum across agent and prompt models, permissions controller, and middleware for enhanced type safety
refactor: update resourceType references from PROMPT_GROUP to PROMPTGROUP for consistency across models, middleware, and components
refactor: standardize access role IDs and resource type usage across agent, file, and prompt models for improved type safety and consistency
chore: add typedefs for TUpdateResourcePermissionsRequest and TUpdateResourcePermissionsResponse to enhance type definitions
chore: move SearchPicker to PeoplePicker dir
refactor: implement debouncing for query changes in SearchPicker for improved performance
chore: fix typing, import order for agent admin settings
fix: agent admin settings, prevent agent form submission
refactor: rename `ACCESS_ROLE_IDS` to `AccessRoleIds`
refactor: replace PermissionBits with PERMISSION_BITS
refactor: replace PERMISSION_BITS with PermissionBits
2025-07-28 17:52:36 -04:00
|
|
|
if (hasPermissions(permissions, PermissionBits.VIEW)) {
|
2025-07-25 16:50:18 +02:00
|
|
|
logger.debug(`[fileAccess] User ${userId} has VIEW permissions on agent ${agent.id}`);
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
} catch (permissionError) {
|
|
|
|
|
logger.warn(
|
|
|
|
|
`[fileAccess] Permission check failed for agent ${agent.id}:`,
|
|
|
|
|
permissionError.message,
|
|
|
|
|
);
|
|
|
|
|
// Continue checking other agents
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
} catch (error) {
|
|
|
|
|
logger.error('[fileAccess] Error checking agent-based access:', error);
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Middleware to check if user can access a file
|
|
|
|
|
* Checks: 1) File ownership, 2) Agent-based access (file inherits agent permissions)
|
|
|
|
|
*/
|
|
|
|
|
const fileAccess = async (req, res, next) => {
|
|
|
|
|
try {
|
|
|
|
|
const fileId = req.params.file_id;
|
|
|
|
|
const userId = req.user?.id;
|
2025-08-03 19:24:40 -04:00
|
|
|
const userRole = req.user?.role;
|
2025-07-25 16:50:18 +02:00
|
|
|
if (!fileId) {
|
|
|
|
|
return res.status(400).json({
|
|
|
|
|
error: 'Bad Request',
|
|
|
|
|
message: 'file_id is required',
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!userId) {
|
|
|
|
|
return res.status(401).json({
|
|
|
|
|
error: 'Unauthorized',
|
|
|
|
|
message: 'Authentication required',
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const [file] = await getFiles({ file_id: fileId });
|
|
|
|
|
if (!file) {
|
|
|
|
|
return res.status(404).json({
|
|
|
|
|
error: 'Not Found',
|
|
|
|
|
message: 'File not found',
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (file.user && file.user.toString() === userId) {
|
|
|
|
|
req.fileAccess = { file };
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
2025-09-18 20:06:59 -04:00
|
|
|
/** Agent-based access (file inherits agent permissions) */
|
2025-08-03 19:24:40 -04:00
|
|
|
const hasAgentAccess = await checkAgentBasedFileAccess({ userId, role: userRole, fileId });
|
2025-07-25 16:50:18 +02:00
|
|
|
if (hasAgentAccess) {
|
|
|
|
|
req.fileAccess = { file };
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
logger.warn(`[fileAccess] User ${userId} denied access to file ${fileId}`);
|
|
|
|
|
return res.status(403).json({
|
|
|
|
|
error: 'Forbidden',
|
|
|
|
|
message: 'Insufficient permissions to access this file',
|
|
|
|
|
});
|
|
|
|
|
} catch (error) {
|
|
|
|
|
logger.error('[fileAccess] Error checking file access:', error);
|
|
|
|
|
return res.status(500).json({
|
|
|
|
|
error: 'Internal Server Error',
|
|
|
|
|
message: 'Failed to check file access permissions',
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
module.exports = {
|
|
|
|
|
fileAccess,
|
|
|
|
|
};
|