2025-06-26 18:50:15 -04:00
|
|
|
import { logger } from '@librechat/data-schemas';
|
|
|
|
|
import {
|
|
|
|
|
Permissions,
|
|
|
|
|
EndpointURLs,
|
|
|
|
|
EModelEndpoint,
|
|
|
|
|
PermissionTypes,
|
|
|
|
|
isAgentsEndpoint,
|
|
|
|
|
} from 'librechat-data-provider';
|
|
|
|
|
import type { NextFunction, Request as ServerRequest, Response as ServerResponse } from 'express';
|
|
|
|
|
import type { IRole, IUser } from '@librechat/data-schemas';
|
|
|
|
|
|
|
|
|
|
export function skipAgentCheck(req?: ServerRequest): boolean {
|
|
|
|
|
if (!req || !req?.body?.endpoint) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (req.method !== 'POST') {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!req.originalUrl?.includes(EndpointURLs[EModelEndpoint.agents])) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
return !isAgentsEndpoint(req.body.endpoint);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Core function to check if a user has one or more required permissions
|
|
|
|
|
* @param user - The user object
|
|
|
|
|
* @param permissionType - The type of permission to check
|
|
|
|
|
* @param permissions - The list of specific permissions to check
|
|
|
|
|
* @param bodyProps - An optional object where keys are permissions and values are arrays of properties to check
|
|
|
|
|
* @param checkObject - The object to check properties against
|
|
|
|
|
* @param skipCheck - An optional function that takes the checkObject and returns true to skip permission checking
|
|
|
|
|
* @returns Whether the user has the required permissions
|
|
|
|
|
*/
|
|
|
|
|
export const checkAccess = async ({
|
|
|
|
|
req,
|
|
|
|
|
user,
|
|
|
|
|
permissionType,
|
|
|
|
|
permissions,
|
|
|
|
|
getRoleByName,
|
|
|
|
|
bodyProps = {} as Record<Permissions, string[]>,
|
|
|
|
|
checkObject = {},
|
|
|
|
|
skipCheck,
|
|
|
|
|
}: {
|
|
|
|
|
user: IUser;
|
|
|
|
|
req?: ServerRequest;
|
|
|
|
|
permissionType: PermissionTypes;
|
|
|
|
|
permissions: Permissions[];
|
|
|
|
|
bodyProps?: Record<Permissions, string[]>;
|
|
|
|
|
checkObject?: object;
|
|
|
|
|
/** If skipCheck function is provided and returns true, skip permission checking */
|
|
|
|
|
skipCheck?: (req?: ServerRequest) => boolean;
|
|
|
|
|
getRoleByName: (roleName: string, fieldsToSelect?: string | string[]) => Promise<IRole | null>;
|
|
|
|
|
}): Promise<boolean> => {
|
|
|
|
|
if (skipCheck && skipCheck(req)) {
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!user || !user.role) {
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const role = await getRoleByName(user.role);
|
2025-08-03 17:11:14 -04:00
|
|
|
const permissionValue = role?.permissions?.[permissionType as keyof typeof role.permissions];
|
|
|
|
|
if (role && role.permissions && permissionValue) {
|
2025-07-05 15:53:08 -04:00
|
|
|
const hasAnyPermission = permissions.every((permission) => {
|
2025-08-03 17:11:14 -04:00
|
|
|
if (permissionValue[permission as keyof typeof permissionValue]) {
|
2025-06-26 18:50:15 -04:00
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (bodyProps[permission] && checkObject) {
|
2025-07-05 15:53:08 -04:00
|
|
|
return bodyProps[permission].every((prop) =>
|
2025-06-26 18:50:15 -04:00
|
|
|
Object.prototype.hasOwnProperty.call(checkObject, prop),
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
return hasAnyPermission;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return false;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Middleware to check if a user has one or more required permissions, optionally based on `req.body` properties.
|
|
|
|
|
* @param permissionType - The type of permission to check.
|
|
|
|
|
* @param permissions - The list of specific permissions to check.
|
|
|
|
|
* @param bodyProps - An optional object where keys are permissions and values are arrays of `req.body` properties to check.
|
|
|
|
|
* @param skipCheck - An optional function that takes req.body and returns true to skip permission checking.
|
|
|
|
|
* @param getRoleByName - A function to get the role by name.
|
|
|
|
|
* @returns Express middleware function.
|
|
|
|
|
*/
|
|
|
|
|
export const generateCheckAccess = ({
|
|
|
|
|
permissionType,
|
|
|
|
|
permissions,
|
|
|
|
|
bodyProps = {} as Record<Permissions, string[]>,
|
|
|
|
|
skipCheck,
|
|
|
|
|
getRoleByName,
|
|
|
|
|
}: {
|
|
|
|
|
permissionType: PermissionTypes;
|
|
|
|
|
permissions: Permissions[];
|
|
|
|
|
bodyProps?: Record<Permissions, string[]>;
|
|
|
|
|
skipCheck?: (req?: ServerRequest) => boolean;
|
|
|
|
|
getRoleByName: (roleName: string, fieldsToSelect?: string | string[]) => Promise<IRole | null>;
|
|
|
|
|
}): ((req: ServerRequest, res: ServerResponse, next: NextFunction) => Promise<unknown>) => {
|
|
|
|
|
return async (req, res, next) => {
|
|
|
|
|
try {
|
|
|
|
|
const hasAccess = await checkAccess({
|
|
|
|
|
req,
|
|
|
|
|
user: req.user as IUser,
|
|
|
|
|
permissionType,
|
|
|
|
|
permissions,
|
|
|
|
|
bodyProps,
|
|
|
|
|
checkObject: req.body,
|
|
|
|
|
skipCheck,
|
|
|
|
|
getRoleByName,
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
if (hasAccess) {
|
|
|
|
|
return next();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
logger.warn(
|
🏪 feat: Agent Marketplace
bugfix: Enhance Agent and AgentCategory schemas with new fields for category, support contact, and promotion status
refactored and moved agent category methods and schema to data-schema package
🔧 fix: Merge and Rebase Conflicts
- Move AgentCategory from api/models to @packages/data-schemas structure
- Add schema, types, methods, and model following codebase conventions
- Implement auto-seeding of default categories during AppService startup
- Update marketplace controller to use new data-schemas methods
- Remove old model file and standalone seed script
refactor: unify agent marketplace to single endpoint with cursor pagination
- Replace multiple marketplace routes with unified /marketplace endpoint
- Add query string controls: category, search, limit, cursor, promoted, requiredPermission
- Implement cursor-based pagination replacing page-based system
- Integrate ACL permissions for proper access control
- Fix ObjectId constructor error in Agent model
- Update React components to use unified useGetMarketplaceAgentsQuery hook
- Enhance type safety and remove deprecated useDynamicAgentQuery
- Update tests for new marketplace architecture
-Known issues:
see more button after category switching + Unit tests
feat: add icon property to ProcessedAgentCategory interface
- Add useMarketplaceAgentsInfiniteQuery and useGetAgentCategoriesQuery to client/src/data-provider/Agents/
- Replace manual pagination in AgentGrid with infinite query pattern
- Update imports to use local data provider instead of librechat-data-provider
- Add proper permission handling with PERMISSION_BITS.VIEW/EDIT constants
- Improve agent access control by adding requiredPermission validation in backend
- Remove manual cursor/state management in favor of infinite query built-ins
- Maintain existing search and category filtering functionality
refactor: consolidate agent marketplace endpoints into main agents API and improve data management consistency
- Remove dedicated marketplace controller and routes, merging functionality into main agents v1 API
- Add countPromotedAgents function to Agent model for promoted agents count
- Enhance getListAgents handler with marketplace filtering (category, search, promoted status)
- Move getAgentCategories from marketplace to v1 controller with same functionality
- Update agent mutations to invalidate marketplace queries and handle multiple permission levels
- Improve cache management by updating all agent query variants (VIEW/EDIT permissions)
- Consolidate agent data access patterns for better maintainability and consistency
- Remove duplicate marketplace route definitions and middleware
selected view only agents injected in the drop down
fix: remove minlength validation for support contact name in agent schema
feat: add validation and error messages for agent name in AgentConfig and AgentPanel
fix: update agent permission check logic in AgentPanel to simplify condition
Fix linting WIP
Fix Unit tests WIP
ESLint fixes
eslint fix
refactor: enhance isDuplicateVersion function in Agent model for improved comparison logic
- Introduced handling for undefined/null values in array and object comparisons.
- Normalized array comparisons to treat undefined/null as empty arrays.
- Added deep comparison for objects and improved handling of primitive values.
- Enhanced projectIds comparison to ensure consistent MongoDB ObjectId handling.
refactor: remove redundant properties from IAgent interface in agent schema
chore: update localization for agent detail component and clean up imports
ci: update access middleware tests
chore: remove unused PermissionTypes import from Role model
ci: update AclEntry model tests
ci: update button accessibility labels in AgentDetail tests
refactor: update exhaustive dep. lint warning
🔧 fix: Fixed agent actions access
feat: Add role-level permissions for agent sharing people picker
- Add PEOPLE_PICKER permission type with VIEW_USERS and VIEW_GROUPS permissions
- Create custom middleware for query-aware permission validation
- Implement permission-based type filtering in PeoplePicker component
- Hide people picker UI when user lacks permissions, show only public toggle
- Support granular access: users-only, groups-only, or mixed search modes
refactor: Replace marketplace interface config with permission-based system
- Add MARKETPLACE permission type to handle marketplace access control
- Update interface configuration to use role-based marketplace settings (admin/user)
- Replace direct marketplace boolean config with permission-based checks
- Modify frontend components to use marketplace permissions instead of interface config
- Update agent query hooks to use marketplace permissions for determining permission levels
- Add marketplace configuration structure similar to peoplePicker in YAML config
- Backend now sets MARKETPLACE permissions based on interface configuration
- When marketplace enabled: users get agents with EDIT permissions in dropdown lists (builder mode)
- When marketplace disabled: users get agents with VIEW permissions in dropdown lists (browse mode)
🔧 fix: Redirect to New Chat if No Marketplace Access and Required Agent Name Placeholder (#8213)
* Fix: Fix the redirect to new chat page if access to marketplace is denied
* Fixed the required agent name placeholder
---------
Co-authored-by: Atef Bellaaj <slalom.bellaaj@external.daimlertruck.com>
chore: fix tests, remove unnecessary imports
refactor: Implement permission checks for file access via agents
- Updated `hasAccessToFilesViaAgent` to utilize permission checks for VIEW and EDIT access.
- Replaced project-based access validation with permission-based checks.
- Enhanced tests to cover new permission logic and ensure proper access control for files associated with agents.
- Cleaned up imports and initialized models in test files for consistency.
refactor: Enhance test setup and cleanup for file access control
- Introduced modelsToCleanup array to track models added during tests for proper cleanup.
- Updated afterAll hooks in test files to ensure all collections are cleared and only added models are deleted.
- Improved consistency in model initialization across test files.
- Added comments for clarity on cleanup processes and test data management.
chore: Update Jest configuration and test setup for improved timeout handling
- Added a global test timeout of 30 seconds in jest.config.js.
- Configured jest.setTimeout in jestSetup.js to allow individual test overrides if needed.
- Enhanced test reliability by ensuring consistent timeout settings across all tests.
refactor: Implement file access filtering based on agent permissions
- Introduced `filterFilesByAgentAccess` function to filter files based on user access through agents.
- Updated `getFiles` and `primeFiles` functions to utilize the new filtering logic.
- Moved `hasAccessToFilesViaAgent` function from the File model to permission services, adjusting imports accordingly
- Enhanced tests to ensure proper access control and filtering behavior for files associated with agents.
fix: make support_contact field a nested object rather than a sub-document
refactor: Update support_contact field initialization in agent model
- Removed handling for empty support_contact object in createAgent function.
- Changed default value of support_contact in agent schema to undefined.
test: Add comprehensive tests for support_contact field handling and versioning
refactor: remove unused avatar upload mutation field and add informational toast for success
chore: add missing SidePanelProvider for AgentMarketplace and organize imports
fix: resolve agent selection race condition in marketplace HandleStartChat
- Set agent in localStorage before newConversation to prevent useSelectorEffects from auto-selecting previous agent
fix: resolve agent dropdown showing raw ID instead of agent info from URL
- Add proactive agent fetching when agent_id is present in URL parameters
- Inject fetched agent into agents cache so dropdowns display proper name/avatar
- Use useAgentsMap dependency to ensure proper cache initialization timing
- Prevents raw agent IDs from showing in UI when visiting shared agent links
Fix: Agents endpoint renamed to "My Agent" for less confusion with the Marketplace agents.
chore: fix ESLint issues and Test Mocks
ci: update permissions structure in loadDefaultInterface tests
- Refactored permissions for MEMORY and added new permissions for MARKETPLACE and PEOPLE_PICKER.
- Ensured consistent structure for permissions across different types.
feat: support_contact validation to allow empty email strings
2025-06-11 22:55:07 +05:30
|
|
|
`[${permissionType}] Forbidden: "${req.originalUrl}" - Insufficient permissions for User ${(req.user as IUser)?.id}: ${permissions.join(', ')}`,
|
2025-06-26 18:50:15 -04:00
|
|
|
);
|
|
|
|
|
return res.status(403).json({ message: 'Forbidden: Insufficient permissions' });
|
|
|
|
|
} catch (error) {
|
|
|
|
|
logger.error(error);
|
|
|
|
|
return res.status(500).json({
|
|
|
|
|
message: `Server error: ${error instanceof Error ? error.message : 'Unknown error'}`,
|
|
|
|
|
});
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
};
|