LibreChat/api/server/middleware/checkSharePublicAccess.js

const { logger } = require('@librechat/data-schemas');
const { ResourceType, PermissionTypes, Permissions } = require('librechat-data-provider');
const { getRoleByName } = require('~/models/Role');

/**
 * Maps resource types to their corresponding permission types
 */
const resourceToPermissionType = {
  [ResourceType.AGENT]: PermissionTypes.AGENTS,
  [ResourceType.PROMPTGROUP]: PermissionTypes.PROMPTS,
  [ResourceType.MCPSERVER]: PermissionTypes.MCP_SERVERS,
};

/**
 * Middleware to check if user has SHARE_PUBLIC permission for a resource type
 * Only enforced when request body contains `public: true`
 * @param {import('express').Request} req - Express request
 * @param {import('express').Response} res - Express response
 * @param {import('express').NextFunction} next - Express next function
 */
const checkSharePublicAccess = async (req, res, next) => {
  try {
    const { public: isPublic } = req.body;

    // Only check if trying to enable public sharing
    if (!isPublic) {
      return next();
    }

    const user = req.user;
    if (!user || !user.role) {
      return res.status(401).json({
        error: 'Unauthorized',
        message: 'Authentication required',
      });
    }

    const { resourceType } = req.params;
    const permissionType = resourceToPermissionType[resourceType];

    if (!permissionType) {
      return res.status(400).json({
        error: 'Bad Request',
        message: `Unsupported resource type for public sharing: ${resourceType}`,
      });
    }

    const role = await getRoleByName(user.role);
    if (!role || !role.permissions) {
      return res.status(403).json({
        error: 'Forbidden',
        message: 'No permissions configured for user role',
      });
    }

    const resourcePerms = role.permissions[permissionType] || {};
    const canSharePublic = resourcePerms[Permissions.SHARE_PUBLIC] === true;

    if (!canSharePublic) {
      logger.warn(
        `[checkSharePublicAccess][${user.id}] User denied SHARE_PUBLIC for ${resourceType}`,
      );
      return res.status(403).json({
        error: 'Forbidden',
        message: `You do not have permission to share ${resourceType} resources publicly`,
      });
    }

    next();
  } catch (error) {
    logger.error(
      `[checkSharePublicAccess][${req.user?.id}] Error checking SHARE_PUBLIC permission`,
      error,
    );
    return res.status(500).json({
      error: 'Internal Server Error',
      message: 'Failed to check public sharing permissions',
    });
  }
};

module.exports = {
  checkSharePublicAccess,
};
🔧 refactor: Permission handling for Resource Sharing (#11283) * 🔧 refactor: permission handling for public sharing - Updated permission keys from SHARED_GLOBAL to SHARE across various files for consistency. - Added public access configuration in librechat.example.yaml. - Adjusted related tests and components to reflect the new permission structure. * chore: Update default SHARE permission to false * fix: Update SHARE permissions in tests and implementation - Added SHARE permission handling for user and admin roles in permissions.spec.ts and permissions.ts. - Updated expected permissions in tests to reflect new SHARE permission values for various permission types. * fix: Handle undefined values in PeoplePickerAdminSettings component - Updated the checked and value props of the Switch component to handle undefined values gracefully by defaulting to false. This ensures consistent behavior when the field value is not set. * feat: Add CREATE permission handling for prompts and agents - Introduced CREATE permission for user and admin roles in permissions.spec.ts and permissions.ts. - Updated expected permissions in tests to include CREATE permission for various permission types. * 🔧 refactor: Enhance permission handling for sharing dialog usability * refactor: public sharing permissions for resources - Added middleware to check SHARE_PUBLIC permissions for agents, prompts, and MCP servers. - Updated interface configuration in librechat.example.yaml to include public sharing options. - Enhanced components and hooks to support public sharing functionality. - Adjusted tests to validate new permission handling for public sharing across various resource types. * refactor: update Share2Icon styling in GenericGrantAccessDialog * refactor: update Share2Icon size in GenericGrantAccessDialog for consistency * refactor: improve layout and styling of Share2Icon in GenericGrantAccessDialog * refactor: update Share2Icon size in GenericGrantAccessDialog for improved consistency * chore: remove redundant public sharing option from People Picker * refactor: add SHARE_PUBLIC permission handling in updateInterfacePermissions tests 2026-01-10 14:02:56 -05:00			`const { logger } = require('@librechat/data-schemas');`
			`const { ResourceType, PermissionTypes, Permissions } = require('librechat-data-provider');`
			`const { getRoleByName } = require('~/models/Role');`

			`/**`
			`* Maps resource types to their corresponding permission types`
			`*/`
			`const resourceToPermissionType = {`
			`[ResourceType.AGENT]: PermissionTypes.AGENTS,`
			`[ResourceType.PROMPTGROUP]: PermissionTypes.PROMPTS,`
			`[ResourceType.MCPSERVER]: PermissionTypes.MCP_SERVERS,`
			`};`

			`/**`
			`* Middleware to check if user has SHARE_PUBLIC permission for a resource type`
			* Only enforced when request body contains `public: true`
			`* @param {import('express').Request} req - Express request`
			`* @param {import('express').Response} res - Express response`
			`* @param {import('express').NextFunction} next - Express next function`
			`*/`
			`const checkSharePublicAccess = async (req, res, next) => {`
			`try {`
			`const { public: isPublic } = req.body;`

			`// Only check if trying to enable public sharing`
			`if (!isPublic) {`
			`return next();`
			`}`

			`const user = req.user;`
			`if (!user \|\| !user.role) {`
			`return res.status(401).json({`
			`error: 'Unauthorized',`
			`message: 'Authentication required',`
			`});`
			`}`

			`const { resourceType } = req.params;`
			`const permissionType = resourceToPermissionType[resourceType];`

			`if (!permissionType) {`
			`return res.status(400).json({`
			`error: 'Bad Request',`
			message: `Unsupported resource type for public sharing: ${resourceType}`,
			`});`
			`}`

			`const role = await getRoleByName(user.role);`
			`if (!role \|\| !role.permissions) {`
			`return res.status(403).json({`
			`error: 'Forbidden',`
			`message: 'No permissions configured for user role',`
			`});`
			`}`

			`const resourcePerms = role.permissions[permissionType] \|\| {};`
			`const canSharePublic = resourcePerms[Permissions.SHARE_PUBLIC] === true;`

			`if (!canSharePublic) {`
			`logger.warn(`
			`[checkSharePublicAccess][${user.id}] User denied SHARE_PUBLIC for ${resourceType}`,
			`);`
			`return res.status(403).json({`
			`error: 'Forbidden',`
			message: `You do not have permission to share ${resourceType} resources publicly`,
			`});`
			`}`

			`next();`
			`} catch (error) {`
			`logger.error(`
			`[checkSharePublicAccess][${req.user?.id}] Error checking SHARE_PUBLIC permission`,
			`error,`
			`);`
			`return res.status(500).json({`
			`error: 'Internal Server Error',`
			`message: 'Failed to check public sharing permissions',`
			`});`
			`}`
			`};`

			`module.exports = {`
			`checkSharePublicAccess,`
			`};`