🪺 refactor: Nest Permission fields for Roles (#6487)

* 🏗️ feat: Add Group model and schema with GroupType enum

* 🏗️ feat: Introduce Permissions module and refactor role-based access control

* 🏗️ feat: Refactor permissions handling and consolidate permission schemas

* 🏗️ feat: Refactor role permissions handling and improve role initialization logic

* 🏗️ feat: Update Role.spec.js to improve imports and enhance test structure

* 🏗️ feat: Update access control logic to ensure proper permission checks in role handling

* 🏗️ chore: Bump versions for librechat-data-provider to 0.7.75 and @librechat/data-schemas to 0.0.6

* 🏗️ feat: Improve role permissions handling by ensuring defaults are applied correctly

* 🏗️ feat: Update role permissions schema to comment out unused SHARE permission

* 🏗️ chore: Bump version of librechat-data-provider to 0.7.77 and remove unused groups field from IUser interface

* 🏗️ chore: Downgrade version of librechat-data-provider to 0.7.76

* 🔧 chore: Bump versions for librechat-data-provider to 0.7.77 and data-schemas to 0.0.6

* 🏗️ chore: Update version of librechat-data-provider to 0.7.789

---------

Co-authored-by: Danny Avila <danny@librechat.ai>

api/models/Role.js

@@ -4,13 +4,8 @@ const {
   SystemRoles,
   roleDefaults,
   PermissionTypes,
+  permissionsSchema,
   removeNullishValues,
-  agentPermissionsSchema,
-  promptPermissionsSchema,
-  runCodePermissionsSchema,
-  bookmarkPermissionsSchema,
-  multiConvoPermissionsSchema,
-  temporaryChatPermissionsSchema,
 } = require('librechat-data-provider');
 const getLogStores = require('~/cache/getLogStores');
 const { roleSchema } = require('@librechat/data-schemas');
@@ -20,15 +15,16 @@ const Role = mongoose.model('Role', roleSchema);
 
 /**
  * Retrieve a role by name and convert the found role document to a plain object.
- * If the role with the given name doesn't exist and the name is a system defined role, create it and return the lean version.
+ * If the role with the given name doesn't exist and the name is a system defined role,
+ * create it and return the lean version.
  *
  * @param {string} roleName - The name of the role to find or create.
  * @param {string|string[]} [fieldsToSelect] - The fields to include or exclude in the returned document.
  * @returns {Promise<Object>} A plain object representing the role document.
  */
 const getRoleByName = async function (roleName, fieldsToSelect = null) {
+  const cache = getLogStores(CacheKeys.ROLES);
   try {
-    const cache = getLogStores(CacheKeys.ROLES);
     const cachedRole = await cache.get(roleName);
     if (cachedRole) {
       return cachedRole;
@@ -40,8 +36,7 @@ const getRoleByName = async function (roleName, fieldsToSelect = null) {
     let role = await query.lean().exec();
 
     if (!role && SystemRoles[roleName]) {
-      role = roleDefaults[roleName];
-      role = await new Role(role).save();
+      role = await new Role(roleDefaults[roleName]).save();
       await cache.set(roleName, role);
       return role.toObject();
     }
@@ -60,8 +55,8 @@ const getRoleByName = async function (roleName, fieldsToSelect = null) {
  * @returns {Promise<TRole>} Updated role document.
  */
 const updateRoleByName = async function (roleName, updates) {
+  const cache = getLogStores(CacheKeys.ROLES);
   try {
-    const cache = getLogStores(CacheKeys.ROLES);
     const role = await Role.findOneAndUpdate(
       { name: roleName },
       { $set: updates },
@@ -77,29 +72,20 @@ const updateRoleByName = async function (roleName, updates) {
   }
 };
 
-const permissionSchemas = {
-  [PermissionTypes.AGENTS]: agentPermissionsSchema,
-  [PermissionTypes.PROMPTS]: promptPermissionsSchema,
-  [PermissionTypes.BOOKMARKS]: bookmarkPermissionsSchema,
-  [PermissionTypes.MULTI_CONVO]: multiConvoPermissionsSchema,
-  [PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema,
-  [PermissionTypes.RUN_CODE]: runCodePermissionsSchema,
-};
-
 /**
  * Updates access permissions for a specific role and multiple permission types.
- * @param {SystemRoles} roleName - The role to update.
+ * @param {string} roleName - The role to update.
  * @param {Object.<PermissionTypes, Object.<Permissions, boolean>>} permissionsUpdate - Permissions to update and their values.
  */
 async function updateAccessPermissions(roleName, permissionsUpdate) {
+  // Filter and clean the permission updates based on our schema definition.
   const updates = {};
   for (const [permissionType, permissions] of Object.entries(permissionsUpdate)) {
-    if (permissionSchemas[permissionType]) {
+    if (permissionsSchema.shape && permissionsSchema.shape[permissionType]) {
       updates[permissionType] = removeNullishValues(permissions);
     }
   }
-
-  if (Object.keys(updates).length === 0) {
+  if (!Object.keys(updates).length) {
     return;
   }
 
@@ -109,26 +95,28 @@ async function updateAccessPermissions(roleName, permissionsUpdate) {
       return;
     }
 
-    const updatedPermissions = {};
+    const currentPermissions = role.permissions || {};
+    const updatedPermissions = { ...currentPermissions };
     let hasChanges = false;
 
     for (const [permissionType, permissions] of Object.entries(updates)) {
-      const currentPermissions = role[permissionType] || {};
-      updatedPermissions[permissionType] = { ...currentPermissions };
+      const currentTypePermissions = currentPermissions[permissionType] || {};
+      updatedPermissions[permissionType] = { ...currentTypePermissions };
 
       for (const [permission, value] of Object.entries(permissions)) {
-        if (currentPermissions[permission] !== value) {
+        if (currentTypePermissions[permission] !== value) {
           updatedPermissions[permissionType][permission] = value;
           hasChanges = true;
           logger.info(
-            `Updating '${roleName}' role ${permissionType} '${permission}' permission from ${currentPermissions[permission]} to: ${value}`,
+            `Updating '${roleName}' role permission '${permissionType}' '${permission}' from ${currentTypePermissions[permission]} to: ${value}`,
           );
         }
       }
     }
 
     if (hasChanges) {
-      await updateRoleByName(roleName, updatedPermissions);
+      // Update only the permissions field.
+      await updateRoleByName(roleName, { permissions: updatedPermissions });
       logger.info(`Updated '${roleName}' role permissions`);
     } else {
       logger.info(`No changes needed for '${roleName}' role permissions`);
@@ -146,30 +134,27 @@ async function updateAccessPermissions(roleName, permissionsUpdate) {
  * @returns {Promise<void>}
  */
 const initializeRoles = async function () {
-  const defaultRoles = [SystemRoles.ADMIN, SystemRoles.USER];
-
-  for (const roleName of defaultRoles) {
+  for (const roleName of [SystemRoles.ADMIN, SystemRoles.USER]) {
     let role = await Role.findOne({ name: roleName });
+    const defaultPerms = roleDefaults[roleName].permissions;
 
     if (!role) {
-      // Create new role if it doesn't exist
+      // Create new role if it doesn't exist.
       role = new Role(roleDefaults[roleName]);
     } else {
-      // Add missing permission types
-      let isUpdated = false;
-      for (const permType of Object.values(PermissionTypes)) {
-        if (!role[permType]) {
-          role[permType] = roleDefaults[roleName][permType];
-          isUpdated = true;
+      // Ensure role.permissions is defined.
+      role.permissions = role.permissions || {};
+      // For each permission type in defaults, add it if missing.
+      for (const permType of Object.keys(defaultPerms)) {
+        if (role.permissions[permType] == null) {
+          role.permissions[permType] = defaultPerms[permType];
         }
       }
-      if (isUpdated) {
-        await role.save();
-      }
     }
     await role.save();
   }
 };
+
 module.exports = {
   Role,
   getRoleByName,