mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-09-22 08:12:00 +02:00
🪺 refactor: Nest Permission fields for Roles (#6487)
* 🏗️ feat: Add Group model and schema with GroupType enum * 🏗️ feat: Introduce Permissions module and refactor role-based access control * 🏗️ feat: Refactor permissions handling and consolidate permission schemas * 🏗️ feat: Refactor role permissions handling and improve role initialization logic * 🏗️ feat: Update Role.spec.js to improve imports and enhance test structure * 🏗️ feat: Update access control logic to ensure proper permission checks in role handling * 🏗️ chore: Bump versions for librechat-data-provider to 0.7.75 and @librechat/data-schemas to 0.0.6 * 🏗️ feat: Improve role permissions handling by ensuring defaults are applied correctly * 🏗️ feat: Update role permissions schema to comment out unused SHARE permission * 🏗️ chore: Bump version of librechat-data-provider to 0.7.77 and remove unused groups field from IUser interface * 🏗️ chore: Downgrade version of librechat-data-provider to 0.7.76 * 🔧 chore: Bump versions for librechat-data-provider to 0.7.77 and data-schemas to 0.0.6 * 🏗️ chore: Update version of librechat-data-provider to 0.7.789 --------- Co-authored-by: Danny Avila <danny@librechat.ai>
This commit is contained in:
Ruben Talstra
GitHub
parent
710fde6a6f
commit
0551a562d8
11 changed files with 394 additions and 411 deletions
|
|
@ -4,13 +4,8 @@ const {
|
||||||
SystemRoles,
|
SystemRoles,
|
||||||
roleDefaults,
|
roleDefaults,
|
||||||
PermissionTypes,
|
PermissionTypes,
|
||||||
|
permissionsSchema,
|
||||||
removeNullishValues,
|
removeNullishValues,
|
||||||
agentPermissionsSchema,
|
|
||||||
promptPermissionsSchema,
|
|
||||||
runCodePermissionsSchema,
|
|
||||||
bookmarkPermissionsSchema,
|
|
||||||
multiConvoPermissionsSchema,
|
|
||||||
temporaryChatPermissionsSchema,
|
|
||||||
} = require('librechat-data-provider');
|
} = require('librechat-data-provider');
|
||||||
const getLogStores = require('~/cache/getLogStores');
|
const getLogStores = require('~/cache/getLogStores');
|
||||||
const { roleSchema } = require('@librechat/data-schemas');
|
const { roleSchema } = require('@librechat/data-schemas');
|
||||||
|
|
@ -20,15 +15,16 @@ const Role = mongoose.model('Role', roleSchema);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Retrieve a role by name and convert the found role document to a plain object.
|
* Retrieve a role by name and convert the found role document to a plain object.
|
||||||
* If the role with the given name doesn't exist and the name is a system defined role, create it and return the lean version.
|
* If the role with the given name doesn't exist and the name is a system defined role,
|
||||||
|
* create it and return the lean version.
|
||||||
*
|
*
|
||||||
* @param {string} roleName - The name of the role to find or create.
|
* @param {string} roleName - The name of the role to find or create.
|
||||||
* @param {string|string[]} [fieldsToSelect] - The fields to include or exclude in the returned document.
|
* @param {string|string[]} [fieldsToSelect] - The fields to include or exclude in the returned document.
|
||||||
* @returns {Promise<Object>} A plain object representing the role document.
|
* @returns {Promise<Object>} A plain object representing the role document.
|
||||||
*/
|
*/
|
||||||
const getRoleByName = async function (roleName, fieldsToSelect = null) {
|
const getRoleByName = async function (roleName, fieldsToSelect = null) {
|
||||||
|
const cache = getLogStores(CacheKeys.ROLES);
|
||||||
try {
|
try {
|
||||||
const cache = getLogStores(CacheKeys.ROLES);
|
|
||||||
const cachedRole = await cache.get(roleName);
|
const cachedRole = await cache.get(roleName);
|
||||||
if (cachedRole) {
|
if (cachedRole) {
|
||||||
return cachedRole;
|
return cachedRole;
|
||||||
|
|
@ -40,8 +36,7 @@ const getRoleByName = async function (roleName, fieldsToSelect = null) {
|
||||||
let role = await query.lean().exec();
|
let role = await query.lean().exec();
|
||||||
|
|
||||||
if (!role && SystemRoles[roleName]) {
|
if (!role && SystemRoles[roleName]) {
|
||||||
role = roleDefaults[roleName];
|
role = await new Role(roleDefaults[roleName]).save();
|
||||||
role = await new Role(role).save();
|
|
||||||
await cache.set(roleName, role);
|
await cache.set(roleName, role);
|
||||||
return role.toObject();
|
return role.toObject();
|
||||||
}
|
}
|
||||||
|
|
@ -60,8 +55,8 @@ const getRoleByName = async function (roleName, fieldsToSelect = null) {
|
||||||
* @returns {Promise<TRole>} Updated role document.
|
* @returns {Promise<TRole>} Updated role document.
|
||||||
*/
|
*/
|
||||||
const updateRoleByName = async function (roleName, updates) {
|
const updateRoleByName = async function (roleName, updates) {
|
||||||
|
const cache = getLogStores(CacheKeys.ROLES);
|
||||||
try {
|
try {
|
||||||
const cache = getLogStores(CacheKeys.ROLES);
|
|
||||||
const role = await Role.findOneAndUpdate(
|
const role = await Role.findOneAndUpdate(
|
||||||
{ name: roleName },
|
{ name: roleName },
|
||||||
{ $set: updates },
|
{ $set: updates },
|
||||||
|
|
@ -77,29 +72,20 @@ const updateRoleByName = async function (roleName, updates) {
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
const permissionSchemas = {
|
|
||||||
[PermissionTypes.AGENTS]: agentPermissionsSchema,
|
|
||||||
[PermissionTypes.PROMPTS]: promptPermissionsSchema,
|
|
||||||
[PermissionTypes.BOOKMARKS]: bookmarkPermissionsSchema,
|
|
||||||
[PermissionTypes.MULTI_CONVO]: multiConvoPermissionsSchema,
|
|
||||||
[PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema,
|
|
||||||
[PermissionTypes.RUN_CODE]: runCodePermissionsSchema,
|
|
||||||
};
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Updates access permissions for a specific role and multiple permission types.
|
* Updates access permissions for a specific role and multiple permission types.
|
||||||
* @param {SystemRoles} roleName - The role to update.
|
* @param {string} roleName - The role to update.
|
||||||
* @param {Object.<PermissionTypes, Object.<Permissions, boolean>>} permissionsUpdate - Permissions to update and their values.
|
* @param {Object.<PermissionTypes, Object.<Permissions, boolean>>} permissionsUpdate - Permissions to update and their values.
|
||||||
*/
|
*/
|
||||||
async function updateAccessPermissions(roleName, permissionsUpdate) {
|
async function updateAccessPermissions(roleName, permissionsUpdate) {
|
||||||
|
// Filter and clean the permission updates based on our schema definition.
|
||||||
const updates = {};
|
const updates = {};
|
||||||
for (const [permissionType, permissions] of Object.entries(permissionsUpdate)) {
|
for (const [permissionType, permissions] of Object.entries(permissionsUpdate)) {
|
||||||
if (permissionSchemas[permissionType]) {
|
if (permissionsSchema.shape && permissionsSchema.shape[permissionType]) {
|
||||||
updates[permissionType] = removeNullishValues(permissions);
|
updates[permissionType] = removeNullishValues(permissions);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if (!Object.keys(updates).length) {
|
||||||
if (Object.keys(updates).length === 0) {
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -109,26 +95,28 @@ async function updateAccessPermissions(roleName, permissionsUpdate) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
const updatedPermissions = {};
|
const currentPermissions = role.permissions || {};
|
||||||
|
const updatedPermissions = { ...currentPermissions };
|
||||||
let hasChanges = false;
|
let hasChanges = false;
|
||||||
|
|
||||||
for (const [permissionType, permissions] of Object.entries(updates)) {
|
for (const [permissionType, permissions] of Object.entries(updates)) {
|
||||||
const currentPermissions = role[permissionType] || {};
|
const currentTypePermissions = currentPermissions[permissionType] || {};
|
||||||
updatedPermissions[permissionType] = { ...currentPermissions };
|
updatedPermissions[permissionType] = { ...currentTypePermissions };
|
||||||
|
|
||||||
for (const [permission, value] of Object.entries(permissions)) {
|
for (const [permission, value] of Object.entries(permissions)) {
|
||||||
if (currentPermissions[permission] !== value) {
|
if (currentTypePermissions[permission] !== value) {
|
||||||
updatedPermissions[permissionType][permission] = value;
|
updatedPermissions[permissionType][permission] = value;
|
||||||
hasChanges = true;
|
hasChanges = true;
|
||||||
logger.info(
|
logger.info(
|
||||||
`Updating '${roleName}' role ${permissionType} '${permission}' permission from ${currentPermissions[permission]} to: ${value}`,
|
`Updating '${roleName}' role permission '${permissionType}' '${permission}' from ${currentTypePermissions[permission]} to: ${value}`,
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (hasChanges) {
|
if (hasChanges) {
|
||||||
await updateRoleByName(roleName, updatedPermissions);
|
// Update only the permissions field.
|
||||||
|
await updateRoleByName(roleName, { permissions: updatedPermissions });
|
||||||
logger.info(`Updated '${roleName}' role permissions`);
|
logger.info(`Updated '${roleName}' role permissions`);
|
||||||
} else {
|
} else {
|
||||||
logger.info(`No changes needed for '${roleName}' role permissions`);
|
logger.info(`No changes needed for '${roleName}' role permissions`);
|
||||||
|
|
@ -146,30 +134,27 @@ async function updateAccessPermissions(roleName, permissionsUpdate) {
|
||||||
* @returns {Promise<void>}
|
* @returns {Promise<void>}
|
||||||
*/
|
*/
|
||||||
const initializeRoles = async function () {
|
const initializeRoles = async function () {
|
||||||
const defaultRoles = [SystemRoles.ADMIN, SystemRoles.USER];
|
for (const roleName of [SystemRoles.ADMIN, SystemRoles.USER]) {
|
||||||
|
|
||||||
for (const roleName of defaultRoles) {
|
|
||||||
let role = await Role.findOne({ name: roleName });
|
let role = await Role.findOne({ name: roleName });
|
||||||
|
const defaultPerms = roleDefaults[roleName].permissions;
|
||||||
|
|
||||||
if (!role) {
|
if (!role) {
|
||||||
// Create new role if it doesn't exist
|
// Create new role if it doesn't exist.
|
||||||
role = new Role(roleDefaults[roleName]);
|
role = new Role(roleDefaults[roleName]);
|
||||||
} else {
|
} else {
|
||||||
// Add missing permission types
|
// Ensure role.permissions is defined.
|
||||||
let isUpdated = false;
|
role.permissions = role.permissions || {};
|
||||||
for (const permType of Object.values(PermissionTypes)) {
|
// For each permission type in defaults, add it if missing.
|
||||||
if (!role[permType]) {
|
for (const permType of Object.keys(defaultPerms)) {
|
||||||
role[permType] = roleDefaults[roleName][permType];
|
if (role.permissions[permType] == null) {
|
||||||
isUpdated = true;
|
role.permissions[permType] = defaultPerms[permType];
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (isUpdated) {
|
|
||||||
await role.save();
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
await role.save();
|
await role.save();
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
module.exports = {
|
module.exports = {
|
||||||
Role,
|
Role,
|
||||||
getRoleByName,
|
getRoleByName,
|
||||||
|
|
|
||||||
|
|
@ -2,22 +2,21 @@ const mongoose = require('mongoose');
|
||||||
const { MongoMemoryServer } = require('mongodb-memory-server');
|
const { MongoMemoryServer } = require('mongodb-memory-server');
|
||||||
const {
|
const {
|
||||||
SystemRoles,
|
SystemRoles,
|
||||||
PermissionTypes,
|
|
||||||
roleDefaults,
|
|
||||||
Permissions,
|
Permissions,
|
||||||
|
roleDefaults,
|
||||||
|
PermissionTypes,
|
||||||
} = require('librechat-data-provider');
|
} = require('librechat-data-provider');
|
||||||
const { updateAccessPermissions, initializeRoles } = require('~/models/Role');
|
const { Role, getRoleByName, updateAccessPermissions, initializeRoles } = require('~/models/Role');
|
||||||
const getLogStores = require('~/cache/getLogStores');
|
const getLogStores = require('~/cache/getLogStores');
|
||||||
const { Role } = require('~/models/Role');
|
|
||||||
|
|
||||||
// Mock the cache
|
// Mock the cache
|
||||||
jest.mock('~/cache/getLogStores', () => {
|
jest.mock('~/cache/getLogStores', () =>
|
||||||
return jest.fn().mockReturnValue({
|
jest.fn().mockReturnValue({
|
||||||
get: jest.fn(),
|
get: jest.fn(),
|
||||||
set: jest.fn(),
|
set: jest.fn(),
|
||||||
del: jest.fn(),
|
del: jest.fn(),
|
||||||
});
|
}),
|
||||||
});
|
);
|
||||||
|
|
||||||
let mongoServer;
|
let mongoServer;
|
||||||
|
|
||||||
|
|
@ -41,10 +40,12 @@ describe('updateAccessPermissions', () => {
|
||||||
it('should update permissions when changes are needed', async () => {
|
it('should update permissions when changes are needed', async () => {
|
||||||
await new Role({
|
await new Role({
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: {
|
permissions: {
|
||||||
CREATE: true,
|
[PermissionTypes.PROMPTS]: {
|
||||||
USE: true,
|
CREATE: true,
|
||||||
SHARED_GLOBAL: false,
|
USE: true,
|
||||||
|
SHARED_GLOBAL: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}).save();
|
}).save();
|
||||||
|
|
||||||
|
|
@ -56,8 +57,8 @@ describe('updateAccessPermissions', () => {
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
const updatedRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const updatedRole = await getRoleByName(SystemRoles.USER);
|
||||||
expect(updatedRole[PermissionTypes.PROMPTS]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.PROMPTS]).toEqual({
|
||||||
CREATE: true,
|
CREATE: true,
|
||||||
USE: true,
|
USE: true,
|
||||||
SHARED_GLOBAL: true,
|
SHARED_GLOBAL: true,
|
||||||
|
|
@ -67,10 +68,12 @@ describe('updateAccessPermissions', () => {
|
||||||
it('should not update permissions when no changes are needed', async () => {
|
it('should not update permissions when no changes are needed', async () => {
|
||||||
await new Role({
|
await new Role({
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: {
|
permissions: {
|
||||||
CREATE: true,
|
[PermissionTypes.PROMPTS]: {
|
||||||
USE: true,
|
CREATE: true,
|
||||||
SHARED_GLOBAL: false,
|
USE: true,
|
||||||
|
SHARED_GLOBAL: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}).save();
|
}).save();
|
||||||
|
|
||||||
|
|
@ -82,8 +85,8 @@ describe('updateAccessPermissions', () => {
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
const updatedRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const updatedRole = await getRoleByName(SystemRoles.USER);
|
||||||
expect(updatedRole[PermissionTypes.PROMPTS]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.PROMPTS]).toEqual({
|
||||||
CREATE: true,
|
CREATE: true,
|
||||||
USE: true,
|
USE: true,
|
||||||
SHARED_GLOBAL: false,
|
SHARED_GLOBAL: false,
|
||||||
|
|
@ -92,11 +95,8 @@ describe('updateAccessPermissions', () => {
|
||||||
|
|
||||||
it('should handle non-existent roles', async () => {
|
it('should handle non-existent roles', async () => {
|
||||||
await updateAccessPermissions('NON_EXISTENT_ROLE', {
|
await updateAccessPermissions('NON_EXISTENT_ROLE', {
|
||||||
[PermissionTypes.PROMPTS]: {
|
[PermissionTypes.PROMPTS]: { CREATE: true },
|
||||||
CREATE: true,
|
|
||||||
},
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const role = await Role.findOne({ name: 'NON_EXISTENT_ROLE' });
|
const role = await Role.findOne({ name: 'NON_EXISTENT_ROLE' });
|
||||||
expect(role).toBeNull();
|
expect(role).toBeNull();
|
||||||
});
|
});
|
||||||
|
|
@ -104,21 +104,21 @@ describe('updateAccessPermissions', () => {
|
||||||
it('should update only specified permissions', async () => {
|
it('should update only specified permissions', async () => {
|
||||||
await new Role({
|
await new Role({
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: {
|
permissions: {
|
||||||
CREATE: true,
|
[PermissionTypes.PROMPTS]: {
|
||||||
USE: true,
|
CREATE: true,
|
||||||
SHARED_GLOBAL: false,
|
USE: true,
|
||||||
|
SHARED_GLOBAL: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}).save();
|
}).save();
|
||||||
|
|
||||||
await updateAccessPermissions(SystemRoles.USER, {
|
await updateAccessPermissions(SystemRoles.USER, {
|
||||||
[PermissionTypes.PROMPTS]: {
|
[PermissionTypes.PROMPTS]: { SHARED_GLOBAL: true },
|
||||||
SHARED_GLOBAL: true,
|
|
||||||
},
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const updatedRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const updatedRole = await getRoleByName(SystemRoles.USER);
|
||||||
expect(updatedRole[PermissionTypes.PROMPTS]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.PROMPTS]).toEqual({
|
||||||
CREATE: true,
|
CREATE: true,
|
||||||
USE: true,
|
USE: true,
|
||||||
SHARED_GLOBAL: true,
|
SHARED_GLOBAL: true,
|
||||||
|
|
@ -128,21 +128,21 @@ describe('updateAccessPermissions', () => {
|
||||||
it('should handle partial updates', async () => {
|
it('should handle partial updates', async () => {
|
||||||
await new Role({
|
await new Role({
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: {
|
permissions: {
|
||||||
CREATE: true,
|
[PermissionTypes.PROMPTS]: {
|
||||||
USE: true,
|
CREATE: true,
|
||||||
SHARED_GLOBAL: false,
|
USE: true,
|
||||||
|
SHARED_GLOBAL: false,
|
||||||
|
},
|
||||||
},
|
},
|
||||||
}).save();
|
}).save();
|
||||||
|
|
||||||
await updateAccessPermissions(SystemRoles.USER, {
|
await updateAccessPermissions(SystemRoles.USER, {
|
||||||
[PermissionTypes.PROMPTS]: {
|
[PermissionTypes.PROMPTS]: { USE: false },
|
||||||
USE: false,
|
|
||||||
},
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const updatedRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const updatedRole = await getRoleByName(SystemRoles.USER);
|
||||||
expect(updatedRole[PermissionTypes.PROMPTS]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.PROMPTS]).toEqual({
|
||||||
CREATE: true,
|
CREATE: true,
|
||||||
USE: false,
|
USE: false,
|
||||||
SHARED_GLOBAL: false,
|
SHARED_GLOBAL: false,
|
||||||
|
|
@ -152,13 +152,9 @@ describe('updateAccessPermissions', () => {
|
||||||
it('should update multiple permission types at once', async () => {
|
it('should update multiple permission types at once', async () => {
|
||||||
await new Role({
|
await new Role({
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: {
|
permissions: {
|
||||||
CREATE: true,
|
[PermissionTypes.PROMPTS]: { CREATE: true, USE: true, SHARED_GLOBAL: false },
|
||||||
USE: true,
|
[PermissionTypes.BOOKMARKS]: { USE: true },
|
||||||
SHARED_GLOBAL: false,
|
|
||||||
},
|
|
||||||
[PermissionTypes.BOOKMARKS]: {
|
|
||||||
USE: true,
|
|
||||||
},
|
},
|
||||||
}).save();
|
}).save();
|
||||||
|
|
||||||
|
|
@ -167,24 +163,20 @@ describe('updateAccessPermissions', () => {
|
||||||
[PermissionTypes.BOOKMARKS]: { USE: false },
|
[PermissionTypes.BOOKMARKS]: { USE: false },
|
||||||
});
|
});
|
||||||
|
|
||||||
const updatedRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const updatedRole = await getRoleByName(SystemRoles.USER);
|
||||||
expect(updatedRole[PermissionTypes.PROMPTS]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.PROMPTS]).toEqual({
|
||||||
CREATE: true,
|
CREATE: true,
|
||||||
USE: false,
|
USE: false,
|
||||||
SHARED_GLOBAL: true,
|
SHARED_GLOBAL: true,
|
||||||
});
|
});
|
||||||
expect(updatedRole[PermissionTypes.BOOKMARKS]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.BOOKMARKS]).toEqual({ USE: false });
|
||||||
USE: false,
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should handle updates for a single permission type', async () => {
|
it('should handle updates for a single permission type', async () => {
|
||||||
await new Role({
|
await new Role({
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: {
|
permissions: {
|
||||||
CREATE: true,
|
[PermissionTypes.PROMPTS]: { CREATE: true, USE: true, SHARED_GLOBAL: false },
|
||||||
USE: true,
|
|
||||||
SHARED_GLOBAL: false,
|
|
||||||
},
|
},
|
||||||
}).save();
|
}).save();
|
||||||
|
|
||||||
|
|
@ -192,8 +184,8 @@ describe('updateAccessPermissions', () => {
|
||||||
[PermissionTypes.PROMPTS]: { USE: false, SHARED_GLOBAL: true },
|
[PermissionTypes.PROMPTS]: { USE: false, SHARED_GLOBAL: true },
|
||||||
});
|
});
|
||||||
|
|
||||||
const updatedRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const updatedRole = await getRoleByName(SystemRoles.USER);
|
||||||
expect(updatedRole[PermissionTypes.PROMPTS]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.PROMPTS]).toEqual({
|
||||||
CREATE: true,
|
CREATE: true,
|
||||||
USE: false,
|
USE: false,
|
||||||
SHARED_GLOBAL: true,
|
SHARED_GLOBAL: true,
|
||||||
|
|
@ -203,33 +195,25 @@ describe('updateAccessPermissions', () => {
|
||||||
it('should update MULTI_CONVO permissions', async () => {
|
it('should update MULTI_CONVO permissions', async () => {
|
||||||
await new Role({
|
await new Role({
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.MULTI_CONVO]: {
|
permissions: {
|
||||||
USE: false,
|
[PermissionTypes.MULTI_CONVO]: { USE: false },
|
||||||
},
|
},
|
||||||
}).save();
|
}).save();
|
||||||
|
|
||||||
await updateAccessPermissions(SystemRoles.USER, {
|
await updateAccessPermissions(SystemRoles.USER, {
|
||||||
[PermissionTypes.MULTI_CONVO]: {
|
[PermissionTypes.MULTI_CONVO]: { USE: true },
|
||||||
USE: true,
|
|
||||||
},
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const updatedRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const updatedRole = await getRoleByName(SystemRoles.USER);
|
||||||
expect(updatedRole[PermissionTypes.MULTI_CONVO]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO]).toEqual({ USE: true });
|
||||||
USE: true,
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should update MULTI_CONVO permissions along with other permission types', async () => {
|
it('should update MULTI_CONVO permissions along with other permission types', async () => {
|
||||||
await new Role({
|
await new Role({
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: {
|
permissions: {
|
||||||
CREATE: true,
|
[PermissionTypes.PROMPTS]: { CREATE: true, USE: true, SHARED_GLOBAL: false },
|
||||||
USE: true,
|
[PermissionTypes.MULTI_CONVO]: { USE: false },
|
||||||
SHARED_GLOBAL: false,
|
|
||||||
},
|
|
||||||
[PermissionTypes.MULTI_CONVO]: {
|
|
||||||
USE: false,
|
|
||||||
},
|
},
|
||||||
}).save();
|
}).save();
|
||||||
|
|
||||||
|
|
@ -238,35 +222,29 @@ describe('updateAccessPermissions', () => {
|
||||||
[PermissionTypes.MULTI_CONVO]: { USE: true },
|
[PermissionTypes.MULTI_CONVO]: { USE: true },
|
||||||
});
|
});
|
||||||
|
|
||||||
const updatedRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const updatedRole = await getRoleByName(SystemRoles.USER);
|
||||||
expect(updatedRole[PermissionTypes.PROMPTS]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.PROMPTS]).toEqual({
|
||||||
CREATE: true,
|
CREATE: true,
|
||||||
USE: true,
|
USE: true,
|
||||||
SHARED_GLOBAL: true,
|
SHARED_GLOBAL: true,
|
||||||
});
|
});
|
||||||
expect(updatedRole[PermissionTypes.MULTI_CONVO]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO]).toEqual({ USE: true });
|
||||||
USE: true,
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should not update MULTI_CONVO permissions when no changes are needed', async () => {
|
it('should not update MULTI_CONVO permissions when no changes are needed', async () => {
|
||||||
await new Role({
|
await new Role({
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.MULTI_CONVO]: {
|
permissions: {
|
||||||
USE: true,
|
[PermissionTypes.MULTI_CONVO]: { USE: true },
|
||||||
},
|
},
|
||||||
}).save();
|
}).save();
|
||||||
|
|
||||||
await updateAccessPermissions(SystemRoles.USER, {
|
await updateAccessPermissions(SystemRoles.USER, {
|
||||||
[PermissionTypes.MULTI_CONVO]: {
|
[PermissionTypes.MULTI_CONVO]: { USE: true },
|
||||||
USE: true,
|
|
||||||
},
|
|
||||||
});
|
});
|
||||||
|
|
||||||
const updatedRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const updatedRole = await getRoleByName(SystemRoles.USER);
|
||||||
expect(updatedRole[PermissionTypes.MULTI_CONVO]).toEqual({
|
expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO]).toEqual({ USE: true });
|
||||||
USE: true,
|
|
||||||
});
|
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
@ -278,65 +256,69 @@ describe('initializeRoles', () => {
|
||||||
it('should create default roles if they do not exist', async () => {
|
it('should create default roles if they do not exist', async () => {
|
||||||
await initializeRoles();
|
await initializeRoles();
|
||||||
|
|
||||||
const adminRole = await Role.findOne({ name: SystemRoles.ADMIN }).lean();
|
const adminRole = await getRoleByName(SystemRoles.ADMIN);
|
||||||
const userRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const userRole = await getRoleByName(SystemRoles.USER);
|
||||||
|
|
||||||
expect(adminRole).toBeTruthy();
|
expect(adminRole).toBeTruthy();
|
||||||
expect(userRole).toBeTruthy();
|
expect(userRole).toBeTruthy();
|
||||||
|
|
||||||
// Check if all permission types exist
|
// Check if all permission types exist in the permissions field
|
||||||
Object.values(PermissionTypes).forEach((permType) => {
|
Object.values(PermissionTypes).forEach((permType) => {
|
||||||
expect(adminRole[permType]).toBeDefined();
|
expect(adminRole.permissions[permType]).toBeDefined();
|
||||||
expect(userRole[permType]).toBeDefined();
|
expect(userRole.permissions[permType]).toBeDefined();
|
||||||
});
|
});
|
||||||
|
|
||||||
// Check if permissions match defaults (example for ADMIN role)
|
// Example: Check default values for ADMIN role
|
||||||
expect(adminRole[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBe(true);
|
expect(adminRole.permissions[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBe(true);
|
||||||
expect(adminRole[PermissionTypes.BOOKMARKS].USE).toBe(true);
|
expect(adminRole.permissions[PermissionTypes.BOOKMARKS].USE).toBe(true);
|
||||||
expect(adminRole[PermissionTypes.AGENTS].CREATE).toBe(true);
|
expect(adminRole.permissions[PermissionTypes.AGENTS].CREATE).toBe(true);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should not modify existing permissions for existing roles', async () => {
|
it('should not modify existing permissions for existing roles', async () => {
|
||||||
const customUserRole = {
|
const customUserRole = {
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: {
|
permissions: {
|
||||||
[Permissions.USE]: false,
|
[PermissionTypes.PROMPTS]: {
|
||||||
[Permissions.CREATE]: true,
|
[Permissions.USE]: false,
|
||||||
[Permissions.SHARED_GLOBAL]: true,
|
[Permissions.CREATE]: true,
|
||||||
},
|
[Permissions.SHARED_GLOBAL]: true,
|
||||||
[PermissionTypes.BOOKMARKS]: {
|
},
|
||||||
[Permissions.USE]: false,
|
[PermissionTypes.BOOKMARKS]: { [Permissions.USE]: false },
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
await new Role(customUserRole).save();
|
await new Role(customUserRole).save();
|
||||||
|
|
||||||
await initializeRoles();
|
await initializeRoles();
|
||||||
|
|
||||||
const userRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const userRole = await getRoleByName(SystemRoles.USER);
|
||||||
|
expect(userRole.permissions[PermissionTypes.PROMPTS]).toEqual(
|
||||||
expect(userRole[PermissionTypes.PROMPTS]).toEqual(customUserRole[PermissionTypes.PROMPTS]);
|
customUserRole.permissions[PermissionTypes.PROMPTS],
|
||||||
expect(userRole[PermissionTypes.BOOKMARKS]).toEqual(customUserRole[PermissionTypes.BOOKMARKS]);
|
);
|
||||||
expect(userRole[PermissionTypes.AGENTS]).toBeDefined();
|
expect(userRole.permissions[PermissionTypes.BOOKMARKS]).toEqual(
|
||||||
|
customUserRole.permissions[PermissionTypes.BOOKMARKS],
|
||||||
|
);
|
||||||
|
expect(userRole.permissions[PermissionTypes.AGENTS]).toBeDefined();
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should add new permission types to existing roles', async () => {
|
it('should add new permission types to existing roles', async () => {
|
||||||
const partialUserRole = {
|
const partialUserRole = {
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: roleDefaults[SystemRoles.USER][PermissionTypes.PROMPTS],
|
permissions: {
|
||||||
[PermissionTypes.BOOKMARKS]: roleDefaults[SystemRoles.USER][PermissionTypes.BOOKMARKS],
|
[PermissionTypes.PROMPTS]:
|
||||||
|
roleDefaults[SystemRoles.USER].permissions[PermissionTypes.PROMPTS],
|
||||||
|
[PermissionTypes.BOOKMARKS]:
|
||||||
|
roleDefaults[SystemRoles.USER].permissions[PermissionTypes.BOOKMARKS],
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
await new Role(partialUserRole).save();
|
await new Role(partialUserRole).save();
|
||||||
|
|
||||||
await initializeRoles();
|
await initializeRoles();
|
||||||
|
|
||||||
const userRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const userRole = await getRoleByName(SystemRoles.USER);
|
||||||
|
expect(userRole.permissions[PermissionTypes.AGENTS]).toBeDefined();
|
||||||
expect(userRole[PermissionTypes.AGENTS]).toBeDefined();
|
expect(userRole.permissions[PermissionTypes.AGENTS].CREATE).toBeDefined();
|
||||||
expect(userRole[PermissionTypes.AGENTS].CREATE).toBeDefined();
|
expect(userRole.permissions[PermissionTypes.AGENTS].USE).toBeDefined();
|
||||||
expect(userRole[PermissionTypes.AGENTS].USE).toBeDefined();
|
expect(userRole.permissions[PermissionTypes.AGENTS].SHARED_GLOBAL).toBeDefined();
|
||||||
expect(userRole[PermissionTypes.AGENTS].SHARED_GLOBAL).toBeDefined();
|
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should handle multiple runs without duplicating or modifying data', async () => {
|
it('should handle multiple runs without duplicating or modifying data', async () => {
|
||||||
|
|
@ -349,72 +331,73 @@ describe('initializeRoles', () => {
|
||||||
expect(adminRoles).toHaveLength(1);
|
expect(adminRoles).toHaveLength(1);
|
||||||
expect(userRoles).toHaveLength(1);
|
expect(userRoles).toHaveLength(1);
|
||||||
|
|
||||||
const adminRole = adminRoles[0].toObject();
|
const adminPerms = adminRoles[0].toObject().permissions;
|
||||||
const userRole = userRoles[0].toObject();
|
const userPerms = userRoles[0].toObject().permissions;
|
||||||
|
|
||||||
// Check if all permission types exist
|
|
||||||
Object.values(PermissionTypes).forEach((permType) => {
|
Object.values(PermissionTypes).forEach((permType) => {
|
||||||
expect(adminRole[permType]).toBeDefined();
|
expect(adminPerms[permType]).toBeDefined();
|
||||||
expect(userRole[permType]).toBeDefined();
|
expect(userPerms[permType]).toBeDefined();
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should update roles with missing permission types from roleDefaults', async () => {
|
it('should update roles with missing permission types from roleDefaults', async () => {
|
||||||
const partialAdminRole = {
|
const partialAdminRole = {
|
||||||
name: SystemRoles.ADMIN,
|
name: SystemRoles.ADMIN,
|
||||||
[PermissionTypes.PROMPTS]: {
|
permissions: {
|
||||||
[Permissions.USE]: false,
|
[PermissionTypes.PROMPTS]: {
|
||||||
[Permissions.CREATE]: false,
|
[Permissions.USE]: false,
|
||||||
[Permissions.SHARED_GLOBAL]: false,
|
[Permissions.CREATE]: false,
|
||||||
|
[Permissions.SHARED_GLOBAL]: false,
|
||||||
|
},
|
||||||
|
[PermissionTypes.BOOKMARKS]:
|
||||||
|
roleDefaults[SystemRoles.ADMIN].permissions[PermissionTypes.BOOKMARKS],
|
||||||
},
|
},
|
||||||
[PermissionTypes.BOOKMARKS]: roleDefaults[SystemRoles.ADMIN][PermissionTypes.BOOKMARKS],
|
|
||||||
};
|
};
|
||||||
|
|
||||||
await new Role(partialAdminRole).save();
|
await new Role(partialAdminRole).save();
|
||||||
|
|
||||||
await initializeRoles();
|
await initializeRoles();
|
||||||
|
|
||||||
const adminRole = await Role.findOne({ name: SystemRoles.ADMIN }).lean();
|
const adminRole = await getRoleByName(SystemRoles.ADMIN);
|
||||||
|
expect(adminRole.permissions[PermissionTypes.PROMPTS]).toEqual(
|
||||||
expect(adminRole[PermissionTypes.PROMPTS]).toEqual(partialAdminRole[PermissionTypes.PROMPTS]);
|
partialAdminRole.permissions[PermissionTypes.PROMPTS],
|
||||||
expect(adminRole[PermissionTypes.AGENTS]).toBeDefined();
|
);
|
||||||
expect(adminRole[PermissionTypes.AGENTS].CREATE).toBeDefined();
|
expect(adminRole.permissions[PermissionTypes.AGENTS]).toBeDefined();
|
||||||
expect(adminRole[PermissionTypes.AGENTS].USE).toBeDefined();
|
expect(adminRole.permissions[PermissionTypes.AGENTS].CREATE).toBeDefined();
|
||||||
expect(adminRole[PermissionTypes.AGENTS].SHARED_GLOBAL).toBeDefined();
|
expect(adminRole.permissions[PermissionTypes.AGENTS].USE).toBeDefined();
|
||||||
|
expect(adminRole.permissions[PermissionTypes.AGENTS].SHARED_GLOBAL).toBeDefined();
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should include MULTI_CONVO permissions when creating default roles', async () => {
|
it('should include MULTI_CONVO permissions when creating default roles', async () => {
|
||||||
await initializeRoles();
|
await initializeRoles();
|
||||||
|
|
||||||
const adminRole = await Role.findOne({ name: SystemRoles.ADMIN }).lean();
|
const adminRole = await getRoleByName(SystemRoles.ADMIN);
|
||||||
const userRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const userRole = await getRoleByName(SystemRoles.USER);
|
||||||
|
|
||||||
expect(adminRole[PermissionTypes.MULTI_CONVO]).toBeDefined();
|
expect(adminRole.permissions[PermissionTypes.MULTI_CONVO]).toBeDefined();
|
||||||
expect(userRole[PermissionTypes.MULTI_CONVO]).toBeDefined();
|
expect(userRole.permissions[PermissionTypes.MULTI_CONVO]).toBeDefined();
|
||||||
|
expect(adminRole.permissions[PermissionTypes.MULTI_CONVO].USE).toBe(
|
||||||
// Check if MULTI_CONVO permissions match defaults
|
roleDefaults[SystemRoles.ADMIN].permissions[PermissionTypes.MULTI_CONVO].USE,
|
||||||
expect(adminRole[PermissionTypes.MULTI_CONVO].USE).toBe(
|
|
||||||
roleDefaults[SystemRoles.ADMIN][PermissionTypes.MULTI_CONVO].USE,
|
|
||||||
);
|
);
|
||||||
expect(userRole[PermissionTypes.MULTI_CONVO].USE).toBe(
|
expect(userRole.permissions[PermissionTypes.MULTI_CONVO].USE).toBe(
|
||||||
roleDefaults[SystemRoles.USER][PermissionTypes.MULTI_CONVO].USE,
|
roleDefaults[SystemRoles.USER].permissions[PermissionTypes.MULTI_CONVO].USE,
|
||||||
);
|
);
|
||||||
});
|
});
|
||||||
|
|
||||||
it('should add MULTI_CONVO permissions to existing roles without them', async () => {
|
it('should add MULTI_CONVO permissions to existing roles without them', async () => {
|
||||||
const partialUserRole = {
|
const partialUserRole = {
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: roleDefaults[SystemRoles.USER][PermissionTypes.PROMPTS],
|
permissions: {
|
||||||
[PermissionTypes.BOOKMARKS]: roleDefaults[SystemRoles.USER][PermissionTypes.BOOKMARKS],
|
[PermissionTypes.PROMPTS]:
|
||||||
|
roleDefaults[SystemRoles.USER].permissions[PermissionTypes.PROMPTS],
|
||||||
|
[PermissionTypes.BOOKMARKS]:
|
||||||
|
roleDefaults[SystemRoles.USER].permissions[PermissionTypes.BOOKMARKS],
|
||||||
|
},
|
||||||
};
|
};
|
||||||
|
|
||||||
await new Role(partialUserRole).save();
|
await new Role(partialUserRole).save();
|
||||||
|
|
||||||
await initializeRoles();
|
await initializeRoles();
|
||||||
|
|
||||||
const userRole = await Role.findOne({ name: SystemRoles.USER }).lean();
|
const userRole = await getRoleByName(SystemRoles.USER);
|
||||||
|
expect(userRole.permissions[PermissionTypes.MULTI_CONVO]).toBeDefined();
|
||||||
expect(userRole[PermissionTypes.MULTI_CONVO]).toBeDefined();
|
expect(userRole.permissions[PermissionTypes.MULTI_CONVO].USE).toBeDefined();
|
||||||
expect(userRole[PermissionTypes.MULTI_CONVO].USE).toBeDefined();
|
|
||||||
});
|
});
|
||||||
});
|
});
|
||||||
|
|
|
||||||
|
|
@ -17,9 +17,9 @@ const checkAccess = async (user, permissionType, permissions, bodyProps = {}, ch
|
||||||
}
|
}
|
||||||
|
|
||||||
const role = await getRoleByName(user.role);
|
const role = await getRoleByName(user.role);
|
||||||
if (role && role[permissionType]) {
|
if (role && role.permissions && role.permissions[permissionType]) {
|
||||||
const hasAnyPermission = permissions.some((permission) => {
|
const hasAnyPermission = permissions.some((permission) => {
|
||||||
if (role[permissionType][permission]) {
|
if (role.permissions[permissionType][permission]) {
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -29,7 +29,7 @@ const useHasAccess = ({
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isAuthenticated && user?.role != null && roles && roles[user.role]) {
|
if (isAuthenticated && user?.role != null && roles && roles[user.role]) {
|
||||||
return roles[user.role]?.[permissionType]?.[permission] === true;
|
return roles[user.role]?.permissions?.[permissionType]?.[permission] === true;
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
},
|
},
|
||||||
|
|
|
||||||
2
package-lock.json
generated
2
package-lock.json
generated
|
|
@ -43845,7 +43845,7 @@
|
||||||
},
|
},
|
||||||
"packages/data-schemas": {
|
"packages/data-schemas": {
|
||||||
"name": "@librechat/data-schemas",
|
"name": "@librechat/data-schemas",
|
||||||
"version": "0.0.5",
|
"version": "0.0.6",
|
||||||
"license": "MIT",
|
"license": "MIT",
|
||||||
"dependencies": {
|
"dependencies": {
|
||||||
"mongoose": "^8.12.1"
|
"mongoose": "^8.12.1"
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,7 @@ export * from './models';
|
||||||
/* mcp */
|
/* mcp */
|
||||||
export * from './mcp';
|
export * from './mcp';
|
||||||
/* RBAC */
|
/* RBAC */
|
||||||
|
export * from './permissions';
|
||||||
export * from './roles';
|
export * from './roles';
|
||||||
/* types (exports schemas from `./types` as they contain needed in other defs) */
|
/* types (exports schemas from `./types` as they contain needed in other defs) */
|
||||||
export * from './types';
|
export * from './types';
|
||||||
|
|
|
||||||
90
packages/data-provider/src/permissions.ts
Normal file
90
packages/data-provider/src/permissions.ts
Normal file
|
|
@ -0,0 +1,90 @@
|
||||||
|
import { z } from 'zod';
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enum for Permission Types
|
||||||
|
*/
|
||||||
|
export enum PermissionTypes {
|
||||||
|
/**
|
||||||
|
* Type for Prompt Permissions
|
||||||
|
*/
|
||||||
|
PROMPTS = 'PROMPTS',
|
||||||
|
/**
|
||||||
|
* Type for Bookmark Permissions
|
||||||
|
*/
|
||||||
|
BOOKMARKS = 'BOOKMARKS',
|
||||||
|
/**
|
||||||
|
* Type for Agent Permissions
|
||||||
|
*/
|
||||||
|
AGENTS = 'AGENTS',
|
||||||
|
/**
|
||||||
|
* Type for Multi-Conversation Permissions
|
||||||
|
*/
|
||||||
|
MULTI_CONVO = 'MULTI_CONVO',
|
||||||
|
/**
|
||||||
|
* Type for Temporary Chat
|
||||||
|
*/
|
||||||
|
TEMPORARY_CHAT = 'TEMPORARY_CHAT',
|
||||||
|
/**
|
||||||
|
* Type for using the "Run Code" LC Code Interpreter API feature
|
||||||
|
*/
|
||||||
|
RUN_CODE = 'RUN_CODE',
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Enum for Role-Based Access Control Constants
|
||||||
|
*/
|
||||||
|
export enum Permissions {
|
||||||
|
SHARED_GLOBAL = 'SHARED_GLOBAL',
|
||||||
|
USE = 'USE',
|
||||||
|
CREATE = 'CREATE',
|
||||||
|
UPDATE = 'UPDATE',
|
||||||
|
READ = 'READ',
|
||||||
|
READ_AUTHOR = 'READ_AUTHOR',
|
||||||
|
SHARE = 'SHARE',
|
||||||
|
}
|
||||||
|
|
||||||
|
export const promptPermissionsSchema = z.object({
|
||||||
|
[Permissions.SHARED_GLOBAL]: z.boolean().default(false),
|
||||||
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
|
[Permissions.CREATE]: z.boolean().default(true),
|
||||||
|
// [Permissions.SHARE]: z.boolean().default(false),
|
||||||
|
});
|
||||||
|
export type TPromptPermissions = z.infer<typeof promptPermissionsSchema>;
|
||||||
|
|
||||||
|
export const bookmarkPermissionsSchema = z.object({
|
||||||
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
|
});
|
||||||
|
export type TBookmarkPermissions = z.infer<typeof bookmarkPermissionsSchema>;
|
||||||
|
|
||||||
|
export const agentPermissionsSchema = z.object({
|
||||||
|
[Permissions.SHARED_GLOBAL]: z.boolean().default(false),
|
||||||
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
|
[Permissions.CREATE]: z.boolean().default(true),
|
||||||
|
// [Permissions.SHARE]: z.boolean().default(false),
|
||||||
|
});
|
||||||
|
export type TAgentPermissions = z.infer<typeof agentPermissionsSchema>;
|
||||||
|
|
||||||
|
export const multiConvoPermissionsSchema = z.object({
|
||||||
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
|
});
|
||||||
|
export type TMultiConvoPermissions = z.infer<typeof multiConvoPermissionsSchema>;
|
||||||
|
|
||||||
|
export const temporaryChatPermissionsSchema = z.object({
|
||||||
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
|
});
|
||||||
|
export type TTemporaryChatPermissions = z.infer<typeof temporaryChatPermissionsSchema>;
|
||||||
|
|
||||||
|
export const runCodePermissionsSchema = z.object({
|
||||||
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
|
});
|
||||||
|
export type TRunCodePermissions = z.infer<typeof runCodePermissionsSchema>;
|
||||||
|
|
||||||
|
// Define a single permissions schema that holds all permission types.
|
||||||
|
export const permissionsSchema = z.object({
|
||||||
|
[PermissionTypes.PROMPTS]: promptPermissionsSchema,
|
||||||
|
[PermissionTypes.BOOKMARKS]: bookmarkPermissionsSchema,
|
||||||
|
[PermissionTypes.AGENTS]: agentPermissionsSchema,
|
||||||
|
[PermissionTypes.MULTI_CONVO]: multiConvoPermissionsSchema,
|
||||||
|
[PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema,
|
||||||
|
[PermissionTypes.RUN_CODE]: runCodePermissionsSchema,
|
||||||
|
});
|
||||||
|
|
@ -1,4 +1,15 @@
|
||||||
import { z } from 'zod';
|
import { z } from 'zod';
|
||||||
|
import {
|
||||||
|
Permissions,
|
||||||
|
PermissionTypes,
|
||||||
|
permissionsSchema,
|
||||||
|
agentPermissionsSchema,
|
||||||
|
promptPermissionsSchema,
|
||||||
|
runCodePermissionsSchema,
|
||||||
|
bookmarkPermissionsSchema,
|
||||||
|
multiConvoPermissionsSchema,
|
||||||
|
temporaryChatPermissionsSchema,
|
||||||
|
} from './permissions';
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Enum for System Defined Roles
|
* Enum for System Defined Roles
|
||||||
|
|
@ -14,153 +25,72 @@ export enum SystemRoles {
|
||||||
USER = 'USER',
|
USER = 'USER',
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
// The role schema now only needs to reference the permissions schema.
|
||||||
* Enum for Permission Types
|
|
||||||
*/
|
|
||||||
export enum PermissionTypes {
|
|
||||||
/**
|
|
||||||
* Type for Prompt Permissions
|
|
||||||
*/
|
|
||||||
PROMPTS = 'PROMPTS',
|
|
||||||
/**
|
|
||||||
* Type for Bookmark Permissions
|
|
||||||
*/
|
|
||||||
BOOKMARKS = 'BOOKMARKS',
|
|
||||||
/**
|
|
||||||
* Type for Agent Permissions
|
|
||||||
*/
|
|
||||||
AGENTS = 'AGENTS',
|
|
||||||
/**
|
|
||||||
* Type for Multi-Conversation Permissions
|
|
||||||
*/
|
|
||||||
MULTI_CONVO = 'MULTI_CONVO',
|
|
||||||
/**
|
|
||||||
* Type for Temporary Chat
|
|
||||||
*/
|
|
||||||
TEMPORARY_CHAT = 'TEMPORARY_CHAT',
|
|
||||||
/**
|
|
||||||
* Type for using the "Run Code" LC Code Interpreter API feature
|
|
||||||
*/
|
|
||||||
RUN_CODE = 'RUN_CODE',
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
* Enum for Role-Based Access Control Constants
|
|
||||||
*/
|
|
||||||
export enum Permissions {
|
|
||||||
SHARED_GLOBAL = 'SHARED_GLOBAL',
|
|
||||||
USE = 'USE',
|
|
||||||
CREATE = 'CREATE',
|
|
||||||
UPDATE = 'UPDATE',
|
|
||||||
READ = 'READ',
|
|
||||||
READ_AUTHOR = 'READ_AUTHOR',
|
|
||||||
SHARE = 'SHARE',
|
|
||||||
}
|
|
||||||
|
|
||||||
export const promptPermissionsSchema = z.object({
|
|
||||||
[Permissions.SHARED_GLOBAL]: z.boolean().default(false),
|
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
|
||||||
[Permissions.CREATE]: z.boolean().default(true),
|
|
||||||
// [Permissions.SHARE]: z.boolean().default(false),
|
|
||||||
});
|
|
||||||
|
|
||||||
export const bookmarkPermissionsSchema = z.object({
|
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
|
||||||
});
|
|
||||||
|
|
||||||
export const agentPermissionsSchema = z.object({
|
|
||||||
[Permissions.SHARED_GLOBAL]: z.boolean().default(false),
|
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
|
||||||
[Permissions.CREATE]: z.boolean().default(true),
|
|
||||||
// [Permissions.SHARE]: z.boolean().default(false),
|
|
||||||
});
|
|
||||||
|
|
||||||
export const multiConvoPermissionsSchema = z.object({
|
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
|
||||||
});
|
|
||||||
|
|
||||||
export const temporaryChatPermissionsSchema = z.object({
|
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
|
||||||
});
|
|
||||||
|
|
||||||
export const runCodePermissionsSchema = z.object({
|
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
|
||||||
});
|
|
||||||
|
|
||||||
export const roleSchema = z.object({
|
export const roleSchema = z.object({
|
||||||
name: z.string(),
|
name: z.string(),
|
||||||
[PermissionTypes.PROMPTS]: promptPermissionsSchema,
|
permissions: permissionsSchema,
|
||||||
[PermissionTypes.BOOKMARKS]: bookmarkPermissionsSchema,
|
|
||||||
[PermissionTypes.AGENTS]: agentPermissionsSchema,
|
|
||||||
[PermissionTypes.MULTI_CONVO]: multiConvoPermissionsSchema,
|
|
||||||
[PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema,
|
|
||||||
[PermissionTypes.RUN_CODE]: runCodePermissionsSchema,
|
|
||||||
});
|
});
|
||||||
|
|
||||||
export type TRole = z.infer<typeof roleSchema>;
|
export type TRole = z.infer<typeof roleSchema>;
|
||||||
export type TAgentPermissions = z.infer<typeof agentPermissionsSchema>;
|
|
||||||
export type TPromptPermissions = z.infer<typeof promptPermissionsSchema>;
|
|
||||||
export type TBookmarkPermissions = z.infer<typeof bookmarkPermissionsSchema>;
|
|
||||||
export type TMultiConvoPermissions = z.infer<typeof multiConvoPermissionsSchema>;
|
|
||||||
export type TTemporaryChatPermissions = z.infer<typeof temporaryChatPermissionsSchema>;
|
|
||||||
export type TRunCodePermissions = z.infer<typeof runCodePermissionsSchema>;
|
|
||||||
|
|
||||||
|
// Define default roles using the new structure.
|
||||||
const defaultRolesSchema = z.object({
|
const defaultRolesSchema = z.object({
|
||||||
[SystemRoles.ADMIN]: roleSchema.extend({
|
[SystemRoles.ADMIN]: roleSchema.extend({
|
||||||
name: z.literal(SystemRoles.ADMIN),
|
name: z.literal(SystemRoles.ADMIN),
|
||||||
[PermissionTypes.PROMPTS]: promptPermissionsSchema.extend({
|
permissions: permissionsSchema.extend({
|
||||||
[Permissions.SHARED_GLOBAL]: z.boolean().default(true),
|
[PermissionTypes.PROMPTS]: promptPermissionsSchema.extend({
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
[Permissions.SHARED_GLOBAL]: z.boolean().default(true),
|
||||||
[Permissions.CREATE]: z.boolean().default(true),
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
// [Permissions.SHARE]: z.boolean().default(true),
|
[Permissions.CREATE]: z.boolean().default(true),
|
||||||
}),
|
// [Permissions.SHARE]: z.boolean().default(true),
|
||||||
[PermissionTypes.BOOKMARKS]: bookmarkPermissionsSchema.extend({
|
}),
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
[PermissionTypes.BOOKMARKS]: bookmarkPermissionsSchema.extend({
|
||||||
}),
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
[PermissionTypes.AGENTS]: agentPermissionsSchema.extend({
|
}),
|
||||||
[Permissions.SHARED_GLOBAL]: z.boolean().default(true),
|
[PermissionTypes.AGENTS]: agentPermissionsSchema.extend({
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
[Permissions.SHARED_GLOBAL]: z.boolean().default(true),
|
||||||
[Permissions.CREATE]: z.boolean().default(true),
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
// [Permissions.SHARE]: z.boolean().default(true),
|
[Permissions.CREATE]: z.boolean().default(true),
|
||||||
}),
|
// [Permissions.SHARE]: z.boolean().default(true),
|
||||||
[PermissionTypes.MULTI_CONVO]: multiConvoPermissionsSchema.extend({
|
}),
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
[PermissionTypes.MULTI_CONVO]: multiConvoPermissionsSchema.extend({
|
||||||
}),
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
[PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema.extend({
|
}),
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
[PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema.extend({
|
||||||
}),
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
[PermissionTypes.RUN_CODE]: runCodePermissionsSchema.extend({
|
}),
|
||||||
[Permissions.USE]: z.boolean().default(true),
|
[PermissionTypes.RUN_CODE]: runCodePermissionsSchema.extend({
|
||||||
|
[Permissions.USE]: z.boolean().default(true),
|
||||||
|
}),
|
||||||
}),
|
}),
|
||||||
}),
|
}),
|
||||||
[SystemRoles.USER]: roleSchema.extend({
|
[SystemRoles.USER]: roleSchema.extend({
|
||||||
name: z.literal(SystemRoles.USER),
|
name: z.literal(SystemRoles.USER),
|
||||||
[PermissionTypes.PROMPTS]: promptPermissionsSchema,
|
permissions: permissionsSchema,
|
||||||
[PermissionTypes.BOOKMARKS]: bookmarkPermissionsSchema,
|
|
||||||
[PermissionTypes.AGENTS]: agentPermissionsSchema,
|
|
||||||
[PermissionTypes.MULTI_CONVO]: multiConvoPermissionsSchema,
|
|
||||||
[PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema,
|
|
||||||
[PermissionTypes.RUN_CODE]: runCodePermissionsSchema,
|
|
||||||
}),
|
}),
|
||||||
});
|
});
|
||||||
|
|
||||||
export const roleDefaults = defaultRolesSchema.parse({
|
export const roleDefaults = defaultRolesSchema.parse({
|
||||||
[SystemRoles.ADMIN]: {
|
[SystemRoles.ADMIN]: {
|
||||||
name: SystemRoles.ADMIN,
|
name: SystemRoles.ADMIN,
|
||||||
[PermissionTypes.PROMPTS]: {},
|
permissions: {
|
||||||
[PermissionTypes.BOOKMARKS]: {},
|
[PermissionTypes.PROMPTS]: {},
|
||||||
[PermissionTypes.AGENTS]: {},
|
[PermissionTypes.BOOKMARKS]: {},
|
||||||
[PermissionTypes.MULTI_CONVO]: {},
|
[PermissionTypes.AGENTS]: {},
|
||||||
[PermissionTypes.TEMPORARY_CHAT]: {},
|
[PermissionTypes.MULTI_CONVO]: {},
|
||||||
[PermissionTypes.RUN_CODE]: {},
|
[PermissionTypes.TEMPORARY_CHAT]: {},
|
||||||
|
[PermissionTypes.RUN_CODE]: {},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
[SystemRoles.USER]: {
|
[SystemRoles.USER]: {
|
||||||
name: SystemRoles.USER,
|
name: SystemRoles.USER,
|
||||||
[PermissionTypes.PROMPTS]: {},
|
permissions: {
|
||||||
[PermissionTypes.BOOKMARKS]: {},
|
[PermissionTypes.PROMPTS]: {},
|
||||||
[PermissionTypes.AGENTS]: {},
|
[PermissionTypes.BOOKMARKS]: {},
|
||||||
[PermissionTypes.MULTI_CONVO]: {},
|
[PermissionTypes.AGENTS]: {},
|
||||||
[PermissionTypes.TEMPORARY_CHAT]: {},
|
[PermissionTypes.MULTI_CONVO]: {},
|
||||||
[PermissionTypes.RUN_CODE]: {},
|
[PermissionTypes.TEMPORARY_CHAT]: {},
|
||||||
|
[PermissionTypes.RUN_CODE]: {},
|
||||||
|
},
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
|
||||||
|
|
@ -1,5 +1,6 @@
|
||||||
import * as types from '../types';
|
import * as types from '../types';
|
||||||
import * as r from '../roles';
|
import * as r from '../roles';
|
||||||
|
import * as p from '../permissions';
|
||||||
import {
|
import {
|
||||||
Tools,
|
Tools,
|
||||||
Assistant,
|
Assistant,
|
||||||
|
|
@ -251,9 +252,9 @@ export type UpdatePermVars<T> = {
|
||||||
updates: Partial<T>;
|
updates: Partial<T>;
|
||||||
};
|
};
|
||||||
|
|
||||||
export type UpdatePromptPermVars = UpdatePermVars<r.TPromptPermissions>;
|
export type UpdatePromptPermVars = UpdatePermVars<p.TPromptPermissions>;
|
||||||
|
|
||||||
export type UpdateAgentPermVars = UpdatePermVars<r.TAgentPermissions>;
|
export type UpdateAgentPermVars = UpdatePermVars<p.TAgentPermissions>;
|
||||||
|
|
||||||
export type UpdatePermResponse = r.TRole;
|
export type UpdatePermResponse = r.TRole;
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
{
|
{
|
||||||
"name": "@librechat/data-schemas",
|
"name": "@librechat/data-schemas",
|
||||||
"version": "0.0.5",
|
"version": "0.0.6",
|
||||||
"description": "Mongoose schemas and models for LibreChat",
|
"description": "Mongoose schemas and models for LibreChat",
|
||||||
"type": "module",
|
"type": "module",
|
||||||
"main": "dist/index.cjs",
|
"main": "dist/index.cjs",
|
||||||
|
|
|
||||||
|
|
@ -3,88 +3,81 @@ import { PermissionTypes, Permissions } from 'librechat-data-provider';
|
||||||
|
|
||||||
export interface IRole extends Document {
|
export interface IRole extends Document {
|
||||||
name: string;
|
name: string;
|
||||||
[PermissionTypes.BOOKMARKS]?: {
|
permissions: {
|
||||||
[Permissions.USE]?: boolean;
|
[PermissionTypes.BOOKMARKS]?: {
|
||||||
};
|
[Permissions.USE]?: boolean;
|
||||||
[PermissionTypes.PROMPTS]?: {
|
};
|
||||||
[Permissions.SHARED_GLOBAL]?: boolean;
|
[PermissionTypes.PROMPTS]?: {
|
||||||
[Permissions.USE]?: boolean;
|
[Permissions.SHARED_GLOBAL]?: boolean;
|
||||||
[Permissions.CREATE]?: boolean;
|
[Permissions.USE]?: boolean;
|
||||||
};
|
[Permissions.CREATE]?: boolean;
|
||||||
[PermissionTypes.AGENTS]?: {
|
};
|
||||||
[Permissions.SHARED_GLOBAL]?: boolean;
|
[PermissionTypes.AGENTS]?: {
|
||||||
[Permissions.USE]?: boolean;
|
[Permissions.SHARED_GLOBAL]?: boolean;
|
||||||
[Permissions.CREATE]?: boolean;
|
[Permissions.USE]?: boolean;
|
||||||
};
|
[Permissions.CREATE]?: boolean;
|
||||||
[PermissionTypes.MULTI_CONVO]?: {
|
};
|
||||||
[Permissions.USE]?: boolean;
|
[PermissionTypes.MULTI_CONVO]?: {
|
||||||
};
|
[Permissions.USE]?: boolean;
|
||||||
[PermissionTypes.TEMPORARY_CHAT]?: {
|
};
|
||||||
[Permissions.USE]?: boolean;
|
[PermissionTypes.TEMPORARY_CHAT]?: {
|
||||||
};
|
[Permissions.USE]?: boolean;
|
||||||
[PermissionTypes.RUN_CODE]?: {
|
};
|
||||||
[Permissions.USE]?: boolean;
|
[PermissionTypes.RUN_CODE]?: {
|
||||||
|
[Permissions.USE]?: boolean;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Create a sub-schema for permissions. Notice we disable _id for this subdocument.
|
||||||
|
const rolePermissionsSchema = new Schema(
|
||||||
|
{
|
||||||
|
[PermissionTypes.BOOKMARKS]: {
|
||||||
|
[Permissions.USE]: { type: Boolean, default: true },
|
||||||
|
},
|
||||||
|
[PermissionTypes.PROMPTS]: {
|
||||||
|
[Permissions.SHARED_GLOBAL]: { type: Boolean, default: false },
|
||||||
|
[Permissions.USE]: { type: Boolean, default: true },
|
||||||
|
[Permissions.CREATE]: { type: Boolean, default: true },
|
||||||
|
},
|
||||||
|
[PermissionTypes.AGENTS]: {
|
||||||
|
[Permissions.SHARED_GLOBAL]: { type: Boolean, default: false },
|
||||||
|
[Permissions.USE]: { type: Boolean, default: true },
|
||||||
|
[Permissions.CREATE]: { type: Boolean, default: true },
|
||||||
|
},
|
||||||
|
[PermissionTypes.MULTI_CONVO]: {
|
||||||
|
[Permissions.USE]: { type: Boolean, default: true },
|
||||||
|
},
|
||||||
|
[PermissionTypes.TEMPORARY_CHAT]: {
|
||||||
|
[Permissions.USE]: { type: Boolean, default: true },
|
||||||
|
},
|
||||||
|
[PermissionTypes.RUN_CODE]: {
|
||||||
|
[Permissions.USE]: { type: Boolean, default: true },
|
||||||
|
},
|
||||||
|
},
|
||||||
|
{ _id: false },
|
||||||
|
);
|
||||||
|
|
||||||
const roleSchema: Schema<IRole> = new Schema({
|
const roleSchema: Schema<IRole> = new Schema({
|
||||||
name: {
|
name: { type: String, required: true, unique: true, index: true },
|
||||||
type: String,
|
permissions: {
|
||||||
required: true,
|
type: rolePermissionsSchema,
|
||||||
unique: true,
|
default: () => ({
|
||||||
index: true,
|
[PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
|
||||||
},
|
[PermissionTypes.PROMPTS]: {
|
||||||
[PermissionTypes.BOOKMARKS]: {
|
[Permissions.SHARED_GLOBAL]: false,
|
||||||
[Permissions.USE]: {
|
[Permissions.USE]: true,
|
||||||
type: Boolean,
|
[Permissions.CREATE]: true,
|
||||||
default: true,
|
},
|
||||||
},
|
[PermissionTypes.AGENTS]: {
|
||||||
},
|
[Permissions.SHARED_GLOBAL]: false,
|
||||||
[PermissionTypes.PROMPTS]: {
|
[Permissions.USE]: true,
|
||||||
[Permissions.SHARED_GLOBAL]: {
|
[Permissions.CREATE]: true,
|
||||||
type: Boolean,
|
},
|
||||||
default: false,
|
[PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
|
||||||
},
|
[PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
|
||||||
[Permissions.USE]: {
|
[PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
|
||||||
type: Boolean,
|
}),
|
||||||
default: true,
|
|
||||||
},
|
|
||||||
[Permissions.CREATE]: {
|
|
||||||
type: Boolean,
|
|
||||||
default: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
[PermissionTypes.AGENTS]: {
|
|
||||||
[Permissions.SHARED_GLOBAL]: {
|
|
||||||
type: Boolean,
|
|
||||||
default: false,
|
|
||||||
},
|
|
||||||
[Permissions.USE]: {
|
|
||||||
type: Boolean,
|
|
||||||
default: true,
|
|
||||||
},
|
|
||||||
[Permissions.CREATE]: {
|
|
||||||
type: Boolean,
|
|
||||||
default: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
[PermissionTypes.MULTI_CONVO]: {
|
|
||||||
[Permissions.USE]: {
|
|
||||||
type: Boolean,
|
|
||||||
default: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
[PermissionTypes.TEMPORARY_CHAT]: {
|
|
||||||
[Permissions.USE]: {
|
|
||||||
type: Boolean,
|
|
||||||
default: true,
|
|
||||||
},
|
|
||||||
},
|
|
||||||
[PermissionTypes.RUN_CODE]: {
|
|
||||||
[Permissions.USE]: {
|
|
||||||
type: Boolean,
|
|
||||||
default: true,
|
|
||||||
},
|
|
||||||
},
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue