🛡️ refactor: Scope Action Mutations by Parent Resource Ownership (#12237)

* 🛡️ fix: Scope action mutations by parent resource ownership Prevent cross-tenant action overwrites by validating that an existing action's agent_id/assistant_id matches the URL parameter before allowing updates or deletes. Without this, a user with EDIT access on their own agent could reference a foreign action_id to hijack another agent's action record. * 🛡️ fix: Harden action ownership checks and scope write filters - Remove && short-circuit that bypassed the guard when agent_id or assistant_id was falsy (e.g. assistant-owned actions have no agent_id, so the check was skipped entirely on the agents route). - Include agent_id / assistant_id in the updateAction and deleteAction query filters so the DB write itself enforces ownership atomically. - Log a warning when deleteAction returns null (silent no-op from data-integrity mismatch). * 📝 docs: Update Action model JSDoc to reflect scoped query params * ✅ test: Add Action ownership scoping tests Cover update, delete, and cross-type protection scenarios using MongoMemoryServer to verify that scoped query filters (agent_id, assistant_id) prevent cross-tenant overwrites and deletions at the database level. * 🛡️ fix: Scope updateAction filter in agent duplication handler * 🐛 fix: Use action metadata domain instead of action_id when duplicating agent actions The duplicate handler was splitting `action.action_id` by `actionDelimiter` to extract the domain, but `action_id` is a bare nanoid that doesn't contain the delimiter. This produced malformed entries in the duplicated agent's actions array (nanoid_action_newNanoid instead of domain_action_newNanoid). The domain is available on `action.metadata.domain`. * ✅ test: Add integration tests for agent duplication action handling Uses MongoMemoryServer with real Agent and Action models to verify: - Duplicated actions use metadata.domain (not action_id) for the agent actions array entries - Sensitive metadata fields are stripped from duplicated actions - Original action documents are not modified
2026-03-16 20:56:35 +01:00 · 2026-03-15 10:19:29 -04:00 · 2026-03-15 10:19:29 -04:00 · 0c27ad2d55
commit 0c27ad2d55
parent 7c39a45944
6 changed files with 437 additions and 14 deletions
--- a/api/server/routes/agents/actions.js
+++ b/api/server/routes/agents/actions.js
@ -143,6 +143,9 @@ router.post(

      if (actions_result && actions_result.length) {
        const action = actions_result[0];
+        if (action.agent_id !== agent_id) {
+          return res.status(403).json({ message: 'Action does not belong to this agent' });
+        }
        metadata = { ...action.metadata, ...metadata };
      }

@ -184,7 +187,7 @@ router.post(
      }

      /** @type {[Action]} */
-      const updatedAction = await updateAction({ action_id }, actionUpdateData);
+      const updatedAction = await updateAction({ action_id, agent_id }, actionUpdateData);

      const sensitiveFields = ['api_key', 'oauth_client_id', 'oauth_client_secret'];
      for (let field of sensitiveFields) {
@ -251,7 +254,13 @@ router.delete(
        { tools: updatedTools, actions: updatedActions },
        { updatingUserId: req.user.id, forceVersion: true },
      );
-      await deleteAction({ action_id });
+      const deleted = await deleteAction({ action_id, agent_id });
+      if (!deleted) {
+        logger.warn('[Agent Action Delete] No matching action document found', {
+          action_id,
+          agent_id,
+        });
+      }
      res.status(200).json({ message: 'Action deleted successfully' });
    } catch (error) {
      const message = 'Trouble deleting the Agent Action';
--- a/api/server/routes/assistants/actions.js
+++ b/api/server/routes/assistants/actions.js
@ -60,6 +60,9 @@ router.post('/:assistant_id', async (req, res) => {

    if (actions_result && actions_result.length) {
      const action = actions_result[0];
+      if (action.assistant_id !== assistant_id) {
+        return res.status(403).json({ message: 'Action does not belong to this assistant' });
+      }
      metadata = { ...action.metadata, ...metadata };
    }

@ -117,7 +120,7 @@ router.post('/:assistant_id', async (req, res) => {
      // For new actions, use the assistant owner's user ID
      actionUpdateData.user = assistant_user || req.user.id;
    }
-    promises.push(updateAction({ action_id }, actionUpdateData));
+    promises.push(updateAction({ action_id, assistant_id }, actionUpdateData));

    /** @type {[AssistantDocument, Action]} */
    let [assistantDocument, updatedAction] = await Promise.all(promises);
@ -196,9 +199,15 @@ router.delete('/:assistant_id/:action_id/:model', async (req, res) => {
      assistantUpdateData.user = req.user.id;
    }
    promises.push(updateAssistantDoc({ assistant_id }, assistantUpdateData));
-    promises.push(deleteAction({ action_id }));
+    promises.push(deleteAction({ action_id, assistant_id }));

-    await Promise.all(promises);
+    const [, deletedAction] = await Promise.all(promises);
+    if (!deletedAction) {
+      logger.warn('[Assistant Action Delete] No matching action document found', {
+        action_id,
+        assistant_id,
+      });
+    }
    res.status(200).json({ message: 'Action deleted successfully' });
  } catch (error) {
    const message = 'Trouble deleting the Assistant Action';