🛡️ fix: Restrict System Grants to Role Principals (#12491)

* 🛡️ fix: restrict system grants to role principals only

Narrows GrantPrincipalType to PrincipalType.ROLE, rejecting GROUP and
USER with 400. Removes grant cascade cleanup from group/user deletion
handlers and their route wiring since only roles can hold grants.

* 🛡️ fix: address review findings for grants roles-only restriction

Add missing GROUP rejection test for revokeGrant (symmetric with
getPrincipalGrants and assignGrant coverage), add extensibility comment
to GrantPrincipalType, and document the checkRoleExists guard.
Dustin Healy 2026-03-31 16:25:14 -07:00 committed by GitHub
parent 2e706ebcb3
commit 2451bf54cf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 54 additions and 157 deletions


@ -24,7 +24,6 @@ const handlers = createAdminGroupsHandlers({
findUsers: db.findUsers,
deleteConfig: db.deleteConfig,
deleteAclEntries: db.deleteAclEntries,
deleteGrantsForPrincipal: db.deleteGrantsForPrincipal,
});
router.use(requireJwtAuth, requireAdminAccess);
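
Review bot: Dropping the deleteGrantsForPrincipal dependency from createAdminGroupsHandlers means that grant rows written for GROUP principals before this restriction are no longer cleaned up when the group is deleted, and nothing in this hunk removes them up front. Since new GROUP grants are now rejected with 400, consider shipping a one-time migration that deletes existing grants whose principal type is not ROLE, or keep this cascade in place until the stored data has been confirmed clean, so that stale rows cannot take effect if the allowed principal types are widened later.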


@ -17,7 +17,6 @@ const handlers = createAdminUsersHandlers({
deleteUserById: db.deleteUserById,
deleteConfig: db.deleteConfig,
deleteAclEntries: db.deleteAclEntries,
deleteGrantsForPrincipal: db.deleteGrantsForPrincipal,
});
router.use(requireJwtAuth, requireAdminAccess);
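
Review bot: After this change the createAdminUsersHandlers wiring still passes deleteAclEntries but no longer passes deleteGrantsForPrincipal, and the asymmetry is not explained where a later reader would see it. Add a short comment beside the dependency list stating that grants are roles-only and that this cascade must be restored if USER is ever added back to GrantPrincipalType, and consider a test that asserts user deletion leaves no grant rows for that user ID so that a regression is caught.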