refactor: Implement permission checks for file access via agents

- Updated `hasAccessToFilesViaAgent` to utilize permission checks for VIEW and EDIT access. - Replaced project-based access validation with permission-based checks. - Enhanced tests to cover new permission logic and ensure proper access control for files associated with agents. - Cleaned up imports and initialized models in test files for consistency.
2025-12-20 18:30:15 +01:00 · 2025-07-14 20:24:40 -04:00 · 2025-07-14 20:24:40 -04:00 · 35c66b39c8
commit 35c66b39c8
parent 4caac90909
5 changed files with 512 additions and 270 deletions
--- a/api/server/routes/files/files.js
+++ b/api/server/routes/files/files.js
@ -5,8 +5,8 @@ const {
  Time,
  isUUID,
  CacheKeys,
-  Constants,
  FileSources,
+  PERMISSION_BITS,
  EModelEndpoint,
  isAgentsEndpoint,
  checkOpenAIStorage,
@ -20,9 +20,9 @@ const {
 const { getFiles, batchUpdateFiles, hasAccessToFilesViaAgent } = require('~/models/File');
 const { getStrategyFunctions } = require('~/server/services/Files/strategies');
 const { getOpenAIClient } = require('~/server/controllers/assistants/helpers');
+const { checkPermission } = require('~/server/services/PermissionService');
 const { loadAuthValues } = require('~/server/services/Tools/credentials');
 const { refreshS3FileUrls } = require('~/server/services/Files/S3/crud');
-const { getProjectByName } = require('~/models/Project');
 const { getAssistant } = require('~/models/Assistant');
 const { getAgent } = require('~/models/Agent');
 const { getLogStores } = require('~/cache');
@ -77,14 +77,15 @@ router.get('/agent/:agent_id', async (req, res) => {

    // Check if user has access to the agent
    if (agent.author.toString() !== userId) {
-      // Non-authors need the agent to be globally shared and collaborative
-      const globalProject = await getProjectByName(Constants.GLOBAL_PROJECT_NAME, '_id');
+      // Non-authors need at least EDIT permission to view agent files
+      const hasEditPermission = await checkPermission({
+        userId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        requiredPermission: PERMISSION_BITS.EDIT,
+      });

-      if (
-        !globalProject ||
-        !agent.projectIds.some((pid) => pid.toString() === globalProject._id.toString()) ||
-        !agent.isCollaborative
-      ) {
+      if (!hasEditPermission) {
        return res.status(200).json([]);
      }
    }