Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2025-12-20 18:30:15 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

refactor permission service with reuse of model methods from data-schema package

Browse source
This commit is contained in:
Atef Bellaaj 2025-06-12 18:11:25 +02:00 committed by Danny Avila
parent 25b97ba388
commit 5979efd607
No known key found for this signature in database
GPG key ID: BF31EEB2C5CA0956
2 changed files with 22 additions and 96 deletions
Download patch file Download diff file Expand all files Collapse all files

87
api/server/services/PermissionService.js
View file

@ -13,6 +13,10 @@ const {
createUser, createUser,
updateUser, updateUser,
findUser, findUser,
grantPermission: grantPermissionACL,
findAccessibleResources: findAccessibleResourcesACL,
hasPermission,
getEffectivePermissions: getEffectivePermissionsACL,
} = require('~/models'); } = require('~/models');
const { AclEntry, AccessRole, Group } = require('~/db/models'); const { AclEntry, AccessRole, Group } = require('~/db/models');
@ -72,34 +76,15 @@ const grantPermission = async ({
`Role ${accessRoleId} is for ${role.resourceType} resources, not ${resourceType}`, `Role ${accessRoleId} is for ${role.resourceType} resources, not ${resourceType}`,
); );
} }
return await grantPermissionACL(
const query = {
principalType, principalType,
principalId,
resourceType, resourceType,
resourceId, resourceId,
}; role.permBits,
grantedBy,
if (principalType !== 'public') { session,
query.principalId = principalId; );
query.principalModel = principalType === 'user' ? 'User' : 'Group';
}
const update = {
$set: {
permBits: role.permBits,
roleId: role._id,
grantedBy,
grantedAt: new Date(),
},
};
const options = {
upsert: true,
new: true,
...(session ? { session } : {}),
};
return await AclEntry.findOneAndUpdate(query, update, options);
} catch (error) { } catch (error) {
logger.error(`[PermissionService.grantPermission] Error: ${error.message}`); logger.error(`[PermissionService.grantPermission] Error: ${error.message}`);
throw error; throw error;
@ -128,18 +113,7 @@ const checkPermission = async ({ userId, resourceType, resourceId, requiredPermi
return false; return false;
} }
// Find any ACL entry matching the principals, resource, and check if it has all required permission bits return await hasPermission(principals, resourceType, resourceId, requiredPermission);
const entry = await AclEntry.findOne({
$or: principals.map((p) => ({
principalType: p.principalType,
...(p.principalType !== 'public' && { principalId: p.principalId }),
})),
resourceType,
resourceId,
permBits: { $bitsAllSet: requiredPermission },
}).lean();
return !!entry;
} catch (error) { } catch (error) {
logger.error(`[PermissionService.checkPermission] Error: ${error.message}`); logger.error(`[PermissionService.checkPermission] Error: ${error.message}`);
// Re-throw validation errors // Re-throw validation errors
@ -166,27 +140,7 @@ const getEffectivePermissions = async ({ userId, resourceType, resourceId }) =>
if (principals.length === 0) { if (principals.length === 0) {
return 0; return 0;
} }
return await getEffectivePermissionsACL(principals, resourceType, resourceId);
// Find all matching ACL entries
const aclEntries = await AclEntry.find({
$or: principals.map((p) => ({
principalType: p.principalType,
...(p.principalType !== 'public' && { principalId: p.principalId }),
})),
resourceType,
resourceId,
}).lean();
if (aclEntries.length === 0) {
return 0;
}
let effectiveBits = 0;
for (const entry of aclEntries) {
effectiveBits |= entry.permBits;
}
return effectiveBits;
} catch (error) { } catch (error) {
logger.error(`[PermissionService.getEffectivePermissions] Error: ${error.message}`); logger.error(`[PermissionService.getEffectivePermissions] Error: ${error.message}`);
return 0; return 0;
@ -208,23 +162,12 @@ const findAccessibleResources = async ({ userId, resourceType, requiredPermissio
} }
// Get all principals for the user (user + groups + public) // Get all principals for the user (user + groups + public)
const principals = await getUserPrincipals(userId); const principalsList = await getUserPrincipals(userId);
if (principals.length === 0) { if (principalsList.length === 0) {
return []; return [];
} }
return await findAccessibleResourcesACL(principalsList, resourceType, requiredPermissions);
// Find all matching ACL entries where user has at least the required permission bits
const entries = await AclEntry.find({
$or: principals.map((p) => ({
principalType: p.principalType,
...(p.principalType !== 'public' && { principalId: p.principalId }),
})),
resourceType,
permBits: { $bitsAllSet: requiredPermissions },
}).distinct('resourceId');
return entries;
} catch (error) { } catch (error) {
logger.error(`[PermissionService.findAccessibleResources] Error: ${error.message}`); logger.error(`[PermissionService.findAccessibleResources] Error: ${error.message}`);
// Re-throw validation errors // Re-throw validation errors

31
packages/data-schemas/src/methods/aclEntry.ts
View file

@ -85,7 +85,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
$or: principalsQuery, $or: principalsQuery,
resourceType, resourceType,
resourceId, resourceId,
permBits: { $bitsAnySet: permissionBit }, permBits: { $bitsAllSet: permissionBit },
}).lean(); }).lean();
return !!entry; return !!entry;
@ -96,22 +96,13 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
* @param principalsList - List of principals, each containing { principalType, principalId } * @param principalsList - List of principals, each containing { principalType, principalId }
* @param resourceType - The type of resource * @param resourceType - The type of resource
* @param resourceId - The ID of the resource * @param resourceId - The ID of the resource
* @returns Object with effectiveBits (combined permissions) and sources (individual entries) * @returns {Promise<number>} Effective permission bitmask
*/ */
async function getEffectivePermissions( async function getEffectivePermissions(
principalsList: Array<{ principalType: string; principalId?: string | Types.ObjectId }>, principalsList: Array<{ principalType: string; principalId?: string | Types.ObjectId }>,
resourceType: string, resourceType: string,
resourceId: string | Types.ObjectId, resourceId: string | Types.ObjectId,
): Promise<{ ): Promise<number> {
effectiveBits: number;
sources: Array<{
from: string;
principalId?: Types.ObjectId;
permBits: number;
direct: boolean;
inheritedFrom?: Types.ObjectId;
}>;
}> {
const aclEntries = await findEntriesByPrincipalsAndResource( const aclEntries = await findEntriesByPrincipalsAndResource(
principalsList, principalsList,
resourceType, resourceType,
@ -119,18 +110,10 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
); );
let effectiveBits = 0; let effectiveBits = 0;
const sources = aclEntries.map((entry) => { for (const entry of aclEntries) {
effectiveBits |= entry.permBits; effectiveBits |= entry.permBits;
return { }
from: entry.principalType, return effectiveBits;
principalId: entry.principalId,
permBits: entry.permBits,
direct: !entry.inheritedFrom,
inheritedFrom: entry.inheritedFrom,
};
});
return { effectiveBits, sources };
} }
/** /**
@ -286,7 +269,7 @@ export function createAclEntryMethods(mongoose: typeof import('mongoose')) {
const entries = await AclEntry.find({ const entries = await AclEntry.find({
$or: principalsQuery, $or: principalsQuery,
resourceType, resourceType,
permBits: { $bitsAnySet: requiredPermBit }, permBits: { $bitsAllSet: requiredPermBit },
}).distinct('resourceId'); }).distinct('resourceId');
return entries; return entries;