feat: Add role-level permissions for agent sharing people picker

- Add PEOPLE_PICKER permission type with VIEW_USERS and VIEW_GROUPS permissions - Create custom middleware for query-aware permission validation - Implement permission-based type filtering in PeoplePicker component - Hide people picker UI when user lacks permissions, show only public toggle - Support granular access: users-only, groups-only, or mixed search modes
2025-12-28 06:08:50 +01:00 · 2025-07-01 14:25:48 +02:00 · 2025-07-01 14:25:48 +02:00 · 73fb4181fe
commit 73fb4181fe
parent b03341517d
11 changed files with 220 additions and 32 deletions
--- a/api/server/middleware/checkPeoplePickerAccess.js
+++ b/api/server/middleware/checkPeoplePickerAccess.js
@ -0,0 +1,72 @@
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+/**
+ * Middleware to check if user has permission to access people picker functionality
+ * Checks specific permission based on the 'type' query parameter:
+ * - type=user: requires VIEW_USERS permission
+ * - type=group: requires VIEW_GROUPS permission
+ * - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS
+ */
+const checkPeoplePickerAccess = async (req, res, next) => {
+  try {
+    const user = req.user;
+    if (!user || !user.role) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    const role = await getRoleByName(user.role);
+    if (!role || !role.permissions) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'No permissions configured for user role',
+      });
+    }
+
+    const { type } = req.query;
+    const peoplePickerPerms = role.permissions[PermissionTypes.PEOPLE_PICKER] || {};
+    const canViewUsers = peoplePickerPerms[Permissions.VIEW_USERS] === true;
+    const canViewGroups = peoplePickerPerms[Permissions.VIEW_GROUPS] === true;
+
+    if (type === 'user') {
+      if (!canViewUsers) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for users',
+        });
+      }
+    } else if (type === 'group') {
+      if (!canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for groups',
+        });
+      }
+    } else {
+      if (!canViewUsers || !canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for both users and groups',
+        });
+      }
+    }
+    next();
+  } catch (error) {
+    logger.error(
+      `[checkPeoplePickerAccess][${req.user?.id}] checkPeoplePickerAccess error for req.query.type = ${req.query.type}`,
+      error,
+    );
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check permissions',
+    });
+  }
+};
+
+module.exports = {
+  checkPeoplePickerAccess,
+};
--- a/api/server/routes/accessPermissions.js
+++ b/api/server/routes/accessPermissions.js
@ -8,6 +8,7 @@ const {
  searchPrincipals,
 } = require('~/server/controllers/PermissionsController');
 const { requireJwtAuth, checkBan, uaParser, canAccessResource } = require('~/server/middleware');
+const { checkPeoplePickerAccess } = require('~/server/middleware/checkPeoplePickerAccess');

 const router = express.Router();

@ -25,7 +26,7 @@ router.use(uaParser);
 * GET /api/permissions/search-principals
 * Search for users and groups to grant permissions
 */
-router.get('/search-principals', searchPrincipals);
+router.get('/search-principals', checkPeoplePickerAccess, searchPrincipals);

 /**
 * GET /api/permissions/{resourceType}/roles
--- a/api/server/services/start/interface.js
+++ b/api/server/services/start/interface.js
@ -51,6 +51,16 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
    runCode: interfaceConfig?.runCode ?? defaults.runCode,
    webSearch: interfaceConfig?.webSearch ?? defaults.webSearch,
    customWelcome: interfaceConfig?.customWelcome ?? defaults.customWelcome,
+    peoplePicker: {
+      admin: {
+        users: interfaceConfig?.peoplePicker?.admin?.users ?? defaults.peoplePicker.admin.users,
+        groups: interfaceConfig?.peoplePicker?.admin?.groups ?? defaults.peoplePicker.admin.groups,
+      },
+      user: {
+        users: interfaceConfig?.peoplePicker?.user?.users ?? defaults.peoplePicker.user.users,
+        groups: interfaceConfig?.peoplePicker?.user?.groups ?? defaults.peoplePicker.user.groups,
+      },
+    },
  });

  await updateAccessPermissions(roleName, {
@ -65,6 +75,10 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
    [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
    [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
    [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: loadedInterface.webSearch },
+    [PermissionTypes.PEOPLE_PICKER]: {
+      [Permissions.VIEW_USERS]: loadedInterface.peoplePicker.user?.users,
+      [Permissions.VIEW_GROUPS]: loadedInterface.peoplePicker.user?.groups,
+    },
  });
  await updateAccessPermissions(SystemRoles.ADMIN, {
    [PermissionTypes.PROMPTS]: { [Permissions.USE]: loadedInterface.prompts },
@ -78,6 +92,10 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
    [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
    [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
    [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: loadedInterface.webSearch },
+    [PermissionTypes.PEOPLE_PICKER]: {
+      [Permissions.VIEW_USERS]: loadedInterface.peoplePicker.admin?.users,
+      [Permissions.VIEW_GROUPS]: loadedInterface.peoplePicker.admin?.groups,
+    },
  });

  let i = 0;