feat: Add role-level permissions for agent sharing people picker

- Add PEOPLE_PICKER permission type with VIEW_USERS and VIEW_GROUPS permissions - Create custom middleware for query-aware permission validation - Implement permission-based type filtering in PeoplePicker component - Hide people picker UI when user lacks permissions, show only public toggle - Support granular access: users-only, groups-only, or mixed search modes
2025-12-20 02:10:15 +01:00 · 2025-07-01 14:25:48 +02:00 · 2025-07-01 14:25:48 +02:00 · 73fb4181fe
commit 73fb4181fe
parent b03341517d
11 changed files with 220 additions and 32 deletions
--- a/api/server/middleware/checkPeoplePickerAccess.js
+++ b/api/server/middleware/checkPeoplePickerAccess.js
@ -0,0 +1,72 @@
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+/**
+ * Middleware to check if user has permission to access people picker functionality
+ * Checks specific permission based on the 'type' query parameter:
+ * - type=user: requires VIEW_USERS permission
+ * - type=group: requires VIEW_GROUPS permission
+ * - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS
+ */
+const checkPeoplePickerAccess = async (req, res, next) => {
+  try {
+    const user = req.user;
+    if (!user || !user.role) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    const role = await getRoleByName(user.role);
+    if (!role || !role.permissions) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'No permissions configured for user role',
+      });
+    }
+
+    const { type } = req.query;
+    const peoplePickerPerms = role.permissions[PermissionTypes.PEOPLE_PICKER] || {};
+    const canViewUsers = peoplePickerPerms[Permissions.VIEW_USERS] === true;
+    const canViewGroups = peoplePickerPerms[Permissions.VIEW_GROUPS] === true;
+
+    if (type === 'user') {
+      if (!canViewUsers) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for users',
+        });
+      }
+    } else if (type === 'group') {
+      if (!canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for groups',
+        });
+      }
+    } else {
+      if (!canViewUsers || !canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for both users and groups',
+        });
+      }
+    }
+    next();
+  } catch (error) {
+    logger.error(
+      `[checkPeoplePickerAccess][${req.user?.id}] checkPeoplePickerAccess error for req.query.type = ${req.query.type}`,
+      error,
+    );
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check permissions',
+    });
+  }
+};
+
+module.exports = {
+  checkPeoplePickerAccess,
+};