feat: Add role-level permissions for agent sharing people picker

- Add PEOPLE_PICKER permission type with VIEW_USERS and VIEW_GROUPS permissions - Create custom middleware for query-aware permission validation - Implement permission-based type filtering in PeoplePicker component - Hide people picker UI when user lacks permissions, show only public toggle - Support granular access: users-only, groups-only, or mixed search modes
2026-01-06 10:38:50 +01:00 · 2025-07-01 14:25:48 +02:00 · 2025-07-01 14:25:48 +02:00 · 73fb4181fe
commit 73fb4181fe
parent b03341517d
11 changed files with 220 additions and 32 deletions
--- a/packages/data-provider/src/config.ts
+++ b/packages/data-provider/src/config.ts
@ -488,7 +488,7 @@ const mcpServersSchema = z.object({

 export type TMcpServersConfig = z.infer<typeof mcpServersSchema>;

-export const intefaceSchema = z
+export const interfaceSchema = z
  .object({
    privacyPolicy: z
      .object({
@ -513,6 +513,22 @@ export const intefaceSchema = z
    temporaryChatRetention: z.number().min(1).max(8760).optional(),
    runCode: z.boolean().optional(),
    webSearch: z.boolean().optional(),
+    peoplePicker: z
+      .object({
+        admin: z
+          .object({
+            users: z.boolean().optional(),
+            groups: z.boolean().optional(),
+          })
+          .optional(),
+        user: z
+          .object({
+            users: z.boolean().optional(),
+            groups: z.boolean().optional(),
+          })
+          .optional(),
+      })
+      .optional(),
  })
  .default({
    endpointsMenu: true,
@ -528,9 +544,19 @@ export const intefaceSchema = z
    temporaryChat: true,
    runCode: true,
    webSearch: true,
+    peoplePicker: {
+      admin: {
+        users: true,
+        groups: true,
+      },
+      user: {
+        users: false,
+        groups: false,
+      },
+    },
  });

-export type TInterfaceConfig = z.infer<typeof intefaceSchema>;
+export type TInterfaceConfig = z.infer<typeof interfaceSchema>;
 export type TBalanceConfig = z.infer<typeof balanceSchema>;

 export const turnstileOptionsSchema = z
@ -748,7 +774,7 @@ export const configSchema = z.object({
  includedTools: z.array(z.string()).optional(),
  filteredTools: z.array(z.string()).optional(),
  mcpServers: MCPServersSchema.optional(),
-  interface: intefaceSchema,
+  interface: interfaceSchema,
  turnstile: turnstileSchema.optional(),
  fileStrategy: fileSourceSchema.default(FileSources.local),
  actions: z
--- a/packages/data-provider/src/permissions.ts
+++ b/packages/data-provider/src/permissions.ts
@ -36,6 +36,10 @@ export enum PermissionTypes {
   * Type for using the "Web Search" feature
   */
  WEB_SEARCH = 'WEB_SEARCH',
+  /**
+   * Type for People Picker Permissions
+   */
+  PEOPLE_PICKER = 'PEOPLE_PICKER',
 }

 /**
@ -51,6 +55,8 @@ export enum Permissions {
  SHARE = 'SHARE',
  /** Can disable if desired */
  OPT_OUT = 'OPT_OUT',
+  VIEW_USERS = 'VIEW_USERS',
+  VIEW_GROUPS = 'VIEW_GROUPS',
 }

 export const promptPermissionsSchema = z.object({
@ -103,6 +109,12 @@ export const webSearchPermissionsSchema = z.object({
 });
 export type TWebSearchPermissions = z.infer<typeof webSearchPermissionsSchema>;

+export const peoplePickerPermissionsSchema = z.object({
+  [Permissions.VIEW_USERS]: z.boolean().default(true),
+  [Permissions.VIEW_GROUPS]: z.boolean().default(true),
+});
+export type TPeoplePickerPermissions = z.infer<typeof peoplePickerPermissionsSchema>;
+
 // Define a single permissions schema that holds all permission types.
 export const permissionsSchema = z.object({
  [PermissionTypes.PROMPTS]: promptPermissionsSchema,
@ -113,4 +125,5 @@ export const permissionsSchema = z.object({
  [PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema,
  [PermissionTypes.RUN_CODE]: runCodePermissionsSchema,
  [PermissionTypes.WEB_SEARCH]: webSearchPermissionsSchema,
+  [PermissionTypes.PEOPLE_PICKER]: peoplePickerPermissionsSchema,
 });
--- a/packages/data-provider/src/roles.ts
+++ b/packages/data-provider/src/roles.ts
@ -11,6 +11,7 @@ import {
  bookmarkPermissionsSchema,
  multiConvoPermissionsSchema,
  temporaryChatPermissionsSchema,
+  peoplePickerPermissionsSchema,
 } from './permissions';

 /**
@ -74,6 +75,10 @@ const defaultRolesSchema = z.object({
      [PermissionTypes.WEB_SEARCH]: webSearchPermissionsSchema.extend({
        [Permissions.USE]: z.boolean().default(true),
      }),
+      [PermissionTypes.PEOPLE_PICKER]: peoplePickerPermissionsSchema.extend({
+        [Permissions.VIEW_USERS]: z.boolean().default(true),
+        [Permissions.VIEW_GROUPS]: z.boolean().default(true),
+      }),
    }),
  }),
  [SystemRoles.USER]: roleSchema.extend({
@ -118,6 +123,10 @@ export const roleDefaults = defaultRolesSchema.parse({
      [PermissionTypes.WEB_SEARCH]: {
        [Permissions.USE]: true,
      },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_USERS]: true,
+        [Permissions.VIEW_GROUPS]: true,
+      },
    },
  },
  [SystemRoles.USER]: {
@ -131,6 +140,10 @@ export const roleDefaults = defaultRolesSchema.parse({
      [PermissionTypes.TEMPORARY_CHAT]: {},
      [PermissionTypes.RUN_CODE]: {},
      [PermissionTypes.WEB_SEARCH]: {},
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_USERS]: false,
+        [Permissions.VIEW_GROUPS]: false,
+      },
    },
  },
 });