feat: Add role-level permissions for agent sharing people picker

- Add PEOPLE_PICKER permission type with VIEW_USERS and VIEW_GROUPS permissions
  - Create custom middleware for query-aware permission validation
  - Implement permission-based type filtering in PeoplePicker component
  - Hide people picker UI when user lacks permissions, show only public toggle
  - Support granular access: users-only, groups-only, or mixed search modes

api/server/middleware/checkPeoplePickerAccess.js

@@ -0,0 +1,72 @@
+const { PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+const { logger } = require('~/config');
+
+/**
+ * Middleware to check if user has permission to access people picker functionality
+ * Checks specific permission based on the 'type' query parameter:
+ * - type=user: requires VIEW_USERS permission
+ * - type=group: requires VIEW_GROUPS permission
+ * - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS
+ */
+const checkPeoplePickerAccess = async (req, res, next) => {
+  try {
+    const user = req.user;
+    if (!user || !user.role) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    const role = await getRoleByName(user.role);
+    if (!role || !role.permissions) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'No permissions configured for user role',
+      });
+    }
+
+    const { type } = req.query;
+    const peoplePickerPerms = role.permissions[PermissionTypes.PEOPLE_PICKER] || {};
+    const canViewUsers = peoplePickerPerms[Permissions.VIEW_USERS] === true;
+    const canViewGroups = peoplePickerPerms[Permissions.VIEW_GROUPS] === true;
+
+    if (type === 'user') {
+      if (!canViewUsers) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for users',
+        });
+      }
+    } else if (type === 'group') {
+      if (!canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for groups',
+        });
+      }
+    } else {
+      if (!canViewUsers || !canViewGroups) {
+        return res.status(403).json({
+          error: 'Forbidden',
+          message: 'Insufficient permissions to search for both users and groups',
+        });
+      }
+    }
+    next();
+  } catch (error) {
+    logger.error(
+      `[checkPeoplePickerAccess][${req.user?.id}] checkPeoplePickerAccess error for req.query.type = ${req.query.type}`,
+      error,
+    );
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check permissions',
+    });
+  }
+};
+
+module.exports = {
+  checkPeoplePickerAccess,
+};

api/server/routes/accessPermissions.js

@@ -8,6 +8,7 @@ const {
   searchPrincipals,
 } = require('~/server/controllers/PermissionsController');
 const { requireJwtAuth, checkBan, uaParser, canAccessResource } = require('~/server/middleware');
+const { checkPeoplePickerAccess } = require('~/server/middleware/checkPeoplePickerAccess');
 
 const router = express.Router();
 
@@ -25,7 +26,7 @@ router.use(uaParser);
  * GET /api/permissions/search-principals
  * Search for users and groups to grant permissions
  */
-router.get('/search-principals', searchPrincipals);
+router.get('/search-principals', checkPeoplePickerAccess, searchPrincipals);
 
 /**
  * GET /api/permissions/{resourceType}/roles

api/server/services/start/interface.js

@@ -51,6 +51,16 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     runCode: interfaceConfig?.runCode ?? defaults.runCode,
     webSearch: interfaceConfig?.webSearch ?? defaults.webSearch,
     customWelcome: interfaceConfig?.customWelcome ?? defaults.customWelcome,
+    peoplePicker: {
+      admin: {
+        users: interfaceConfig?.peoplePicker?.admin?.users ?? defaults.peoplePicker.admin.users,
+        groups: interfaceConfig?.peoplePicker?.admin?.groups ?? defaults.peoplePicker.admin.groups,
+      },
+      user: {
+        users: interfaceConfig?.peoplePicker?.user?.users ?? defaults.peoplePicker.user.users,
+        groups: interfaceConfig?.peoplePicker?.user?.groups ?? defaults.peoplePicker.user.groups,
+      },
+    },
   });
 
   await updateAccessPermissions(roleName, {
@@ -65,6 +75,10 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
     [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
     [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: loadedInterface.webSearch },
+    [PermissionTypes.PEOPLE_PICKER]: {
+      [Permissions.VIEW_USERS]: loadedInterface.peoplePicker.user?.users,
+      [Permissions.VIEW_GROUPS]: loadedInterface.peoplePicker.user?.groups,
+    },
   });
   await updateAccessPermissions(SystemRoles.ADMIN, {
     [PermissionTypes.PROMPTS]: { [Permissions.USE]: loadedInterface.prompts },
@@ -78,6 +92,10 @@ async function loadDefaultInterface(config, configDefaults, roleName = SystemRol
     [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: loadedInterface.temporaryChat },
     [PermissionTypes.RUN_CODE]: { [Permissions.USE]: loadedInterface.runCode },
     [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: loadedInterface.webSearch },
+    [PermissionTypes.PEOPLE_PICKER]: {
+      [Permissions.VIEW_USERS]: loadedInterface.peoplePicker.admin?.users,
+      [Permissions.VIEW_GROUPS]: loadedInterface.peoplePicker.admin?.groups,
+    },
   });
 
   let i = 0;

client/src/components/SidePanel/Agents/Sharing/GrantAccessDialog.tsx

@@ -1,6 +1,6 @@
-import React, { useState, useEffect } from 'react';
+import React, { useState, useEffect, useMemo } from 'react';
 import { Share2Icon, Users, Loader, Shield, Link, CopyCheck } from 'lucide-react';
-import { ACCESS_ROLE_IDS } from 'librechat-data-provider';
+import { ACCESS_ROLE_IDS, PermissionTypes, Permissions } from 'librechat-data-provider';
 import type { TPrincipal } from 'librechat-data-provider';
 import {
   Button,
@@ -12,7 +12,7 @@ import {
 } from '~/components/ui';
 import { cn, removeFocusOutlines } from '~/utils';
 import { useToastContext } from '~/Providers';
-import { useLocalize, useCopyToClipboard } from '~/hooks';
+import { useLocalize, useCopyToClipboard, useHasAccess } from '~/hooks';
 import {
   useGetResourcePermissionsQuery,
   useUpdateResourcePermissionsMutation,
@@ -39,6 +39,29 @@ export default function GrantAccessDialog({
   const localize = useLocalize();
   const { showToast } = useToastContext();
 
+  // Check if user has permission to access people picker
+  const canViewUsers = useHasAccess({
+    permissionType: PermissionTypes.PEOPLE_PICKER,
+    permission: Permissions.VIEW_USERS,
+  });
+  const canViewGroups = useHasAccess({
+    permissionType: PermissionTypes.PEOPLE_PICKER,
+    permission: Permissions.VIEW_GROUPS,
+  });
+  const hasPeoplePickerAccess = canViewUsers || canViewGroups;
+
+  // Determine type filter based on permissions
+  const peoplePickerTypeFilter = useMemo(() => {
+    if (canViewUsers && canViewGroups) {
+      return null; // Both types allowed
+    } else if (canViewUsers) {
+      return 'user' as const;
+    } else if (canViewGroups) {
+      return 'group' as const;
+    }
+    return null;
+  }, [canViewUsers, canViewGroups]);
+
   const {
     data: permissionsData,
     // isLoading: isLoadingPermissions,
@@ -178,9 +201,12 @@ export default function GrantAccessDialog({
         </OGDialogTitle>
 
         <div className="space-y-6 p-2">
+          {hasPeoplePickerAccess && (
+            <>
               <PeoplePicker
                 onSelectionChange={setNewShares}
                 placeholder={localize('com_ui_search_people_placeholder')}
+                typeFilter={peoplePickerTypeFilter}
               />
 
               <div className="space-y-3">
@@ -198,6 +224,8 @@ export default function GrantAccessDialog({
                   onRoleChange={setDefaultPermissionId}
                 />
               </div>
+            </>
+          )}
           <PublicSharingToggle
             isPublic={isPublic}
             publicRole={publicRole}
@@ -207,11 +235,13 @@ export default function GrantAccessDialog({
           />
           <div className="flex justify-between border-t pt-4">
             <div className="flex gap-2">
+              {hasPeoplePickerAccess && (
                 <ManagePermissionsDialog
                   agentDbId={agentDbId}
                   agentName={agentName}
                   resourceType={resourceType}
                 />
+              )}
               {agentId && (
                 <Button
                   variant="outline"

client/src/components/SidePanel/Agents/Sharing/PeoplePicker/PeoplePicker.tsx

@@ -11,12 +11,14 @@ interface PeoplePickerProps {
   onSelectionChange: (principals: TPrincipal[]) => void;
   placeholder?: string;
   className?: string;
+  typeFilter?: 'user' | 'group' | null;
 }
 
 export default function PeoplePicker({
   onSelectionChange,
   placeholder,
   className = '',
+  typeFilter = null,
 }: PeoplePickerProps) {
   const localize = useLocalize();
   const [searchQuery, setSearchQuery] = useState('');
@@ -26,8 +28,9 @@ export default function PeoplePicker({
     () => ({
       q: searchQuery,
       limit: 30,
+      ...(typeFilter && { type: typeFilter }),
     }),
-    [searchQuery],
+    [searchQuery, typeFilter],
   );
 
   const {

packages/api/src/middleware/access.ts

@@ -128,7 +128,7 @@ export const generateCheckAccess = ({
       }
 
       logger.warn(
-        `[${permissionType}] Forbidden: "${req.originalUrl}" - Insufficient permissions for User ${req.user?.id}: ${permissions.join(', ')}`,
+        `[${permissionType}] Forbidden: "${req.originalUrl}" - Insufficient permissions for User ${(req.user as IUser)?.id}: ${permissions.join(', ')}`,
       );
       return res.status(403).json({ message: 'Forbidden: Insufficient permissions' });
     } catch (error) {

packages/data-provider/src/config.ts

@@ -488,7 +488,7 @@ const mcpServersSchema = z.object({
 
 export type TMcpServersConfig = z.infer<typeof mcpServersSchema>;
 
-export const intefaceSchema = z
+export const interfaceSchema = z
   .object({
     privacyPolicy: z
       .object({
@@ -513,6 +513,22 @@ export const intefaceSchema = z
     temporaryChatRetention: z.number().min(1).max(8760).optional(),
     runCode: z.boolean().optional(),
     webSearch: z.boolean().optional(),
+    peoplePicker: z
+      .object({
+        admin: z
+          .object({
+            users: z.boolean().optional(),
+            groups: z.boolean().optional(),
+          })
+          .optional(),
+        user: z
+          .object({
+            users: z.boolean().optional(),
+            groups: z.boolean().optional(),
+          })
+          .optional(),
+      })
+      .optional(),
   })
   .default({
     endpointsMenu: true,
@@ -528,9 +544,19 @@ export const intefaceSchema = z
     temporaryChat: true,
     runCode: true,
     webSearch: true,
+    peoplePicker: {
+      admin: {
+        users: true,
+        groups: true,
+      },
+      user: {
+        users: false,
+        groups: false,
+      },
+    },
   });
 
-export type TInterfaceConfig = z.infer<typeof intefaceSchema>;
+export type TInterfaceConfig = z.infer<typeof interfaceSchema>;
 export type TBalanceConfig = z.infer<typeof balanceSchema>;
 
 export const turnstileOptionsSchema = z
@@ -748,7 +774,7 @@ export const configSchema = z.object({
   includedTools: z.array(z.string()).optional(),
   filteredTools: z.array(z.string()).optional(),
   mcpServers: MCPServersSchema.optional(),
-  interface: intefaceSchema,
+  interface: interfaceSchema,
   turnstile: turnstileSchema.optional(),
   fileStrategy: fileSourceSchema.default(FileSources.local),
   actions: z

packages/data-provider/src/permissions.ts

@@ -36,6 +36,10 @@ export enum PermissionTypes {
    * Type for using the "Web Search" feature
    */
   WEB_SEARCH = 'WEB_SEARCH',
+  /**
+   * Type for People Picker Permissions
+   */
+  PEOPLE_PICKER = 'PEOPLE_PICKER',
 }
 
 /**
@@ -51,6 +55,8 @@ export enum Permissions {
   SHARE = 'SHARE',
   /** Can disable if desired */
   OPT_OUT = 'OPT_OUT',
+  VIEW_USERS = 'VIEW_USERS',
+  VIEW_GROUPS = 'VIEW_GROUPS',
 }
 
 export const promptPermissionsSchema = z.object({
@@ -103,6 +109,12 @@ export const webSearchPermissionsSchema = z.object({
 });
 export type TWebSearchPermissions = z.infer<typeof webSearchPermissionsSchema>;
 
+export const peoplePickerPermissionsSchema = z.object({
+  [Permissions.VIEW_USERS]: z.boolean().default(true),
+  [Permissions.VIEW_GROUPS]: z.boolean().default(true),
+});
+export type TPeoplePickerPermissions = z.infer<typeof peoplePickerPermissionsSchema>;
+
 // Define a single permissions schema that holds all permission types.
 export const permissionsSchema = z.object({
   [PermissionTypes.PROMPTS]: promptPermissionsSchema,
@@ -113,4 +125,5 @@ export const permissionsSchema = z.object({
   [PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema,
   [PermissionTypes.RUN_CODE]: runCodePermissionsSchema,
   [PermissionTypes.WEB_SEARCH]: webSearchPermissionsSchema,
+  [PermissionTypes.PEOPLE_PICKER]: peoplePickerPermissionsSchema,
 });

packages/data-provider/src/roles.ts

@@ -11,6 +11,7 @@ import {
   bookmarkPermissionsSchema,
   multiConvoPermissionsSchema,
   temporaryChatPermissionsSchema,
+  peoplePickerPermissionsSchema,
 } from './permissions';
 
 /**
@@ -74,6 +75,10 @@ const defaultRolesSchema = z.object({
       [PermissionTypes.WEB_SEARCH]: webSearchPermissionsSchema.extend({
         [Permissions.USE]: z.boolean().default(true),
       }),
+      [PermissionTypes.PEOPLE_PICKER]: peoplePickerPermissionsSchema.extend({
+        [Permissions.VIEW_USERS]: z.boolean().default(true),
+        [Permissions.VIEW_GROUPS]: z.boolean().default(true),
+      }),
     }),
   }),
   [SystemRoles.USER]: roleSchema.extend({
@@ -118,6 +123,10 @@ export const roleDefaults = defaultRolesSchema.parse({
       [PermissionTypes.WEB_SEARCH]: {
         [Permissions.USE]: true,
       },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_USERS]: true,
+        [Permissions.VIEW_GROUPS]: true,
+      },
     },
   },
   [SystemRoles.USER]: {
@@ -131,6 +140,10 @@ export const roleDefaults = defaultRolesSchema.parse({
       [PermissionTypes.TEMPORARY_CHAT]: {},
       [PermissionTypes.RUN_CODE]: {},
       [PermissionTypes.WEB_SEARCH]: {},
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_USERS]: false,
+        [Permissions.VIEW_GROUPS]: false,
+      },
     },
   },
 });

packages/data-schemas/src/schema/role.ts

@@ -37,6 +37,10 @@ const rolePermissionsSchema = new Schema(
     [PermissionTypes.WEB_SEARCH]: {
       [Permissions.USE]: { type: Boolean, default: true },
     },
+    [PermissionTypes.PEOPLE_PICKER]: {
+      [Permissions.VIEW_USERS]: { type: Boolean, default: false },
+      [Permissions.VIEW_GROUPS]: { type: Boolean, default: false },
+    },
   },
   { _id: false },
 );
@@ -67,6 +71,10 @@ const roleSchema: Schema<IRole> = new Schema({
       [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
       [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
       [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_USERS]: false,
+        [Permissions.VIEW_GROUPS]: false,
+      },
     }),
   },
 });

packages/data-schemas/src/types/role.ts

@@ -35,5 +35,9 @@ export interface IRole extends Document {
     [PermissionTypes.WEB_SEARCH]?: {
       [Permissions.USE]?: boolean;
     };
+    [PermissionTypes.PEOPLE_PICKER]?: {
+      [Permissions.VIEW_USERS]?: boolean;
+      [Permissions.VIEW_GROUPS]?: boolean;
+    };
   };
 }