🔧 refactor: Permission handling for Resource Sharing (#11283)

* 🔧 refactor: permission handling for public sharing

- Updated permission keys from SHARED_GLOBAL to SHARE across various files for consistency.
- Added public access configuration in librechat.example.yaml.
- Adjusted related tests and components to reflect the new permission structure.

* chore: Update default SHARE permission to false

* fix: Update SHARE permissions in tests and implementation

- Added SHARE permission handling for user and admin roles in permissions.spec.ts and permissions.ts.
- Updated expected permissions in tests to reflect new SHARE permission values for various permission types.

* fix: Handle undefined values in PeoplePickerAdminSettings component

- Updated the checked and value props of the Switch component to handle undefined values gracefully by defaulting to false. This ensures consistent behavior when the field value is not set.

* feat: Add CREATE permission handling for prompts and agents

- Introduced CREATE permission for user and admin roles in permissions.spec.ts and permissions.ts.
- Updated expected permissions in tests to include CREATE permission for various permission types.

* 🔧 refactor: Enhance permission handling for sharing dialog usability

* refactor: public sharing permissions for resources

- Added middleware to check SHARE_PUBLIC permissions for agents, prompts, and MCP servers.
- Updated interface configuration in librechat.example.yaml to include public sharing options.
- Enhanced components and hooks to support public sharing functionality.
- Adjusted tests to validate new permission handling for public sharing across various resource types.

* refactor: update Share2Icon styling in GenericGrantAccessDialog

* refactor: update Share2Icon size in GenericGrantAccessDialog for consistency

* refactor: improve layout and styling of Share2Icon in GenericGrantAccessDialog

* refactor: update Share2Icon size in GenericGrantAccessDialog for improved consistency

* chore: remove redundant public sharing option from People Picker

* refactor: add SHARE_PUBLIC permission handling in updateInterfacePermissions tests

api/server/middleware/accessResources/canAccessAgentResource.spec.js

@@ -29,7 +29,7 @@ describe('canAccessAgentResource middleware', () => {
         AGENTS: {
           USE: true,
           CREATE: true,
-          SHARED_GLOBAL: false,
+          SHARE: true,
         },
       },
     });

api/server/middleware/accessResources/canAccessMCPServerResource.spec.js

@@ -26,10 +26,10 @@ describe('canAccessMCPServerResource middleware', () => {
     await Role.create({
       name: 'test-role',
       permissions: {
-        MCPSERVERS: {
+        MCP_SERVERS: {
           USE: true,
           CREATE: true,
-          SHARED_GLOBAL: false,
+          SHARE: true,
         },
       },
     });

api/server/middleware/accessResources/fileAccess.spec.js

@@ -32,7 +32,7 @@ describe('fileAccess middleware', () => {
         AGENTS: {
           USE: true,
           CREATE: true,
-          SHARED_GLOBAL: false,
+          SHARE: true,
         },
       },
     });

api/server/middleware/checkSharePublicAccess.js

@@ -0,0 +1,84 @@
+const { logger } = require('@librechat/data-schemas');
+const { ResourceType, PermissionTypes, Permissions } = require('librechat-data-provider');
+const { getRoleByName } = require('~/models/Role');
+
+/**
+ * Maps resource types to their corresponding permission types
+ */
+const resourceToPermissionType = {
+  [ResourceType.AGENT]: PermissionTypes.AGENTS,
+  [ResourceType.PROMPTGROUP]: PermissionTypes.PROMPTS,
+  [ResourceType.MCPSERVER]: PermissionTypes.MCP_SERVERS,
+};
+
+/**
+ * Middleware to check if user has SHARE_PUBLIC permission for a resource type
+ * Only enforced when request body contains `public: true`
+ * @param {import('express').Request} req - Express request
+ * @param {import('express').Response} res - Express response
+ * @param {import('express').NextFunction} next - Express next function
+ */
+const checkSharePublicAccess = async (req, res, next) => {
+  try {
+    const { public: isPublic } = req.body;
+
+    // Only check if trying to enable public sharing
+    if (!isPublic) {
+      return next();
+    }
+
+    const user = req.user;
+    if (!user || !user.role) {
+      return res.status(401).json({
+        error: 'Unauthorized',
+        message: 'Authentication required',
+      });
+    }
+
+    const { resourceType } = req.params;
+    const permissionType = resourceToPermissionType[resourceType];
+
+    if (!permissionType) {
+      return res.status(400).json({
+        error: 'Bad Request',
+        message: `Unsupported resource type for public sharing: ${resourceType}`,
+      });
+    }
+
+    const role = await getRoleByName(user.role);
+    if (!role || !role.permissions) {
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: 'No permissions configured for user role',
+      });
+    }
+
+    const resourcePerms = role.permissions[permissionType] || {};
+    const canSharePublic = resourcePerms[Permissions.SHARE_PUBLIC] === true;
+
+    if (!canSharePublic) {
+      logger.warn(
+        `[checkSharePublicAccess][${user.id}] User denied SHARE_PUBLIC for ${resourceType}`,
+      );
+      return res.status(403).json({
+        error: 'Forbidden',
+        message: `You do not have permission to share ${resourceType} resources publicly`,
+      });
+    }
+
+    next();
+  } catch (error) {
+    logger.error(
+      `[checkSharePublicAccess][${req.user?.id}] Error checking SHARE_PUBLIC permission`,
+      error,
+    );
+    return res.status(500).json({
+      error: 'Internal Server Error',
+      message: 'Failed to check public sharing permissions',
+    });
+  }
+};
+
+module.exports = {
+  checkSharePublicAccess,
+};

api/server/middleware/checkSharePublicAccess.spec.js

@@ -0,0 +1,164 @@
+const { ResourceType, PermissionTypes, Permissions } = require('librechat-data-provider');
+const { checkSharePublicAccess } = require('./checkSharePublicAccess');
+const { getRoleByName } = require('~/models/Role');
+
+jest.mock('~/models/Role');
+
+describe('checkSharePublicAccess middleware', () => {
+  let mockReq;
+  let mockRes;
+  let mockNext;
+
+  beforeEach(() => {
+    jest.clearAllMocks();
+    mockReq = {
+      user: { id: 'user123', role: 'USER' },
+      params: { resourceType: ResourceType.AGENT },
+      body: {},
+    };
+    mockRes = {
+      status: jest.fn().mockReturnThis(),
+      json: jest.fn(),
+    };
+    mockNext = jest.fn();
+  });
+
+  it('should call next() when public is not true', async () => {
+    mockReq.body = { public: false };
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockNext).toHaveBeenCalled();
+    expect(mockRes.status).not.toHaveBeenCalled();
+  });
+
+  it('should call next() when public is undefined', async () => {
+    mockReq.body = { updated: [] };
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockNext).toHaveBeenCalled();
+    expect(mockRes.status).not.toHaveBeenCalled();
+  });
+
+  it('should return 401 when user is not authenticated', async () => {
+    mockReq.body = { public: true };
+    mockReq.user = null;
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockRes.status).toHaveBeenCalledWith(401);
+    expect(mockRes.json).toHaveBeenCalledWith({
+      error: 'Unauthorized',
+      message: 'Authentication required',
+    });
+    expect(mockNext).not.toHaveBeenCalled();
+  });
+
+  it('should return 403 when user role has no SHARE_PUBLIC permission for agents', async () => {
+    mockReq.body = { public: true };
+    mockReq.params = { resourceType: ResourceType.AGENT };
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.AGENTS]: {
+          [Permissions.SHARE]: true,
+          [Permissions.SHARE_PUBLIC]: false,
+        },
+      },
+    });
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockRes.status).toHaveBeenCalledWith(403);
+    expect(mockRes.json).toHaveBeenCalledWith({
+      error: 'Forbidden',
+      message: `You do not have permission to share ${ResourceType.AGENT} resources publicly`,
+    });
+    expect(mockNext).not.toHaveBeenCalled();
+  });
+
+  it('should call next() when user has SHARE_PUBLIC permission for agents', async () => {
+    mockReq.body = { public: true };
+    mockReq.params = { resourceType: ResourceType.AGENT };
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.AGENTS]: {
+          [Permissions.SHARE]: true,
+          [Permissions.SHARE_PUBLIC]: true,
+        },
+      },
+    });
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockNext).toHaveBeenCalled();
+    expect(mockRes.status).not.toHaveBeenCalled();
+  });
+
+  it('should check prompts permission for promptgroup resource type', async () => {
+    mockReq.body = { public: true };
+    mockReq.params = { resourceType: ResourceType.PROMPTGROUP };
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.SHARE_PUBLIC]: true,
+        },
+      },
+    });
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockNext).toHaveBeenCalled();
+  });
+
+  it('should check mcp_servers permission for mcpserver resource type', async () => {
+    mockReq.body = { public: true };
+    mockReq.params = { resourceType: ResourceType.MCPSERVER };
+    getRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.MCP_SERVERS]: {
+          [Permissions.SHARE_PUBLIC]: true,
+        },
+      },
+    });
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockNext).toHaveBeenCalled();
+  });
+
+  it('should return 400 for unsupported resource type', async () => {
+    mockReq.body = { public: true };
+    mockReq.params = { resourceType: 'unsupported' };
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockRes.status).toHaveBeenCalledWith(400);
+    expect(mockRes.json).toHaveBeenCalledWith({
+      error: 'Bad Request',
+      message: 'Unsupported resource type for public sharing: unsupported',
+    });
+  });
+
+  it('should return 403 when role has no permissions object', async () => {
+    mockReq.body = { public: true };
+    getRoleByName.mockResolvedValue({ permissions: null });
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockRes.status).toHaveBeenCalledWith(403);
+  });
+
+  it('should return 500 on error', async () => {
+    mockReq.body = { public: true };
+    getRoleByName.mockRejectedValue(new Error('Database error'));
+
+    await checkSharePublicAccess(mockReq, mockRes, mockNext);
+
+    expect(mockRes.status).toHaveBeenCalledWith(500);
+    expect(mockRes.json).toHaveBeenCalledWith({
+      error: 'Internal Server Error',
+      message: 'Failed to check public sharing permissions',
+    });
+  });
+});

api/server/middleware/roles/access.spec.js

@@ -51,9 +51,9 @@ describe('Access Middleware', () => {
       permissions: {
         [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
         [PermissionTypes.PROMPTS]: {
-          [Permissions.SHARED_GLOBAL]: false,
           [Permissions.USE]: true,
           [Permissions.CREATE]: true,
+          [Permissions.SHARE]: true,
         },
         [PermissionTypes.MEMORIES]: {
           [Permissions.USE]: true,
@@ -65,7 +65,7 @@ describe('Access Middleware', () => {
         [PermissionTypes.AGENTS]: {
           [Permissions.USE]: true,
           [Permissions.CREATE]: false,
-          [Permissions.SHARED_GLOBAL]: false,
+          [Permissions.SHARE]: false,
         },
         [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
         [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
@@ -79,9 +79,9 @@ describe('Access Middleware', () => {
       permissions: {
         [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
         [PermissionTypes.PROMPTS]: {
-          [Permissions.SHARED_GLOBAL]: true,
           [Permissions.USE]: true,
           [Permissions.CREATE]: true,
+          [Permissions.SHARE]: true,
         },
         [PermissionTypes.MEMORIES]: {
           [Permissions.USE]: true,
@@ -93,7 +93,7 @@ describe('Access Middleware', () => {
         [PermissionTypes.AGENTS]: {
           [Permissions.USE]: true,
           [Permissions.CREATE]: true,
-          [Permissions.SHARED_GLOBAL]: true,
+          [Permissions.SHARE]: true,
         },
         [PermissionTypes.MULTI_CONVO]: { [Permissions.USE]: true },
         [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
@@ -110,7 +110,7 @@ describe('Access Middleware', () => {
         [PermissionTypes.AGENTS]: {
           [Permissions.USE]: false,
           [Permissions.CREATE]: false,
-          [Permissions.SHARED_GLOBAL]: false,
+          [Permissions.SHARE]: false,
         },
         // Has permissions for other types
         [PermissionTypes.PROMPTS]: {
@@ -241,7 +241,7 @@ describe('Access Middleware', () => {
         req: {},
         user: { id: 'admin123', role: 'admin' },
         permissionType: PermissionTypes.AGENTS,
-        permissions: [Permissions.SHARED_GLOBAL],
+        permissions: [Permissions.SHARE],
         getRoleByName,
       });
       expect(shareResult).toBe(true);
@@ -318,7 +318,7 @@ describe('Access Middleware', () => {
 
       const middleware = generateCheckAccess({
         permissionType: PermissionTypes.AGENTS,
-        permissions: [Permissions.USE, Permissions.CREATE, Permissions.SHARED_GLOBAL],
+        permissions: [Permissions.USE, Permissions.CREATE, Permissions.SHARE],
         getRoleByName,
       });
       await middleware(req, res, next);
@@ -349,7 +349,7 @@ describe('Access Middleware', () => {
           [PermissionTypes.AGENTS]: {
             [Permissions.USE]: false,
             [Permissions.CREATE]: false,
-            [Permissions.SHARED_GLOBAL]: false,
+            [Permissions.SHARE]: false,
           },
         },
       });