🤖 fix: Collaborative Agents are only editable by ADMIN #4659

Co-authored-by: Leon Jünemann <leon.juenemann@maibornwolff.de>
2025-12-17 00:40:14 +01:00 · 2024-11-26 21:02:13 +01:00 · 2024-11-26 21:02:13 +01:00 · 8178ae2a20
commit 8178ae2a20
parent e0a5f879b6
1 changed files with 14 additions and 7 deletions
--- a/api/server/controllers/agents/v1.js
+++ b/api/server/controllers/agents/v1.js
@ -111,7 +111,6 @@ const getAgentHandler = async (req, res) => {
        isCollaborative: agent.isCollaborative,
      });
    }
    return res.status(200).json(agent);
  } catch (error) {
    logger.error('[/Agents/:id] Error retrieving agent', error);
@ -132,16 +131,24 @@ const updateAgentHandler = async (req, res) => {
  try {
    const id = req.params.id;
    const { projectIds, removeProjectIds, ...updateData } = req.body;
    const isAdmin = req.user.role === SystemRoles.ADMIN;
    const existingAgent = await getAgent({ id });
    const isAuthor = existingAgent.author.toString() === req.user.id;
-    let updatedAgent;
+    if (!existingAgent) {
-    const query = { id, author: req.user.id };
+      return res.status(404).json({ error: 'Agent not found' });
    if (req.user.role === SystemRoles.ADMIN) {
      delete query.author;
    }
-    if (Object.keys(updateData).length > 0) {
+    const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
-      updatedAgent = await updateAgent(query, updateData);
+
    if (!hasEditPermission) {
      return res.status(403).json({
        error: 'You do not have permission to modify this non-collaborative agent',
      });
    }
    let updatedAgent =
      Object.keys(updateData).length > 0 ? await updateAgent({ id }, updateData) : existingAgent;
    if (projectIds || removeProjectIds) {
      updatedAgent = await updateAgentProjects({
        user: req.user,