🗨️ feat: Granular Prompt Permissions via ACL and Permission Bits

feat: Implement prompt permissions management and access control middleware fix: agent deletion process to remove associated permissions and ACL entries fix: Import Permissions for enhanced access control in GrantAccessDialog feat: use PromptGroup for access control - Added migration script for PromptGroup permissions, categorizing groups into global view access and private groups. - Created unit tests for the migration script to ensure correct categorization and permission granting. - Introduced middleware for checking access permissions on PromptGroups and prompts via their groups. - Updated routes to utilize new access control middleware for PromptGroups. - Enhanced access role definitions to include roles specific to PromptGroups. - Modified ACL entry schema and types to accommodate PromptGroup resource type. - Updated data provider to include new access role identifiers for PromptGroups. feat: add generic access management dialogs and hooks for resource permissions fix: remove duplicate imports in FileContext component fix: remove duplicate mongoose dependency in package.json feat: add access permissions handling for dynamic resource types and add promptGroup roles feat: implement centralized role localization and update access role types refactor: simplify author handling in prompt group routes and enhance ACL checks feat: implement addPromptToGroup functionality and update PromptForm to use it feat: enhance permission handling in ChatGroupItem, DashGroupItem, and PromptForm components chore: rename migration script for prompt group permissions and update package.json scripts chore: update prompt tests
2025-12-17 08:50:15 +01:00 · 2025-07-26 12:28:31 -04:00 · 2025-07-26 12:28:31 -04:00 · ae732b2ebc
commit ae732b2ebc
parent 7e7e75714e
46 changed files with 3505 additions and 408 deletions
--- a/api/models/Agent.spec.js
+++ b/api/models/Agent.spec.js
@ -28,6 +28,8 @@ const {
  revertAgentVersion,
 } = require('./Agent');
 const { getCachedTools } = require('~/server/services/Config');
+const permissionService = require('~/server/services/PermissionService');
+const { AclEntry } = require('~/db/models');

 /**
 * @type {import('mongoose').Model<import('@librechat/data-schemas').IAgent>}
@ -407,12 +409,26 @@ describe('models/Agent', () => {

  describe('Agent CRUD Operations', () => {
    let mongoServer;
+    let AccessRole;

    beforeAll(async () => {
      mongoServer = await MongoMemoryServer.create();
      const mongoUri = mongoServer.getUri();
      Agent = mongoose.models.Agent || mongoose.model('Agent', agentSchema);
      await mongoose.connect(mongoUri);
+
+      // Initialize models
+      const dbModels = require('~/db/models');
+      AccessRole = dbModels.AccessRole;
+
+      // Create necessary access roles for agents
+      await AccessRole.create({
+        accessRoleId: 'agent_owner',
+        name: 'Owner',
+        description: 'Full control over agents',
+        resourceType: 'agent',
+        permBits: 15, // VIEW | EDIT | DELETE | SHARE
+      });
    }, 20000);

    afterAll(async () => {
@ -468,6 +484,51 @@ describe('models/Agent', () => {
      expect(agentAfterDelete).toBeNull();
    });

+    test('should remove ACL entries when deleting an agent', async () => {
+      const agentId = `agent_${uuidv4()}`;
+      const authorId = new mongoose.Types.ObjectId();
+
+      // Create agent
+      const agent = await createAgent({
+        id: agentId,
+        name: 'Agent With Permissions',
+        provider: 'test',
+        model: 'test-model',
+        author: authorId,
+      });
+
+      // Grant permissions (simulating sharing)
+      await permissionService.grantPermission({
+        principalType: 'user',
+        principalId: authorId,
+        resourceType: 'agent',
+        resourceId: agent._id,
+        accessRoleId: 'agent_owner',
+        grantedBy: authorId,
+      });
+
+      // Verify ACL entry exists
+      const aclEntriesBefore = await AclEntry.find({
+        resourceType: 'agent',
+        resourceId: agent._id,
+      });
+      expect(aclEntriesBefore).toHaveLength(1);
+
+      // Delete the agent
+      await deleteAgent({ id: agentId });
+
+      // Verify agent is deleted
+      const agentAfterDelete = await getAgent({ id: agentId });
+      expect(agentAfterDelete).toBeNull();
+
+      // Verify ACL entries are removed
+      const aclEntriesAfter = await AclEntry.find({
+        resourceType: 'agent',
+        resourceId: agent._id,
+      });
+      expect(aclEntriesAfter).toHaveLength(0);
+    });
+
    test('should list agents by author', async () => {
      const authorId = new mongoose.Types.ObjectId();
      const otherAuthorId = new mongoose.Types.ObjectId();