mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-17 00:40:14 +01:00
🗨️ feat: Granular Prompt Permissions via ACL and Permission Bits
feat: Implement prompt permissions management and access control middleware fix: agent deletion process to remove associated permissions and ACL entries fix: Import Permissions for enhanced access control in GrantAccessDialog feat: use PromptGroup for access control - Added migration script for PromptGroup permissions, categorizing groups into global view access and private groups. - Created unit tests for the migration script to ensure correct categorization and permission granting. - Introduced middleware for checking access permissions on PromptGroups and prompts via their groups. - Updated routes to utilize new access control middleware for PromptGroups. - Enhanced access role definitions to include roles specific to PromptGroups. - Modified ACL entry schema and types to accommodate PromptGroup resource type. - Updated data provider to include new access role identifiers for PromptGroups. feat: add generic access management dialogs and hooks for resource permissions fix: remove duplicate imports in FileContext component fix: remove duplicate mongoose dependency in package.json feat: add access permissions handling for dynamic resource types and add promptGroup roles feat: implement centralized role localization and update access role types refactor: simplify author handling in prompt group routes and enhance ACL checks feat: implement addPromptToGroup functionality and update PromptForm to use it feat: enhance permission handling in ChatGroupItem, DashGroupItem, and PromptForm components chore: rename migration script for prompt group permissions and update package.json scripts chore: update prompt tests
This commit is contained in:
Danny Avila
parent
7e7e75714e
commit
ae732b2ebc
46 changed files with 3505 additions and 408 deletions
|
|
@ -0,0 +1,60 @@
|
|||
const { getPromptGroup } = require('~/models/Prompt');
|
||||
const { canAccessResource } = require('./canAccessResource');
|
||||
|
||||
/**
|
||||
* PromptGroup ID resolver function
|
||||
* Resolves promptGroup ID to MongoDB ObjectId
|
||||
*
|
||||
* @param {string} groupId - PromptGroup ID from route parameter
|
||||
* @returns {Promise<Object|null>} PromptGroup document with _id field, or null if not found
|
||||
*/
|
||||
const resolvePromptGroupId = async (groupId) => {
|
||||
return await getPromptGroup({ _id: groupId });
|
||||
};
|
||||
|
||||
/**
|
||||
* PromptGroup-specific middleware factory that creates middleware to check promptGroup access permissions.
|
||||
* This middleware extends the generic canAccessResource to handle promptGroup ID resolution.
|
||||
*
|
||||
* @param {Object} options - Configuration options
|
||||
* @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
|
||||
* @param {string} [options.resourceIdParam='groupId'] - The name of the route parameter containing the promptGroup ID
|
||||
* @returns {Function} Express middleware function
|
||||
*
|
||||
* @example
|
||||
* // Basic usage for viewing promptGroups
|
||||
* router.get('/prompts/groups/:groupId',
|
||||
* canAccessPromptGroupResource({ requiredPermission: 1 }),
|
||||
* getPromptGroup
|
||||
* );
|
||||
*
|
||||
* @example
|
||||
* // Custom resource ID parameter and edit permission
|
||||
* router.patch('/prompts/groups/:id',
|
||||
* canAccessPromptGroupResource({
|
||||
* requiredPermission: 2,
|
||||
* resourceIdParam: 'id'
|
||||
* }),
|
||||
* updatePromptGroup
|
||||
* );
|
||||
*/
|
||||
const canAccessPromptGroupResource = (options) => {
|
||||
const { requiredPermission, resourceIdParam = 'groupId' } = options;
|
||||
|
||||
if (!requiredPermission || typeof requiredPermission !== 'number') {
|
||||
throw new Error(
|
||||
'canAccessPromptGroupResource: requiredPermission is required and must be a number',
|
||||
);
|
||||
}
|
||||
|
||||
return canAccessResource({
|
||||
resourceType: 'promptGroup',
|
||||
requiredPermission,
|
||||
resourceIdParam,
|
||||
idResolver: resolvePromptGroupId,
|
||||
});
|
||||
};
|
||||
|
||||
module.exports = {
|
||||
canAccessPromptGroupResource,
|
||||
};
|
||||
|
|
@ -0,0 +1,58 @@
|
|||
const { getPrompt } = require('~/models/Prompt');
|
||||
const { canAccessResource } = require('./canAccessResource');
|
||||
|
||||
/**
|
||||
* Prompt ID resolver function
|
||||
* Resolves prompt ID to MongoDB ObjectId
|
||||
*
|
||||
* @param {string} promptId - Prompt ID from route parameter
|
||||
* @returns {Promise<Object|null>} Prompt document with _id field, or null if not found
|
||||
*/
|
||||
const resolvePromptId = async (promptId) => {
|
||||
return await getPrompt({ _id: promptId });
|
||||
};
|
||||
|
||||
/**
|
||||
* Prompt-specific middleware factory that creates middleware to check prompt access permissions.
|
||||
* This middleware extends the generic canAccessResource to handle prompt ID resolution.
|
||||
*
|
||||
* @param {Object} options - Configuration options
|
||||
* @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
|
||||
* @param {string} [options.resourceIdParam='promptId'] - The name of the route parameter containing the prompt ID
|
||||
* @returns {Function} Express middleware function
|
||||
*
|
||||
* @example
|
||||
* // Basic usage for viewing prompts
|
||||
* router.get('/prompts/:promptId',
|
||||
* canAccessPromptResource({ requiredPermission: 1 }),
|
||||
* getPrompt
|
||||
* );
|
||||
*
|
||||
* @example
|
||||
* // Custom resource ID parameter and edit permission
|
||||
* router.patch('/prompts/:id',
|
||||
* canAccessPromptResource({
|
||||
* requiredPermission: 2,
|
||||
* resourceIdParam: 'id'
|
||||
* }),
|
||||
* updatePrompt
|
||||
* );
|
||||
*/
|
||||
const canAccessPromptResource = (options) => {
|
||||
const { requiredPermission, resourceIdParam = 'promptId' } = options;
|
||||
|
||||
if (!requiredPermission || typeof requiredPermission !== 'number') {
|
||||
throw new Error('canAccessPromptResource: requiredPermission is required and must be a number');
|
||||
}
|
||||
|
||||
return canAccessResource({
|
||||
resourceType: 'prompt',
|
||||
requiredPermission,
|
||||
resourceIdParam,
|
||||
idResolver: resolvePromptId,
|
||||
});
|
||||
};
|
||||
|
||||
module.exports = {
|
||||
canAccessPromptResource,
|
||||
};
|
||||
|
|
@ -0,0 +1,54 @@
|
|||
const { getPrompt } = require('~/models/Prompt');
|
||||
const { canAccessResource } = require('./canAccessResource');
|
||||
|
||||
/**
|
||||
* Prompt to PromptGroup ID resolver function
|
||||
* Resolves prompt ID to its parent promptGroup ID
|
||||
*
|
||||
* @param {string} promptId - Prompt ID from route parameter
|
||||
* @returns {Promise<Object|null>} Object with promptGroup's _id field, or null if not found
|
||||
*/
|
||||
const resolvePromptToGroupId = async (promptId) => {
|
||||
const prompt = await getPrompt({ _id: promptId });
|
||||
if (!prompt || !prompt.groupId) {
|
||||
return null;
|
||||
}
|
||||
// Return an object with _id that matches the promptGroup ID
|
||||
return { _id: prompt.groupId };
|
||||
};
|
||||
|
||||
/**
|
||||
* Middleware factory that checks promptGroup permissions when accessing individual prompts.
|
||||
* This allows permission management at the promptGroup level while still supporting
|
||||
* individual prompt access patterns.
|
||||
*
|
||||
* @param {Object} options - Configuration options
|
||||
* @param {number} options.requiredPermission - The permission bit required (1=view, 2=edit, 4=delete, 8=share)
|
||||
* @param {string} [options.resourceIdParam='promptId'] - The name of the route parameter containing the prompt ID
|
||||
* @returns {Function} Express middleware function
|
||||
*
|
||||
* @example
|
||||
* // Check promptGroup permissions when viewing a prompt
|
||||
* router.get('/prompts/:promptId',
|
||||
* canAccessPromptViaGroup({ requiredPermission: 1 }),
|
||||
* getPrompt
|
||||
* );
|
||||
*/
|
||||
const canAccessPromptViaGroup = (options) => {
|
||||
const { requiredPermission, resourceIdParam = 'promptId' } = options;
|
||||
|
||||
if (!requiredPermission || typeof requiredPermission !== 'number') {
|
||||
throw new Error('canAccessPromptViaGroup: requiredPermission is required and must be a number');
|
||||
}
|
||||
|
||||
return canAccessResource({
|
||||
resourceType: 'promptGroup',
|
||||
requiredPermission,
|
||||
resourceIdParam,
|
||||
idResolver: resolvePromptToGroupId,
|
||||
});
|
||||
};
|
||||
|
||||
module.exports = {
|
||||
canAccessPromptViaGroup,
|
||||
};
|
||||
|
|
@ -1,9 +1,15 @@
|
|||
const { canAccessResource } = require('./canAccessResource');
|
||||
const { canAccessAgentResource } = require('./canAccessAgentResource');
|
||||
const { canAccessAgentFromBody } = require('./canAccessAgentFromBody');
|
||||
const { canAccessPromptResource } = require('./canAccessPromptResource');
|
||||
const { canAccessPromptViaGroup } = require('./canAccessPromptViaGroup');
|
||||
const { canAccessPromptGroupResource } = require('./canAccessPromptGroupResource');
|
||||
|
||||
module.exports = {
|
||||
canAccessResource,
|
||||
canAccessAgentResource,
|
||||
canAccessAgentFromBody,
|
||||
canAccessPromptResource,
|
||||
canAccessPromptViaGroup,
|
||||
canAccessPromptGroupResource,
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue