🗨️ feat: Granular Prompt Permissions via ACL and Permission Bits

feat: Implement prompt permissions management and access control middleware fix: agent deletion process to remove associated permissions and ACL entries fix: Import Permissions for enhanced access control in GrantAccessDialog feat: use PromptGroup for access control - Added migration script for PromptGroup permissions, categorizing groups into global view access and private groups. - Created unit tests for the migration script to ensure correct categorization and permission granting. - Introduced middleware for checking access permissions on PromptGroups and prompts via their groups. - Updated routes to utilize new access control middleware for PromptGroups. - Enhanced access role definitions to include roles specific to PromptGroups. - Modified ACL entry schema and types to accommodate PromptGroup resource type. - Updated data provider to include new access role identifiers for PromptGroups. feat: add generic access management dialogs and hooks for resource permissions fix: remove duplicate imports in FileContext component fix: remove duplicate mongoose dependency in package.json feat: add access permissions handling for dynamic resource types and add promptGroup roles feat: implement centralized role localization and update access role types refactor: simplify author handling in prompt group routes and enhance ACL checks feat: implement addPromptToGroup functionality and update PromptForm to use it feat: enhance permission handling in ChatGroupItem, DashGroupItem, and PromptForm components chore: rename migration script for prompt group permissions and update package.json scripts chore: update prompt tests
2025-09-22 08:12:00 +02:00 · 2025-07-26 12:28:31 -04:00 · 2025-07-26 12:28:31 -04:00 · ae732b2ebc
commit ae732b2ebc
parent 7e7e75714e
46 changed files with 3505 additions and 408 deletions
--- a/config/migrate-prompt-permissions.js
+++ b/config/migrate-prompt-permissions.js
@ -0,0 +1,235 @@
+const path = require('path');
+const { logger } = require('@librechat/data-schemas');
+require('module-alias')({ base: path.resolve(__dirname, '..', 'api') });
+
+const { GLOBAL_PROJECT_NAME } = require('librechat-data-provider').Constants;
+const connect = require('./connect');
+
+const { grantPermission } = require('~/server/services/PermissionService');
+const { getProjectByName } = require('~/models/Project');
+const { findRoleByIdentifier } = require('~/models');
+const { PromptGroup } = require('~/db/models');
+
+async function migrateToPromptGroupPermissions({ dryRun = true, batchSize = 100 } = {}) {
+  await connect();
+
+  logger.info('Starting PromptGroup Permissions Migration', { dryRun, batchSize });
+
+  // Verify required roles exist
+  const ownerRole = await findRoleByIdentifier('promptGroup_owner');
+  const viewerRole = await findRoleByIdentifier('promptGroup_viewer');
+  const editorRole = await findRoleByIdentifier('promptGroup_editor');
+
+  if (!ownerRole || !viewerRole || !editorRole) {
+    throw new Error('Required promptGroup roles not found. Run role seeding first.');
+  }
+
+  // Get global project prompt group IDs
+  const globalProject = await getProjectByName(GLOBAL_PROJECT_NAME, ['promptGroupIds']);
+  const globalPromptGroupIds = new Set(
+    (globalProject?.promptGroupIds || []).map((id) => id.toString()),
+  );
+
+  logger.info(`Found ${globalPromptGroupIds.size} prompt groups in global project`);
+
+  // Find promptGroups without ACL entries
+  const promptGroupsToMigrate = await PromptGroup.aggregate([
+    {
+      $lookup: {
+        from: 'aclentries',
+        localField: '_id',
+        foreignField: 'resourceId',
+        as: 'aclEntries',
+      },
+    },
+    {
+      $addFields: {
+        promptGroupAclEntries: {
+          $filter: {
+            input: '$aclEntries',
+            as: 'aclEntry',
+            cond: {
+              $and: [
+                { $eq: ['$$aclEntry.resourceType', 'promptGroup'] },
+                { $eq: ['$$aclEntry.principalType', 'user'] },
+              ],
+            },
+          },
+        },
+      },
+    },
+    {
+      $match: {
+        author: { $exists: true, $ne: null },
+        promptGroupAclEntries: { $size: 0 },
+      },
+    },
+    {
+      $project: {
+        _id: 1,
+        name: 1,
+        author: 1,
+        authorName: 1,
+        category: 1,
+      },
+    },
+  ]);
+
+  const categories = {
+    globalViewAccess: [], // PromptGroup in global project -> Public VIEW
+    privateGroups: [], // Not in global project -> Private (owner only)
+  };
+
+  promptGroupsToMigrate.forEach((group) => {
+    const isGlobalGroup = globalPromptGroupIds.has(group._id.toString());
+
+    if (isGlobalGroup) {
+      categories.globalViewAccess.push(group);
+    } else {
+      categories.privateGroups.push(group);
+    }
+  });
+
+  logger.info('PromptGroup categorization:', {
+    globalViewAccess: categories.globalViewAccess.length,
+    privateGroups: categories.privateGroups.length,
+    total: promptGroupsToMigrate.length,
+  });
+
+  if (dryRun) {
+    return {
+      migrated: 0,
+      errors: 0,
+      dryRun: true,
+      summary: {
+        globalViewAccess: categories.globalViewAccess.length,
+        privateGroups: categories.privateGroups.length,
+        total: promptGroupsToMigrate.length,
+      },
+      details: {
+        globalViewAccess: categories.globalViewAccess.map((g) => ({
+          name: g.name,
+          _id: g._id,
+          category: g.category || 'uncategorized',
+          permissions: 'Owner + Public VIEW',
+        })),
+        privateGroups: categories.privateGroups.map((g) => ({
+          name: g.name,
+          _id: g._id,
+          category: g.category || 'uncategorized',
+          permissions: 'Owner only',
+        })),
+      },
+    };
+  }
+
+  const results = {
+    migrated: 0,
+    errors: 0,
+    publicViewGrants: 0,
+    ownerGrants: 0,
+  };
+
+  // Process in batches
+  for (let i = 0; i < promptGroupsToMigrate.length; i += batchSize) {
+    const batch = promptGroupsToMigrate.slice(i, i + batchSize);
+
+    logger.info(
+      `Processing batch ${Math.floor(i / batchSize) + 1}/${Math.ceil(promptGroupsToMigrate.length / batchSize)}`,
+    );
+
+    for (const group of batch) {
+      try {
+        const isGlobalGroup = globalPromptGroupIds.has(group._id.toString());
+
+        // Always grant owner permission to author
+        await grantPermission({
+          principalType: 'user',
+          principalId: group.author,
+          resourceType: 'promptGroup',
+          resourceId: group._id,
+          accessRoleId: 'promptGroup_owner',
+          grantedBy: group.author,
+        });
+        results.ownerGrants++;
+
+        // Grant public view permissions for promptGroups in global project
+        if (isGlobalGroup) {
+          await grantPermission({
+            principalType: 'public',
+            principalId: null,
+            resourceType: 'promptGroup',
+            resourceId: group._id,
+            accessRoleId: 'promptGroup_viewer',
+            grantedBy: group.author,
+          });
+          results.publicViewGrants++;
+        }
+
+        results.migrated++;
+        logger.debug(
+          `Migrated promptGroup "${group.name}" [${isGlobalGroup ? 'Global View' : 'Private'}]`,
+          {
+            groupId: group._id,
+            author: group.author,
+            isGlobalGroup,
+          },
+        );
+      } catch (error) {
+        results.errors++;
+        logger.error(`Failed to migrate promptGroup "${group.name}"`, {
+          groupId: group._id,
+          author: group.author,
+          error: error.message,
+        });
+      }
+    }
+
+    // Brief pause between batches
+    await new Promise((resolve) => setTimeout(resolve, 100));
+  }
+
+  logger.info('PromptGroup migration completed', results);
+  return results;
+}
+
+if (require.main === module) {
+  const dryRun = process.argv.includes('--dry-run');
+  const batchSize =
+    parseInt(process.argv.find((arg) => arg.startsWith('--batch-size='))?.split('=')[1]) || 100;
+
+  migrateToPromptGroupPermissions({ dryRun, batchSize })
+    .then((result) => {
+      if (dryRun) {
+        console.log('\n=== DRY RUN RESULTS ===');
+        console.log(`Total promptGroups to migrate: ${result.summary.total}`);
+        console.log(`- Global View Access: ${result.summary.globalViewAccess} promptGroups`);
+        console.log(`- Private PromptGroups: ${result.summary.privateGroups} promptGroups`);
+
+        if (result.details.globalViewAccess.length > 0) {
+          console.log('\nGlobal View Access promptGroups (first 10):');
+          result.details.globalViewAccess.slice(0, 10).forEach((group, i) => {
+            console.log(`  ${i + 1}. "${group.name}" [${group.category}] (${group._id})`);
+          });
+        }
+
+        if (result.details.privateGroups.length > 0) {
+          console.log('\nPrivate promptGroups (first 10):');
+          result.details.privateGroups.slice(0, 10).forEach((group, i) => {
+            console.log(`  ${i + 1}. "${group.name}" [${group.category}] (${group._id})`);
+          });
+        }
+
+        console.log('\nTo run the actual migration, remove the --dry-run flag');
+      } else {
+        console.log('\nMigration Results:', JSON.stringify(result, null, 2));
+      }
+      process.exit(0);
+    })
+    .catch((error) => {
+      console.error('PromptGroup migration failed:', error);
+      process.exit(1);
+    });
+}
+
+module.exports = { migrateToPromptGroupPermissions };