feat: Add role-level permissions for agent sharing people picker

- Add PEOPLE_PICKER permission type with VIEW_USERS and VIEW_GROUPS permissions - Create custom middleware for query-aware permission validation - Implement permission-based type filtering in PeoplePicker component - Hide people picker UI when user lacks permissions, show only public toggle - Support granular access: users-only, groups-only, or mixed search modes
2026-03-02 22:30:18 +01:00 · 2025-07-01 14:25:48 +02:00 · 2025-07-01 14:25:48 +02:00 · ce3dbf8609
commit ce3dbf8609
parent c6451e8cb6
11 changed files with 220 additions and 32 deletions
--- a/packages/api/src/middleware/access.ts
+++ b/packages/api/src/middleware/access.ts
@ -128,7 +128,7 @@ export const generateCheckAccess = ({
      }

      logger.warn(
-        `[${permissionType}] Forbidden: "${req.originalUrl}" - Insufficient permissions for User ${req.user?.id}: ${permissions.join(', ')}`,
+        `[${permissionType}] Forbidden: "${req.originalUrl}" - Insufficient permissions for User ${(req.user as IUser)?.id}: ${permissions.join(', ')}`,
      );
      return res.status(403).json({ message: 'Forbidden: Insufficient permissions' });
    } catch (error) {
--- a/packages/data-provider/src/config.ts
+++ b/packages/data-provider/src/config.ts
@ -492,7 +492,7 @@ const mcpServersSchema = z.object({

 export type TMcpServersConfig = z.infer<typeof mcpServersSchema>;

-export const intefaceSchema = z
+export const interfaceSchema = z
  .object({
    privacyPolicy: z
      .object({
@ -517,6 +517,22 @@ export const intefaceSchema = z
    temporaryChatRetention: z.number().min(1).max(8760).optional(),
    runCode: z.boolean().optional(),
    webSearch: z.boolean().optional(),
+    peoplePicker: z
+      .object({
+        admin: z
+          .object({
+            users: z.boolean().optional(),
+            groups: z.boolean().optional(),
+          })
+          .optional(),
+        user: z
+          .object({
+            users: z.boolean().optional(),
+            groups: z.boolean().optional(),
+          })
+          .optional(),
+      })
+      .optional(),
    fileSearch: z.boolean().optional(),
  })
  .default({
@ -533,10 +549,20 @@ export const intefaceSchema = z
    temporaryChat: true,
    runCode: true,
    webSearch: true,
+    peoplePicker: {
+      admin: {
+        users: true,
+        groups: true,
+      },
+      user: {
+        users: false,
+        groups: false,
+      },
+    },
    fileSearch: true,
  });

-export type TInterfaceConfig = z.infer<typeof intefaceSchema>;
+export type TInterfaceConfig = z.infer<typeof interfaceSchema>;
 export type TBalanceConfig = z.infer<typeof balanceSchema>;

 export const turnstileOptionsSchema = z
@ -754,7 +780,7 @@ export const configSchema = z.object({
  includedTools: z.array(z.string()).optional(),
  filteredTools: z.array(z.string()).optional(),
  mcpServers: MCPServersSchema.optional(),
-  interface: intefaceSchema,
+  interface: interfaceSchema,
  turnstile: turnstileSchema.optional(),
  fileStrategy: fileSourceSchema.default(FileSources.local),
  actions: z
--- a/packages/data-provider/src/permissions.ts
+++ b/packages/data-provider/src/permissions.ts
@ -36,6 +36,10 @@ export enum PermissionTypes {
   * Type for using the "Web Search" feature
   */
  WEB_SEARCH = 'WEB_SEARCH',
+  /**
+   * Type for People Picker Permissions
+   */
+  PEOPLE_PICKER = 'PEOPLE_PICKER',
  /**
   * Type for using the "File Search" feature
   */
@ -55,6 +59,8 @@ export enum Permissions {
  SHARE = 'SHARE',
  /** Can disable if desired */
  OPT_OUT = 'OPT_OUT',
+  VIEW_USERS = 'VIEW_USERS',
+  VIEW_GROUPS = 'VIEW_GROUPS',
 }

 export const promptPermissionsSchema = z.object({
@ -107,6 +113,12 @@ export const webSearchPermissionsSchema = z.object({
 });
 export type TWebSearchPermissions = z.infer<typeof webSearchPermissionsSchema>;

+export const peoplePickerPermissionsSchema = z.object({
+  [Permissions.VIEW_USERS]: z.boolean().default(true),
+  [Permissions.VIEW_GROUPS]: z.boolean().default(true),
+});
+export type TPeoplePickerPermissions = z.infer<typeof peoplePickerPermissionsSchema>;
+
 export const fileSearchPermissionsSchema = z.object({
  [Permissions.USE]: z.boolean().default(true),
 });
@ -122,5 +134,6 @@ export const permissionsSchema = z.object({
  [PermissionTypes.TEMPORARY_CHAT]: temporaryChatPermissionsSchema,
  [PermissionTypes.RUN_CODE]: runCodePermissionsSchema,
  [PermissionTypes.WEB_SEARCH]: webSearchPermissionsSchema,
+  [PermissionTypes.PEOPLE_PICKER]: peoplePickerPermissionsSchema,
  [PermissionTypes.FILE_SEARCH]: fileSearchPermissionsSchema,
 });
--- a/packages/data-provider/src/roles.ts
+++ b/packages/data-provider/src/roles.ts
@ -12,6 +12,7 @@ import {
  fileSearchPermissionsSchema,
  multiConvoPermissionsSchema,
  temporaryChatPermissionsSchema,
+  peoplePickerPermissionsSchema,
 } from './permissions';

 /**
@ -75,6 +76,10 @@ const defaultRolesSchema = z.object({
      [PermissionTypes.WEB_SEARCH]: webSearchPermissionsSchema.extend({
        [Permissions.USE]: z.boolean().default(true),
      }),
+      [PermissionTypes.PEOPLE_PICKER]: peoplePickerPermissionsSchema.extend({
+        [Permissions.VIEW_USERS]: z.boolean().default(true),
+        [Permissions.VIEW_GROUPS]: z.boolean().default(true),
+      }),
      [PermissionTypes.FILE_SEARCH]: fileSearchPermissionsSchema.extend({
        [Permissions.USE]: z.boolean().default(true),
      }),
@ -122,6 +127,10 @@ export const roleDefaults = defaultRolesSchema.parse({
      [PermissionTypes.WEB_SEARCH]: {
        [Permissions.USE]: true,
      },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_USERS]: true,
+        [Permissions.VIEW_GROUPS]: true,
+      },
      [PermissionTypes.FILE_SEARCH]: {
        [Permissions.USE]: true,
      },
@ -138,6 +147,10 @@ export const roleDefaults = defaultRolesSchema.parse({
      [PermissionTypes.TEMPORARY_CHAT]: {},
      [PermissionTypes.RUN_CODE]: {},
      [PermissionTypes.WEB_SEARCH]: {},
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_USERS]: false,
+        [Permissions.VIEW_GROUPS]: false,
+      },
      [PermissionTypes.FILE_SEARCH]: {},
    },
  },
--- a/packages/data-schemas/src/schema/role.ts
+++ b/packages/data-schemas/src/schema/role.ts
@ -39,6 +39,10 @@ const rolePermissionsSchema = new Schema(
    [PermissionTypes.WEB_SEARCH]: {
      [Permissions.USE]: { type: Boolean, default: true },
    },
+    [PermissionTypes.PEOPLE_PICKER]: {
+      [Permissions.VIEW_USERS]: { type: Boolean, default: false },
+      [Permissions.VIEW_GROUPS]: { type: Boolean, default: false },
+    },
    [PermissionTypes.FILE_SEARCH]: {
      [Permissions.USE]: { type: Boolean, default: true },
    },
@ -72,6 +76,10 @@ const roleSchema: Schema<IRole> = new Schema({
      [PermissionTypes.TEMPORARY_CHAT]: { [Permissions.USE]: true },
      [PermissionTypes.RUN_CODE]: { [Permissions.USE]: true },
      [PermissionTypes.WEB_SEARCH]: { [Permissions.USE]: true },
+      [PermissionTypes.PEOPLE_PICKER]: {
+        [Permissions.VIEW_USERS]: false,
+        [Permissions.VIEW_GROUPS]: false,
+      },
      [PermissionTypes.FILE_SEARCH]: { [Permissions.USE]: true },
    }),
  },
--- a/packages/data-schemas/src/types/role.ts
+++ b/packages/data-schemas/src/types/role.ts
@ -35,6 +35,10 @@ export interface IRole extends Document {
    [PermissionTypes.WEB_SEARCH]?: {
      [Permissions.USE]?: boolean;
    };
+    [PermissionTypes.PEOPLE_PICKER]?: {
+      [Permissions.VIEW_USERS]?: boolean;
+      [Permissions.VIEW_GROUPS]?: boolean;
+    };
    [PermissionTypes.FILE_SEARCH]?: {
      [Permissions.USE]?: boolean;
    };