From d2e1ca4c4a265bfb6db58e1f2d91f87773cfb66d Mon Sep 17 00:00:00 2001
From: Samuel Path <samuelpath@users.noreply.github.com>
Date: Fri, 11 Jul 2025 21:37:11 +0200
Subject: [PATCH] =?UTF-8?q?=F0=9F=96=BC=EF=B8=8F=20fix:=20Permission=20Che?=
 =?UTF-8?q?cks=20for=20Agent=20Avatar=20Uploads=20(#8412)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Implements permission validation before allowing agent avatar uploads. Only admins, the agent's author, or users of collaborative agents can modify avatars. Also improves error handling by checking for agent existence upfront and simplifies avatar update logic.

Co-authored-by: Sai Nihas <sai.nihas@shopify.com>
---
 api/server/controllers/agents/v1.js | 27 ++++++++++++++++++---------
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/api/server/controllers/agents/v1.js b/api/server/controllers/agents/v1.js
index 4aa50521cf..c3c6167605 100644
--- a/api/server/controllers/agents/v1.js
+++ b/api/server/controllers/agents/v1.js
@@ -391,6 +391,22 @@ const uploadAgentAvatarHandler = async (req, res) => {
       return res.status(400).json({ message: 'Agent ID is required' });
     }
 
+    const isAdmin = req.user.role === SystemRoles.ADMIN;
+    const existingAgent = await getAgent({ id: agent_id });
+
+    if (!existingAgent) {
+      return res.status(404).json({ error: 'Agent not found' });
+    }
+
+    const isAuthor = existingAgent.author.toString() === req.user.id;
+    const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
+
+    if (!hasEditPermission) {
+      return res.status(403).json({
+        error: 'You do not have permission to modify this non-collaborative agent',
+      });
+    }
+
     const buffer = await fs.readFile(req.file.path);
 
     const fileStrategy = req.app.locals.fileStrategy;
@@ -413,14 +429,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
       source: fileStrategy,
     };
 
-    let _avatar;
-    try {
-      const agent = await getAgent({ id: agent_id });
-      _avatar = agent.avatar;
-    } catch (error) {
-      logger.error('[/:agent_id/avatar] Error fetching agent', error);
-      _avatar = {};
-    }
+    let _avatar = existingAgent.avatar;
 
     if (_avatar && _avatar.source) {
       const { deleteFile } = getStrategyFunctions(_avatar.source);
@@ -442,7 +451,7 @@ const uploadAgentAvatarHandler = async (req, res) => {
     };
 
     promises.push(
-      await updateAgent({ id: agent_id, author: req.user.id }, data, {
+      await updateAgent({ id: agent_id }, data, {
         updatingUserId: req.user.id,
       }),
     );