Andreas/LibreChat
1
0
Fork 0
mirror of https://github.com/danny-avila/LibreChat.git synced 2026-03-17 13:16:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 3
LibreChat/packages
History
Exact
Danny Avila 2f09d29c71
🛂 fix: Validate types Query Param in People Picker Access Middleware (#12276) 
* 🛂 fix: Validate `types` query param in people picker access middleware

checkPeoplePickerAccess only inspected `req.query.type` (singular),
allowing callers to bypass type-specific permission checks by using
the `types` (plural) parameter accepted by the controller. Now both
`type` and `types` are collected and each requested principal type is
validated against the caller's role permissions.

* 🛂 refactor: Hoist valid types constant, improve logging, and add edge-case tests

- Hoist VALID_PRINCIPAL_TYPES to module-level Set to avoid per-request allocation
- Include both `type` and `types` in error log for debuggability
- Restore detailed JSDoc documenting per-type permission requirements
- Add missing .json() assertion on partial-denial test
- Add edge-case tests: all-invalid types, empty string types, PrincipalType.PUBLIC

* 🏷️ fix: Align TPrincipalSearchParams with actual controller API

The stale type used `type` (singular) but the controller and all callers
use `types` (plural array). Aligns with PrincipalSearchParams in
types/queries.ts.
2026-03-17 02:46:11 -04:00
..
api 🧯 fix: Add Pre-Parse File Size Guard to Document Parser (#12275) 2026-03-17 02:36:18 -04:00
client v0.8.3 (#12161) 2026-03-09 15:19:57 -04:00
data-provider 🛂 fix: Validate types Query Param in People Picker Access Middleware (#12276) 2026-03-17 02:46:11 -04:00
data-schemas 🔑 fix: Require OTP Verification for 2FA Re-Enrollment and Backup Code Regeneration (#12223) 2026-03-14 01:51:31 -04:00