mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-03-18 13:46:34 +01:00
2f09d29c71
* 🛂 fix: Validate `types` query param in people picker access middleware checkPeoplePickerAccess only inspected `req.query.type` (singular), allowing callers to bypass type-specific permission checks by using the `types` (plural) parameter accepted by the controller. Now both `type` and `types` are collected and each requested principal type is validated against the caller's role permissions. * 🛂 refactor: Hoist valid types constant, improve logging, and add edge-case tests - Hoist VALID_PRINCIPAL_TYPES to module-level Set to avoid per-request allocation - Include both `type` and `types` in error log for debuggability - Restore detailed JSDoc documenting per-type permission requirements - Add missing .json() assertion on partial-denial test - Add edge-case tests: all-invalid types, empty string types, PrincipalType.PUBLIC * 🏷️ fix: Align TPrincipalSearchParams with actual controller API The stale type used `type` (singular) but the controller and all callers use `types` (plural array). Aligns with PrincipalSearchParams in types/queries.ts. |
||
|---|---|---|
| .. | ||
| react-query | ||
| specs | ||
| src | ||
| .gitignore | ||
| babel.config.js | ||
| check_updates.sh | ||
| jest.config.js | ||
| package.json | ||
| rollup.config.js | ||
| server-rollup.config.js | ||
| tsconfig.json | ||
| tsconfig.spec.json | ||