mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-04-03 14:27:20 +02:00
2451bf54cf
* 🛡️ fix: restrict system grants to role principals only Narrows GrantPrincipalType to PrincipalType.ROLE, rejecting GROUP and USER with 400. Removes grant cascade cleanup from group/user deletion handlers and their route wiring since only roles can hold grants. * 🛡️ fix: address review findings for grants roles-only restriction Add missing GROUP rejection test for revokeGrant (symmetric with getPrincipalGrants and assignGrant coverage), add extensibility comment to GrantPrincipalType, and document the checkRoleExists guard.
28 lines
1.1 KiB
JavaScript
28 lines
1.1 KiB
JavaScript
const express = require('express');
|
|
const { createAdminUsersHandlers } = require('@librechat/api');
|
|
const { SystemCapabilities } = require('@librechat/data-schemas');
|
|
const { requireCapability } = require('~/server/middleware/roles/capabilities');
|
|
const { requireJwtAuth } = require('~/server/middleware');
|
|
const db = require('~/models');
|
|
|
|
const router = express.Router();
|
|
|
|
const requireAdminAccess = requireCapability(SystemCapabilities.ACCESS_ADMIN);
|
|
const requireReadUsers = requireCapability(SystemCapabilities.READ_USERS);
|
|
// const requireManageUsers = requireCapability(SystemCapabilities.MANAGE_USERS);
|
|
|
|
const handlers = createAdminUsersHandlers({
|
|
findUsers: db.findUsers,
|
|
countUsers: db.countUsers,
|
|
deleteUserById: db.deleteUserById,
|
|
deleteConfig: db.deleteConfig,
|
|
deleteAclEntries: db.deleteAclEntries,
|
|
});
|
|
|
|
router.use(requireJwtAuth, requireAdminAccess);
|
|
|
|
router.get('/', requireReadUsers, handlers.listUsers);
|
|
router.get('/search', requireReadUsers, handlers.searchUsers);
|
|
// router.delete('/:id', requireManageUsers, handlers.deleteUser);
|
|
|
|
module.exports = router;
|