mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-18 17:30:16 +01:00
0e719592c6
* feat: Add 'Run Code' and 'Temporary Chat' permissions to role management * feat: Add NextFunction typedef to api/typedefs.js * feat: Add temporary chat and run code permissions to role schema * refactor: Enhance access check middleware with logging for permission errors and better typing * refactor: Set default value of USE permission to true in multiConvoPermissionsSchema * refactor: Implement checkAccess function for separation of permission validation logic from middleware * feat: Integrate permission checks for tool execution and enhance Markdown code block with execution capability * fix: Convert REDIS_MAX_LISTENERS to a number, closes #5979
78 lines
2.6 KiB
JavaScript
78 lines
2.6 KiB
JavaScript
const { getRoleByName } = require('~/models/Role');
|
|
const { logger } = require('~/config');
|
|
|
|
/**
|
|
* Core function to check if a user has one or more required permissions
|
|
*
|
|
* @param {object} user - The user object
|
|
* @param {PermissionTypes} permissionType - The type of permission to check
|
|
* @param {Permissions[]} permissions - The list of specific permissions to check
|
|
* @param {Record<Permissions, string[]>} [bodyProps] - An optional object where keys are permissions and values are arrays of properties to check
|
|
* @param {object} [checkObject] - The object to check properties against
|
|
* @returns {Promise<boolean>} Whether the user has the required permissions
|
|
*/
|
|
const checkAccess = async (user, permissionType, permissions, bodyProps = {}, checkObject = {}) => {
|
|
if (!user) {
|
|
return false;
|
|
}
|
|
|
|
const role = await getRoleByName(user.role);
|
|
if (role && role[permissionType]) {
|
|
const hasAnyPermission = permissions.some((permission) => {
|
|
if (role[permissionType][permission]) {
|
|
return true;
|
|
}
|
|
|
|
if (bodyProps[permission] && checkObject) {
|
|
return bodyProps[permission].some((prop) =>
|
|
Object.prototype.hasOwnProperty.call(checkObject, prop),
|
|
);
|
|
}
|
|
|
|
return false;
|
|
});
|
|
|
|
return hasAnyPermission;
|
|
}
|
|
|
|
return false;
|
|
};
|
|
|
|
/**
|
|
* Middleware to check if a user has one or more required permissions, optionally based on `req.body` properties.
|
|
*
|
|
* @param {PermissionTypes} permissionType - The type of permission to check.
|
|
* @param {Permissions[]} permissions - The list of specific permissions to check.
|
|
* @param {Record<Permissions, string[]>} [bodyProps] - An optional object where keys are permissions and values are arrays of `req.body` properties to check.
|
|
* @returns {(req: ServerRequest, res: ServerResponse, next: NextFunction) => Promise<void>} Express middleware function.
|
|
*/
|
|
const generateCheckAccess = (permissionType, permissions, bodyProps = {}) => {
|
|
return async (req, res, next) => {
|
|
try {
|
|
const hasAccess = await checkAccess(
|
|
req.user,
|
|
permissionType,
|
|
permissions,
|
|
bodyProps,
|
|
req.body,
|
|
);
|
|
|
|
if (hasAccess) {
|
|
return next();
|
|
}
|
|
|
|
logger.warn(
|
|
`[${permissionType}] Forbidden: Insufficient permissions for User ${req.user.id}: ${permissions.join(', ')}`,
|
|
);
|
|
return res.status(403).json({ message: 'Forbidden: Insufficient permissions' });
|
|
} catch (error) {
|
|
logger.error(error);
|
|
return res.status(500).json({ message: `Server error: ${error.message}` });
|
|
}
|
|
};
|
|
};
|
|
|
|
module.exports = {
|
|
checkAccess,
|
|
generateCheckAccess,
|
|
};
|