mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-09-22 06:00:56 +02:00
81139046e5
* WIP: conversion of `ocr` to `context` * refactor: make `primeResources` backwards-compatible for `ocr` tool_resources * refactor: Convert legacy `ocr` tool resource to `context` in agent updates - Implemented conversion logic to replace `ocr` with `context` in both incoming updates and existing agent data. - Merged file IDs and files from `ocr` into `context` while ensuring deduplication. - Updated tools array to reflect the change from `ocr` to `context`. * refactor: Enhance context file handling in agent processing - Updated the logic for managing context files by consolidating file IDs from both `ocr` and `context` resources. - Improved backwards compatibility by ensuring that context files are correctly populated and handled. - Simplified the iteration over context files for better readability and maintainability. * refactor: Enhance tool_resources handling in primeResources - Added tests to verify the deletion behavior of tool_resources fields, ensuring original objects remain unchanged. - Implemented logic to delete `ocr` and `context` fields after fetching and re-categorizing files. - Preserved context field when the context capability is disabled, ensuring correct behavior in various scenarios. * refactor: Replace `ocrEnabled` with `contextEnabled` in AgentConfig * refactor: Adjust legacy tool handling order for improved clarity * refactor: Implement OCR to context conversion functions and remove original conversion logic in update agent handling * refactor: Move contextEnabled declaration to maintain consistent order in capabilities * refactor: Update localization keys for file context to improve clarity and accuracy * chore: Update localization key for file context information to improve clarity
123 lines
3.7 KiB
JavaScript
123 lines
3.7 KiB
JavaScript
const { logger } = require('@librechat/data-schemas');
|
|
const { PermissionBits, hasPermissions, ResourceType } = require('librechat-data-provider');
|
|
const { getEffectivePermissions } = require('~/server/services/PermissionService');
|
|
const { getAgents } = require('~/models/Agent');
|
|
const { getFiles } = require('~/models/File');
|
|
|
|
/**
|
|
* Checks if user has access to a file through agent permissions
|
|
* Files inherit permissions from agents - if you can view the agent, you can access its files
|
|
*/
|
|
const checkAgentBasedFileAccess = async ({ userId, role, fileId }) => {
|
|
try {
|
|
/** Agents that have this file in their tool_resources */
|
|
const agentsWithFile = await getAgents({
|
|
$or: [
|
|
{ 'tool_resources.execute_code.file_ids': fileId },
|
|
{ 'tool_resources.file_search.file_ids': fileId },
|
|
{ 'tool_resources.context.file_ids': fileId },
|
|
{ 'tool_resources.ocr.file_ids': fileId },
|
|
],
|
|
});
|
|
|
|
if (!agentsWithFile || agentsWithFile.length === 0) {
|
|
return false;
|
|
}
|
|
|
|
// Check if user has access to any of these agents
|
|
for (const agent of agentsWithFile) {
|
|
// Check if user is the agent author
|
|
if (agent.author && agent.author.toString() === userId) {
|
|
logger.debug(`[fileAccess] User is author of agent ${agent.id}`);
|
|
return true;
|
|
}
|
|
|
|
// Check ACL permissions for VIEW access on the agent
|
|
try {
|
|
const permissions = await getEffectivePermissions({
|
|
userId,
|
|
role,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent._id || agent.id,
|
|
});
|
|
|
|
if (hasPermissions(permissions, PermissionBits.VIEW)) {
|
|
logger.debug(`[fileAccess] User ${userId} has VIEW permissions on agent ${agent.id}`);
|
|
return true;
|
|
}
|
|
} catch (permissionError) {
|
|
logger.warn(
|
|
`[fileAccess] Permission check failed for agent ${agent.id}:`,
|
|
permissionError.message,
|
|
);
|
|
// Continue checking other agents
|
|
}
|
|
}
|
|
|
|
return false;
|
|
} catch (error) {
|
|
logger.error('[fileAccess] Error checking agent-based access:', error);
|
|
return false;
|
|
}
|
|
};
|
|
|
|
/**
|
|
* Middleware to check if user can access a file
|
|
* Checks: 1) File ownership, 2) Agent-based access (file inherits agent permissions)
|
|
*/
|
|
const fileAccess = async (req, res, next) => {
|
|
try {
|
|
const fileId = req.params.file_id;
|
|
const userId = req.user?.id;
|
|
const userRole = req.user?.role;
|
|
if (!fileId) {
|
|
return res.status(400).json({
|
|
error: 'Bad Request',
|
|
message: 'file_id is required',
|
|
});
|
|
}
|
|
|
|
if (!userId) {
|
|
return res.status(401).json({
|
|
error: 'Unauthorized',
|
|
message: 'Authentication required',
|
|
});
|
|
}
|
|
|
|
const [file] = await getFiles({ file_id: fileId });
|
|
if (!file) {
|
|
return res.status(404).json({
|
|
error: 'Not Found',
|
|
message: 'File not found',
|
|
});
|
|
}
|
|
|
|
if (file.user && file.user.toString() === userId) {
|
|
req.fileAccess = { file };
|
|
return next();
|
|
}
|
|
|
|
/** Agent-based access (file inherits agent permissions) */
|
|
const hasAgentAccess = await checkAgentBasedFileAccess({ userId, role: userRole, fileId });
|
|
if (hasAgentAccess) {
|
|
req.fileAccess = { file };
|
|
return next();
|
|
}
|
|
|
|
logger.warn(`[fileAccess] User ${userId} denied access to file ${fileId}`);
|
|
return res.status(403).json({
|
|
error: 'Forbidden',
|
|
message: 'Insufficient permissions to access this file',
|
|
});
|
|
} catch (error) {
|
|
logger.error('[fileAccess] Error checking file access:', error);
|
|
return res.status(500).json({
|
|
error: 'Internal Server Error',
|
|
message: 'Failed to check file access permissions',
|
|
});
|
|
}
|
|
};
|
|
|
|
module.exports = {
|
|
fileAccess,
|
|
};
|