mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-03-16 12:46:34 +01:00
8e8fb01d18
* 🔏 fix: Apply agent access control filtering to context/OCR resource loading
The context/OCR file path in primeResources fetched files by file_id
without applying filterFilesByAgentAccess, unlike the file_search and
execute_code paths. Add filterFiles dependency injection to primeResources
and invoke it after getFiles to enforce consistent access control.
* fix: Wire filterFilesByAgentAccess into all agent initialization callers
Pass the filterFilesByAgentAccess function from the JS layer into the TS
initializeAgent → primeResources chain via dependency injection, covering
primary, handoff, added-convo, and memory agent init paths.
* test: Add access control filtering tests for primeResources
Cover filterFiles invocation with context/OCR files, verify filtering
rejects inaccessible files, and confirm graceful fallback when filterFiles,
userId, or agentId are absent.
* fix: Guard filterFilesByAgentAccess against ephemeral agent IDs
Ephemeral agents have no DB document, so getAgent returns null and the
access map defaults to all-false, silently blocking all non-owned files.
Short-circuit with isEphemeralAgentId to preserve the pass-through
behavior for inline-built agents (memory, tool agents).
* fix: Clean up resources.ts and JS caller import order
Remove redundant optional chain on req.user.role inside user-guarded
block, update primeResources JSDoc with filterFiles and agentId params,
and reorder JS imports to longest-to-shortest per project conventions.
* test: Strengthen OCR assertion and add filterFiles error-path test
Use toHaveBeenCalledWith for the OCR filtering test to verify exact
arguments after the OCR→context merge step. Add test for filterFiles
rejection to verify graceful degradation (logs error, returns original
tool_resources).
* fix: Correct import order in addedConvo.js and initialize.js
Sort by total line length descending: loadAddedAgent (91) before
filterFilesByAgentAccess (84), loadAgentTools (91) before
filterFilesByAgentAccess (84).
* test: Add unit tests for filterFilesByAgentAccess and hasAccessToFilesViaAgent
Cover every branch in permissions.js: ephemeral agent guard, missing
userId/agentId/files early returns, all-owned short-circuit, mixed
owned + non-owned with VIEW/no-VIEW, agent-not-found fail-closed,
author path scoped to attached files, EDIT gate on delete, DB error
fail-closed, and agent with no tool_resources.
* test: Cover file.user undefined/null in permissions spec
Files with no user field fall into the non-owned path and get run
through hasAccessToFilesViaAgent. Add two cases: attached file with
no user field is returned, unattached file with no user field is
excluded.
144 lines
4.8 KiB
JavaScript
144 lines
4.8 KiB
JavaScript
const { logger } = require('@librechat/data-schemas');
|
|
const { initializeAgent, validateAgentModel } = require('@librechat/api');
|
|
const { loadAddedAgent, setGetAgent, ADDED_AGENT_ID } = require('~/models/loadAddedAgent');
|
|
const { filterFilesByAgentAccess } = require('~/server/services/Files/permissions');
|
|
const { getConvoFiles } = require('~/models/Conversation');
|
|
const { getAgent } = require('~/models/Agent');
|
|
const db = require('~/models');
|
|
|
|
// Initialize the getAgent dependency
|
|
setGetAgent(getAgent);
|
|
|
|
/**
|
|
* Process addedConvo for parallel agent execution.
|
|
* Creates a parallel agent config from an added conversation.
|
|
*
|
|
* When an added agent has no incoming edges, it becomes a start node
|
|
* and runs in parallel with the primary agent automatically.
|
|
*
|
|
* Edge cases handled:
|
|
* - Primary agent has edges (handoffs): Added agent runs in parallel with primary,
|
|
* but doesn't participate in the primary's handoff graph
|
|
* - Primary agent has agent_ids (legacy chain): Added agent runs in parallel with primary,
|
|
* but doesn't participate in the chain
|
|
* - Primary agent has both: Added agent is independent, runs parallel from start
|
|
*
|
|
* @param {Object} params
|
|
* @param {import('express').Request} params.req
|
|
* @param {import('express').Response} params.res
|
|
* @param {Object} params.endpointOption - The endpoint option containing addedConvo
|
|
* @param {Object} params.modelsConfig - The models configuration
|
|
* @param {Function} params.logViolation - Function to log violations
|
|
* @param {Function} params.loadTools - Function to load agent tools
|
|
* @param {Array} params.requestFiles - Request files
|
|
* @param {string} params.conversationId - The conversation ID
|
|
* @param {string} [params.parentMessageId] - The parent message ID for thread filtering
|
|
* @param {Set} params.allowedProviders - Set of allowed providers
|
|
* @param {Map} params.agentConfigs - Map of agent configs to add to
|
|
* @param {string} params.primaryAgentId - The primary agent ID
|
|
* @param {Object|undefined} params.userMCPAuthMap - User MCP auth map to merge into
|
|
* @returns {Promise<{userMCPAuthMap: Object|undefined}>} The updated userMCPAuthMap
|
|
*/
|
|
const processAddedConvo = async ({
|
|
req,
|
|
res,
|
|
endpointOption,
|
|
modelsConfig,
|
|
logViolation,
|
|
loadTools,
|
|
requestFiles,
|
|
conversationId,
|
|
parentMessageId,
|
|
allowedProviders,
|
|
agentConfigs,
|
|
primaryAgentId,
|
|
primaryAgent,
|
|
userMCPAuthMap,
|
|
}) => {
|
|
const addedConvo = endpointOption.addedConvo;
|
|
if (addedConvo == null) {
|
|
return { userMCPAuthMap };
|
|
}
|
|
|
|
logger.debug('[processAddedConvo] Processing added conversation', {
|
|
model: addedConvo.model,
|
|
agentId: addedConvo.agent_id,
|
|
endpoint: addedConvo.endpoint,
|
|
});
|
|
|
|
try {
|
|
const addedAgent = await loadAddedAgent({ req, conversation: addedConvo, primaryAgent });
|
|
if (!addedAgent) {
|
|
return { userMCPAuthMap };
|
|
}
|
|
|
|
const addedValidation = await validateAgentModel({
|
|
req,
|
|
res,
|
|
modelsConfig,
|
|
logViolation,
|
|
agent: addedAgent,
|
|
});
|
|
|
|
if (!addedValidation.isValid) {
|
|
logger.warn(
|
|
`[processAddedConvo] Added agent validation failed: ${addedValidation.error?.message}`,
|
|
);
|
|
return { userMCPAuthMap };
|
|
}
|
|
|
|
const addedConfig = await initializeAgent(
|
|
{
|
|
req,
|
|
res,
|
|
loadTools,
|
|
requestFiles,
|
|
conversationId,
|
|
parentMessageId,
|
|
agent: addedAgent,
|
|
endpointOption,
|
|
allowedProviders,
|
|
},
|
|
{
|
|
getConvoFiles,
|
|
getFiles: db.getFiles,
|
|
getUserKey: db.getUserKey,
|
|
getMessages: db.getMessages,
|
|
updateFilesUsage: db.updateFilesUsage,
|
|
getUserCodeFiles: db.getUserCodeFiles,
|
|
getUserKeyValues: db.getUserKeyValues,
|
|
getToolFilesByIds: db.getToolFilesByIds,
|
|
getCodeGeneratedFiles: db.getCodeGeneratedFiles,
|
|
filterFilesByAgentAccess,
|
|
},
|
|
);
|
|
|
|
if (userMCPAuthMap != null) {
|
|
Object.assign(userMCPAuthMap, addedConfig.userMCPAuthMap ?? {});
|
|
} else {
|
|
userMCPAuthMap = addedConfig.userMCPAuthMap;
|
|
}
|
|
|
|
const addedAgentId = addedConfig.id || ADDED_AGENT_ID;
|
|
agentConfigs.set(addedAgentId, addedConfig);
|
|
|
|
// No edges needed - agent without incoming edges becomes a start node
|
|
// and runs in parallel with the primary agent automatically.
|
|
// This is independent of any edges/agent_ids the primary agent has.
|
|
|
|
logger.debug(
|
|
`[processAddedConvo] Added parallel agent: ${addedAgentId} (primary: ${primaryAgentId}, ` +
|
|
`primary has edges: ${!!endpointOption.edges}, primary has agent_ids: ${!!endpointOption.agent_ids})`,
|
|
);
|
|
|
|
return { userMCPAuthMap };
|
|
} catch (err) {
|
|
logger.error('[processAddedConvo] Error processing addedConvo for parallel agent', err);
|
|
return { userMCPAuthMap };
|
|
}
|
|
};
|
|
|
|
module.exports = {
|
|
processAddedConvo,
|
|
ADDED_AGENT_ID,
|
|
};
|