mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-02-06 17:51:50 +01:00
8cf5ae7e79
* 🔧 refactor: Update permissions handling in updateInterfacePermissions function - Removed explicit SHARE and SHARE_PUBLIC permissions for PROMPTS when prompts are true, simplifying the permission logic. - Adjusted the permissions structure to conditionally include SHARE and SHARE_PUBLIC based on the type of interface configuration, enhancing maintainability and clarity in permission management. - Updated related tests to reflect the changes in permission handling for consistency and accuracy. * 🔧 refactor: Enhance permission configuration in updateInterfacePermissions - Introduced a new `create` property in the permission configuration object to improve flexibility in permission management. - Updated helper functions to accommodate the new `create` property, ensuring backward compatibility with existing boolean configurations. - Adjusted default values for prompts and agents to include the new `create` property, enhancing the overall permission structure. * 🧪 test: Add regression tests for SHARE/SHARE_PUBLIC permission handling - Introduced tests to ensure existing SHARE and SHARE_PUBLIC values are preserved when using boolean configuration for agents. - Added validation to confirm that SHARE and SHARE_PUBLIC are included in the update payload when using object configuration, enhancing the accuracy of permission management. - These tests address potential regressions and improve the robustness of the permission handling logic in the updateInterfacePermissions function. * fix: accessing undefined regex - Moved the creation of the domainSeparatorRegex to the beginning of the loadToolDefinitionsWrapper function for improved clarity and performance. - Removed redundant regex initialization within the function's loop, enhancing code efficiency and maintainability. * 🧪 test: Enhance regression tests for SHARE/SHARE_PUBLIC permission handling - Added a new test to ensure that SHARE and SHARE_PUBLIC permissions are preserved when using object configuration without explicit share/public keys. - Updated existing tests to validate the inclusion of SHARE and SHARE_PUBLIC in the update payload when using object configuration, improving the robustness of permission management. - Adjusted the updateInterfacePermissions function to conditionally include SHARE and SHARE_PUBLIC based on the presence of share/public keys in the configuration, enhancing clarity and maintainability. * 🔧 refactor: Update permission handling in updateInterfacePermissions - Simplified the logic for including CREATE, SHARE, and SHARE_PUBLIC permissions in the update payload based on the presence of corresponding keys in the configuration object. - Adjusted tests to reflect the changes, ensuring that only the USE permission is updated when existing permissions are present, preserving the database values for CREATE, SHARE, and SHARE_PUBLIC. - Enhanced clarity in comments to better explain the permission management logic.
417 lines
17 KiB
TypeScript
417 lines
17 KiB
TypeScript
import { logger } from '@librechat/data-schemas';
|
|
import {
|
|
SystemRoles,
|
|
Permissions,
|
|
roleDefaults,
|
|
PermissionTypes,
|
|
getConfigDefaults,
|
|
} from 'librechat-data-provider';
|
|
import type { IRole, AppConfig } from '@librechat/data-schemas';
|
|
import { isMemoryEnabled } from '~/memory/config';
|
|
|
|
/**
|
|
* Checks if a permission type has explicit configuration
|
|
*/
|
|
function hasExplicitConfig(
|
|
interfaceConfig: AppConfig['interfaceConfig'],
|
|
permissionType: PermissionTypes,
|
|
) {
|
|
switch (permissionType) {
|
|
case PermissionTypes.PROMPTS:
|
|
return interfaceConfig?.prompts !== undefined;
|
|
case PermissionTypes.BOOKMARKS:
|
|
return interfaceConfig?.bookmarks !== undefined;
|
|
case PermissionTypes.MEMORIES:
|
|
return interfaceConfig?.memories !== undefined;
|
|
case PermissionTypes.MULTI_CONVO:
|
|
return interfaceConfig?.multiConvo !== undefined;
|
|
case PermissionTypes.AGENTS:
|
|
return interfaceConfig?.agents !== undefined;
|
|
case PermissionTypes.TEMPORARY_CHAT:
|
|
return interfaceConfig?.temporaryChat !== undefined;
|
|
case PermissionTypes.RUN_CODE:
|
|
return interfaceConfig?.runCode !== undefined;
|
|
case PermissionTypes.WEB_SEARCH:
|
|
return interfaceConfig?.webSearch !== undefined;
|
|
case PermissionTypes.PEOPLE_PICKER:
|
|
return interfaceConfig?.peoplePicker !== undefined;
|
|
case PermissionTypes.MARKETPLACE:
|
|
return interfaceConfig?.marketplace !== undefined;
|
|
case PermissionTypes.FILE_SEARCH:
|
|
return interfaceConfig?.fileSearch !== undefined;
|
|
case PermissionTypes.FILE_CITATIONS:
|
|
return interfaceConfig?.fileCitations !== undefined;
|
|
case PermissionTypes.MCP_SERVERS:
|
|
return interfaceConfig?.mcpServers !== undefined;
|
|
case PermissionTypes.REMOTE_AGENTS:
|
|
return interfaceConfig?.remoteAgents !== undefined;
|
|
default:
|
|
return false;
|
|
}
|
|
}
|
|
|
|
export async function updateInterfacePermissions({
|
|
appConfig,
|
|
getRoleByName,
|
|
updateAccessPermissions,
|
|
}: {
|
|
appConfig: AppConfig;
|
|
getRoleByName: (roleName: string, fieldsToSelect?: string | string[]) => Promise<IRole | null>;
|
|
updateAccessPermissions: (
|
|
roleName: string,
|
|
permissionsUpdate: Partial<Record<PermissionTypes, Record<string, boolean | undefined>>>,
|
|
|
|
roleData?: IRole | null,
|
|
) => Promise<void>;
|
|
}) {
|
|
const loadedInterface = appConfig?.interfaceConfig;
|
|
if (!loadedInterface) {
|
|
return;
|
|
}
|
|
/** Configured values for interface object structure */
|
|
const interfaceConfig = appConfig?.config?.interface;
|
|
const memoryConfig = appConfig?.config?.memory;
|
|
const memoryEnabled = isMemoryEnabled(memoryConfig);
|
|
/** Check if memory is explicitly disabled (memory.disabled === true) */
|
|
const isMemoryExplicitlyDisabled = memoryConfig?.disabled === true;
|
|
/** Check if memory should be enabled (explicitly enabled or valid config) */
|
|
const shouldEnableMemory =
|
|
memoryConfig?.disabled === false ||
|
|
(memoryConfig && memoryEnabled && memoryConfig.disabled === undefined);
|
|
/** Check if personalization is enabled (defaults to true if memory is configured and enabled) */
|
|
const isPersonalizationEnabled =
|
|
memoryConfig && memoryEnabled && memoryConfig.personalize !== false;
|
|
|
|
/** Helper to get permission value with proper precedence */
|
|
const getPermissionValue = (
|
|
configValue?: boolean,
|
|
roleDefault?: boolean,
|
|
schemaDefault?: boolean,
|
|
) => {
|
|
if (configValue !== undefined) return configValue;
|
|
if (roleDefault !== undefined) return roleDefault;
|
|
return schemaDefault;
|
|
};
|
|
|
|
const defaults = getConfigDefaults().interface;
|
|
|
|
// Permission precedence order:
|
|
// 1. Explicit user configuration (from librechat.yaml)
|
|
// 2. Role-specific defaults (from roleDefaults)
|
|
// 3. Interface schema defaults (from interfaceSchema.default())
|
|
for (const roleName of [SystemRoles.USER, SystemRoles.ADMIN]) {
|
|
const defaultPerms = roleDefaults[roleName]?.permissions;
|
|
|
|
const existingRole = await getRoleByName(roleName);
|
|
const existingPermissions = existingRole?.permissions as
|
|
| Partial<Record<PermissionTypes, Record<string, boolean | undefined>>>
|
|
| undefined;
|
|
const permissionsToUpdate: Partial<
|
|
Record<PermissionTypes, Record<string, boolean | undefined>>
|
|
> = {};
|
|
|
|
/**
|
|
* Helper to add permission if it should be updated
|
|
*/
|
|
const addPermissionIfNeeded = (
|
|
permType: PermissionTypes,
|
|
permissions: Record<string, boolean | undefined>,
|
|
) => {
|
|
const permTypeExists = existingPermissions?.[permType];
|
|
const isExplicitlyConfigured =
|
|
interfaceConfig && hasExplicitConfig(interfaceConfig, permType);
|
|
const isMemoryDisabled = permType === PermissionTypes.MEMORIES && isMemoryExplicitlyDisabled;
|
|
const isMemoryReenabling =
|
|
permType === PermissionTypes.MEMORIES &&
|
|
shouldEnableMemory &&
|
|
existingPermissions?.[PermissionTypes.MEMORIES]?.[Permissions.USE] === false;
|
|
|
|
// Only update if: doesn't exist OR explicitly configured OR memory state change
|
|
if (!permTypeExists || isExplicitlyConfigured || isMemoryDisabled || isMemoryReenabling) {
|
|
permissionsToUpdate[permType] = permissions;
|
|
if (!permTypeExists) {
|
|
logger.debug(`Role '${roleName}': Setting up default permissions for '${permType}'`);
|
|
} else if (isExplicitlyConfigured) {
|
|
logger.debug(`Role '${roleName}': Applying explicit config for '${permType}'`);
|
|
} else if (isMemoryDisabled) {
|
|
logger.debug(`Role '${roleName}': Disabling memories as memory.disabled is true`);
|
|
} else if (isMemoryReenabling) {
|
|
logger.debug(
|
|
`Role '${roleName}': Re-enabling memories due to valid memory configuration`,
|
|
);
|
|
}
|
|
} else {
|
|
logger.debug(`Role '${roleName}': Preserving existing permissions for '${permType}'`);
|
|
}
|
|
};
|
|
|
|
// Helper to extract value from boolean or object config
|
|
type PermissionConfig =
|
|
| boolean
|
|
| { use?: boolean; create?: boolean; share?: boolean; public?: boolean }
|
|
| undefined;
|
|
const getConfigUse = (config: PermissionConfig) =>
|
|
typeof config === 'boolean' ? config : config?.use;
|
|
const getConfigCreate = (config: PermissionConfig) =>
|
|
typeof config === 'boolean' ? undefined : config?.create;
|
|
const getConfigShare = (config: PermissionConfig) =>
|
|
typeof config === 'boolean' ? undefined : config?.share;
|
|
const getConfigPublic = (config: PermissionConfig) =>
|
|
typeof config === 'boolean' ? undefined : config?.public;
|
|
|
|
// Get default values (for backward compat when config is boolean)
|
|
const promptsDefaultUse =
|
|
typeof defaults.prompts === 'boolean' ? defaults.prompts : defaults.prompts?.use;
|
|
const agentsDefaultUse =
|
|
typeof defaults.agents === 'boolean' ? defaults.agents : defaults.agents?.use;
|
|
const promptsDefaultCreate =
|
|
typeof defaults.prompts === 'object' ? defaults.prompts?.create : undefined;
|
|
const agentsDefaultCreate =
|
|
typeof defaults.agents === 'object' ? defaults.agents?.create : undefined;
|
|
const promptsDefaultShare =
|
|
typeof defaults.prompts === 'object' ? defaults.prompts?.share : undefined;
|
|
const agentsDefaultShare =
|
|
typeof defaults.agents === 'object' ? defaults.agents?.share : undefined;
|
|
const promptsDefaultPublic =
|
|
typeof defaults.prompts === 'object' ? defaults.prompts?.public : undefined;
|
|
const agentsDefaultPublic =
|
|
typeof defaults.agents === 'object' ? defaults.agents?.public : undefined;
|
|
|
|
const allPermissions: Partial<Record<PermissionTypes, Record<string, boolean | undefined>>> = {
|
|
[PermissionTypes.PROMPTS]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
getConfigUse(loadedInterface.prompts),
|
|
defaultPerms[PermissionTypes.PROMPTS]?.[Permissions.USE],
|
|
promptsDefaultUse,
|
|
),
|
|
...((typeof interfaceConfig?.prompts === 'object' && 'create' in interfaceConfig.prompts) ||
|
|
!existingPermissions?.[PermissionTypes.PROMPTS]
|
|
? {
|
|
[Permissions.CREATE]: getPermissionValue(
|
|
getConfigCreate(loadedInterface.prompts),
|
|
defaultPerms[PermissionTypes.PROMPTS]?.[Permissions.CREATE],
|
|
promptsDefaultCreate ?? true,
|
|
),
|
|
}
|
|
: {}),
|
|
...((typeof interfaceConfig?.prompts === 'object' &&
|
|
('share' in interfaceConfig.prompts || 'public' in interfaceConfig.prompts)) ||
|
|
!existingPermissions?.[PermissionTypes.PROMPTS]
|
|
? {
|
|
[Permissions.SHARE]: getPermissionValue(
|
|
getConfigShare(loadedInterface.prompts),
|
|
defaultPerms[PermissionTypes.PROMPTS]?.[Permissions.SHARE],
|
|
promptsDefaultShare,
|
|
),
|
|
[Permissions.SHARE_PUBLIC]: getPermissionValue(
|
|
getConfigPublic(loadedInterface.prompts),
|
|
defaultPerms[PermissionTypes.PROMPTS]?.[Permissions.SHARE_PUBLIC],
|
|
promptsDefaultPublic,
|
|
),
|
|
}
|
|
: {}),
|
|
},
|
|
[PermissionTypes.BOOKMARKS]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.bookmarks,
|
|
defaultPerms[PermissionTypes.BOOKMARKS]?.[Permissions.USE],
|
|
defaults.bookmarks,
|
|
),
|
|
},
|
|
[PermissionTypes.MEMORIES]: {
|
|
[Permissions.USE]: (() => {
|
|
if (isMemoryExplicitlyDisabled) return false;
|
|
if (shouldEnableMemory) return true;
|
|
return getPermissionValue(
|
|
loadedInterface.memories,
|
|
defaultPerms[PermissionTypes.MEMORIES]?.[Permissions.USE],
|
|
defaults.memories,
|
|
);
|
|
})(),
|
|
...(defaultPerms[PermissionTypes.MEMORIES]?.[Permissions.CREATE] !== undefined && {
|
|
[Permissions.CREATE]: isMemoryExplicitlyDisabled
|
|
? false
|
|
: defaultPerms[PermissionTypes.MEMORIES][Permissions.CREATE],
|
|
}),
|
|
...(defaultPerms[PermissionTypes.MEMORIES]?.[Permissions.READ] !== undefined && {
|
|
[Permissions.READ]: isMemoryExplicitlyDisabled
|
|
? false
|
|
: defaultPerms[PermissionTypes.MEMORIES][Permissions.READ],
|
|
}),
|
|
...(defaultPerms[PermissionTypes.MEMORIES]?.[Permissions.UPDATE] !== undefined && {
|
|
[Permissions.UPDATE]: isMemoryExplicitlyDisabled
|
|
? false
|
|
: defaultPerms[PermissionTypes.MEMORIES][Permissions.UPDATE],
|
|
}),
|
|
[Permissions.OPT_OUT]: isMemoryExplicitlyDisabled
|
|
? false
|
|
: isPersonalizationEnabled || undefined,
|
|
},
|
|
[PermissionTypes.MULTI_CONVO]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.multiConvo,
|
|
defaultPerms[PermissionTypes.MULTI_CONVO]?.[Permissions.USE],
|
|
defaults.multiConvo,
|
|
),
|
|
},
|
|
[PermissionTypes.AGENTS]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
getConfigUse(loadedInterface.agents),
|
|
defaultPerms[PermissionTypes.AGENTS]?.[Permissions.USE],
|
|
agentsDefaultUse,
|
|
),
|
|
...((typeof interfaceConfig?.agents === 'object' && 'create' in interfaceConfig.agents) ||
|
|
!existingPermissions?.[PermissionTypes.AGENTS]
|
|
? {
|
|
[Permissions.CREATE]: getPermissionValue(
|
|
getConfigCreate(loadedInterface.agents),
|
|
defaultPerms[PermissionTypes.AGENTS]?.[Permissions.CREATE],
|
|
agentsDefaultCreate ?? true,
|
|
),
|
|
}
|
|
: {}),
|
|
...((typeof interfaceConfig?.agents === 'object' &&
|
|
('share' in interfaceConfig.agents || 'public' in interfaceConfig.agents)) ||
|
|
!existingPermissions?.[PermissionTypes.AGENTS]
|
|
? {
|
|
[Permissions.SHARE]: getPermissionValue(
|
|
getConfigShare(loadedInterface.agents),
|
|
defaultPerms[PermissionTypes.AGENTS]?.[Permissions.SHARE],
|
|
agentsDefaultShare,
|
|
),
|
|
[Permissions.SHARE_PUBLIC]: getPermissionValue(
|
|
getConfigPublic(loadedInterface.agents),
|
|
defaultPerms[PermissionTypes.AGENTS]?.[Permissions.SHARE_PUBLIC],
|
|
agentsDefaultPublic,
|
|
),
|
|
}
|
|
: {}),
|
|
},
|
|
[PermissionTypes.TEMPORARY_CHAT]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.temporaryChat,
|
|
defaultPerms[PermissionTypes.TEMPORARY_CHAT]?.[Permissions.USE],
|
|
defaults.temporaryChat,
|
|
),
|
|
},
|
|
[PermissionTypes.RUN_CODE]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.runCode,
|
|
defaultPerms[PermissionTypes.RUN_CODE]?.[Permissions.USE],
|
|
defaults.runCode,
|
|
),
|
|
},
|
|
[PermissionTypes.WEB_SEARCH]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.webSearch,
|
|
defaultPerms[PermissionTypes.WEB_SEARCH]?.[Permissions.USE],
|
|
defaults.webSearch,
|
|
),
|
|
},
|
|
[PermissionTypes.PEOPLE_PICKER]: {
|
|
[Permissions.VIEW_USERS]: getPermissionValue(
|
|
loadedInterface.peoplePicker?.users,
|
|
defaultPerms[PermissionTypes.PEOPLE_PICKER]?.[Permissions.VIEW_USERS],
|
|
defaults.peoplePicker?.users,
|
|
),
|
|
[Permissions.VIEW_GROUPS]: getPermissionValue(
|
|
loadedInterface.peoplePicker?.groups,
|
|
defaultPerms[PermissionTypes.PEOPLE_PICKER]?.[Permissions.VIEW_GROUPS],
|
|
defaults.peoplePicker?.groups,
|
|
),
|
|
[Permissions.VIEW_ROLES]: getPermissionValue(
|
|
loadedInterface.peoplePicker?.roles,
|
|
defaultPerms[PermissionTypes.PEOPLE_PICKER]?.[Permissions.VIEW_ROLES],
|
|
defaults.peoplePicker?.roles,
|
|
),
|
|
},
|
|
[PermissionTypes.MARKETPLACE]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.marketplace?.use,
|
|
defaultPerms[PermissionTypes.MARKETPLACE]?.[Permissions.USE],
|
|
defaults.marketplace?.use,
|
|
),
|
|
},
|
|
[PermissionTypes.FILE_SEARCH]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.fileSearch,
|
|
defaultPerms[PermissionTypes.FILE_SEARCH]?.[Permissions.USE],
|
|
defaults.fileSearch,
|
|
),
|
|
},
|
|
[PermissionTypes.FILE_CITATIONS]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.fileCitations,
|
|
defaultPerms[PermissionTypes.FILE_CITATIONS]?.[Permissions.USE],
|
|
defaults.fileCitations,
|
|
),
|
|
},
|
|
[PermissionTypes.MCP_SERVERS]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.mcpServers?.use,
|
|
defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.USE],
|
|
defaults.mcpServers?.use,
|
|
),
|
|
[Permissions.CREATE]: getPermissionValue(
|
|
loadedInterface.mcpServers?.create,
|
|
defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.CREATE],
|
|
defaults.mcpServers?.create,
|
|
),
|
|
...((typeof interfaceConfig?.mcpServers === 'object' &&
|
|
('share' in interfaceConfig.mcpServers || 'public' in interfaceConfig.mcpServers)) ||
|
|
!existingPermissions?.[PermissionTypes.MCP_SERVERS]
|
|
? {
|
|
[Permissions.SHARE]: getPermissionValue(
|
|
loadedInterface.mcpServers?.share,
|
|
defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.SHARE],
|
|
defaults.mcpServers?.share,
|
|
),
|
|
[Permissions.SHARE_PUBLIC]: getPermissionValue(
|
|
loadedInterface.mcpServers?.public,
|
|
defaultPerms[PermissionTypes.MCP_SERVERS]?.[Permissions.SHARE_PUBLIC],
|
|
defaults.mcpServers?.public,
|
|
),
|
|
}
|
|
: {}),
|
|
},
|
|
[PermissionTypes.REMOTE_AGENTS]: {
|
|
[Permissions.USE]: getPermissionValue(
|
|
loadedInterface.remoteAgents?.use,
|
|
defaultPerms[PermissionTypes.REMOTE_AGENTS]?.[Permissions.USE],
|
|
defaults.remoteAgents?.use,
|
|
),
|
|
[Permissions.CREATE]: getPermissionValue(
|
|
loadedInterface.remoteAgents?.create,
|
|
defaultPerms[PermissionTypes.REMOTE_AGENTS]?.[Permissions.CREATE],
|
|
defaults.remoteAgents?.create,
|
|
),
|
|
...((typeof interfaceConfig?.remoteAgents === 'object' &&
|
|
('share' in interfaceConfig.remoteAgents || 'public' in interfaceConfig.remoteAgents)) ||
|
|
!existingPermissions?.[PermissionTypes.REMOTE_AGENTS]
|
|
? {
|
|
[Permissions.SHARE]: getPermissionValue(
|
|
loadedInterface.remoteAgents?.share,
|
|
defaultPerms[PermissionTypes.REMOTE_AGENTS]?.[Permissions.SHARE],
|
|
defaults.remoteAgents?.share,
|
|
),
|
|
[Permissions.SHARE_PUBLIC]: getPermissionValue(
|
|
loadedInterface.remoteAgents?.public,
|
|
defaultPerms[PermissionTypes.REMOTE_AGENTS]?.[Permissions.SHARE_PUBLIC],
|
|
defaults.remoteAgents?.public,
|
|
),
|
|
}
|
|
: {}),
|
|
},
|
|
};
|
|
|
|
// Check and add each permission type if needed
|
|
for (const [permType, permissions] of Object.entries(allPermissions)) {
|
|
addPermissionIfNeeded(permType as PermissionTypes, permissions);
|
|
}
|
|
|
|
// Update permissions if any need updating
|
|
if (Object.keys(permissionsToUpdate).length > 0) {
|
|
await updateAccessPermissions(roleName, permissionsToUpdate, existingRole);
|
|
}
|
|
}
|
|
}
|