mirror of
https://github.com/danny-avila/LibreChat.git
synced 2026-01-13 14:08:51 +01:00
76e17ba701
* 🔧 refactor: permission handling for public sharing - Updated permission keys from SHARED_GLOBAL to SHARE across various files for consistency. - Added public access configuration in librechat.example.yaml. - Adjusted related tests and components to reflect the new permission structure. * chore: Update default SHARE permission to false * fix: Update SHARE permissions in tests and implementation - Added SHARE permission handling for user and admin roles in permissions.spec.ts and permissions.ts. - Updated expected permissions in tests to reflect new SHARE permission values for various permission types. * fix: Handle undefined values in PeoplePickerAdminSettings component - Updated the checked and value props of the Switch component to handle undefined values gracefully by defaulting to false. This ensures consistent behavior when the field value is not set. * feat: Add CREATE permission handling for prompts and agents - Introduced CREATE permission for user and admin roles in permissions.spec.ts and permissions.ts. - Updated expected permissions in tests to include CREATE permission for various permission types. * 🔧 refactor: Enhance permission handling for sharing dialog usability * refactor: public sharing permissions for resources - Added middleware to check SHARE_PUBLIC permissions for agents, prompts, and MCP servers. - Updated interface configuration in librechat.example.yaml to include public sharing options. - Enhanced components and hooks to support public sharing functionality. - Adjusted tests to validate new permission handling for public sharing across various resource types. * refactor: update Share2Icon styling in GenericGrantAccessDialog * refactor: update Share2Icon size in GenericGrantAccessDialog for consistency * refactor: improve layout and styling of Share2Icon in GenericGrantAccessDialog * refactor: update Share2Icon size in GenericGrantAccessDialog for improved consistency * chore: remove redundant public sharing option from People Picker * refactor: add SHARE_PUBLIC permission handling in updateInterfacePermissions tests
483 lines
14 KiB
JavaScript
483 lines
14 KiB
JavaScript
const mongoose = require('mongoose');
|
|
const { ResourceType, PrincipalType, PrincipalModel } = require('librechat-data-provider');
|
|
const { MongoMemoryServer } = require('mongodb-memory-server');
|
|
const { fileAccess } = require('./fileAccess');
|
|
const { User, Role, AclEntry } = require('~/db/models');
|
|
const { createAgent } = require('~/models/Agent');
|
|
const { createFile } = require('~/models');
|
|
|
|
describe('fileAccess middleware', () => {
|
|
let mongoServer;
|
|
let req, res, next;
|
|
let testUser, otherUser, thirdUser;
|
|
|
|
beforeAll(async () => {
|
|
mongoServer = await MongoMemoryServer.create();
|
|
const mongoUri = mongoServer.getUri();
|
|
await mongoose.connect(mongoUri);
|
|
});
|
|
|
|
afterAll(async () => {
|
|
await mongoose.disconnect();
|
|
await mongoServer.stop();
|
|
});
|
|
|
|
beforeEach(async () => {
|
|
await mongoose.connection.dropDatabase();
|
|
|
|
// Create test role
|
|
await Role.create({
|
|
name: 'test-role',
|
|
permissions: {
|
|
AGENTS: {
|
|
USE: true,
|
|
CREATE: true,
|
|
SHARE: true,
|
|
},
|
|
},
|
|
});
|
|
|
|
// Create test users
|
|
testUser = await User.create({
|
|
email: 'test@example.com',
|
|
name: 'Test User',
|
|
username: 'testuser',
|
|
role: 'test-role',
|
|
});
|
|
|
|
otherUser = await User.create({
|
|
email: 'other@example.com',
|
|
name: 'Other User',
|
|
username: 'otheruser',
|
|
role: 'test-role',
|
|
});
|
|
|
|
thirdUser = await User.create({
|
|
email: 'third@example.com',
|
|
name: 'Third User',
|
|
username: 'thirduser',
|
|
role: 'test-role',
|
|
});
|
|
|
|
// Setup request/response objects
|
|
req = {
|
|
user: { id: testUser._id.toString(), role: testUser.role },
|
|
params: {},
|
|
};
|
|
res = {
|
|
status: jest.fn().mockReturnThis(),
|
|
json: jest.fn(),
|
|
};
|
|
next = jest.fn();
|
|
|
|
jest.clearAllMocks();
|
|
});
|
|
|
|
describe('basic file access', () => {
|
|
test('should allow access when user owns the file', async () => {
|
|
// Create a file owned by testUser
|
|
await createFile({
|
|
user: testUser._id.toString(),
|
|
file_id: 'file_owned_by_user',
|
|
filepath: '/test/file.txt',
|
|
filename: 'file.txt',
|
|
type: 'text/plain',
|
|
size: 100,
|
|
});
|
|
|
|
req.params.file_id = 'file_owned_by_user';
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).toHaveBeenCalled();
|
|
expect(req.fileAccess).toBeDefined();
|
|
expect(req.fileAccess.file).toBeDefined();
|
|
expect(res.status).not.toHaveBeenCalled();
|
|
});
|
|
|
|
test('should deny access when user does not own the file and no agent access', async () => {
|
|
// Create a file owned by otherUser
|
|
await createFile({
|
|
user: otherUser._id.toString(),
|
|
file_id: 'file_owned_by_other',
|
|
filepath: '/test/file.txt',
|
|
filename: 'file.txt',
|
|
type: 'text/plain',
|
|
size: 100,
|
|
});
|
|
|
|
req.params.file_id = 'file_owned_by_other';
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(403);
|
|
expect(res.json).toHaveBeenCalledWith({
|
|
error: 'Forbidden',
|
|
message: 'Insufficient permissions to access this file',
|
|
});
|
|
});
|
|
|
|
test('should return 404 when file does not exist', async () => {
|
|
req.params.file_id = 'non_existent_file';
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(404);
|
|
expect(res.json).toHaveBeenCalledWith({
|
|
error: 'Not Found',
|
|
message: 'File not found',
|
|
});
|
|
});
|
|
|
|
test('should return 400 when file_id is missing', async () => {
|
|
// Don't set file_id in params
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(400);
|
|
expect(res.json).toHaveBeenCalledWith({
|
|
error: 'Bad Request',
|
|
message: 'file_id is required',
|
|
});
|
|
});
|
|
|
|
test('should return 401 when user is not authenticated', async () => {
|
|
req.user = null;
|
|
req.params.file_id = 'some_file';
|
|
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(401);
|
|
expect(res.json).toHaveBeenCalledWith({
|
|
error: 'Unauthorized',
|
|
message: 'Authentication required',
|
|
});
|
|
});
|
|
});
|
|
|
|
describe('agent-based file access', () => {
|
|
beforeEach(async () => {
|
|
// Create a file owned by otherUser (not testUser)
|
|
await createFile({
|
|
user: otherUser._id.toString(),
|
|
file_id: 'shared_file_via_agent',
|
|
filepath: '/test/shared.txt',
|
|
filename: 'shared.txt',
|
|
type: 'text/plain',
|
|
size: 100,
|
|
});
|
|
});
|
|
|
|
test('should allow access when user is author of agent with file', async () => {
|
|
// Create agent owned by testUser with the file
|
|
await createAgent({
|
|
id: `agent_${Date.now()}`,
|
|
name: 'Test Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: testUser._id,
|
|
tool_resources: {
|
|
file_search: {
|
|
file_ids: ['shared_file_via_agent'],
|
|
},
|
|
},
|
|
});
|
|
|
|
req.params.file_id = 'shared_file_via_agent';
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).toHaveBeenCalled();
|
|
expect(req.fileAccess).toBeDefined();
|
|
expect(req.fileAccess.file).toBeDefined();
|
|
});
|
|
|
|
test('should allow access when user has VIEW permission on agent with file', async () => {
|
|
// Create agent owned by otherUser
|
|
const agent = await createAgent({
|
|
id: `agent_${Date.now()}`,
|
|
name: 'Shared Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: otherUser._id,
|
|
tool_resources: {
|
|
execute_code: {
|
|
file_ids: ['shared_file_via_agent'],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Grant VIEW permission to testUser
|
|
await AclEntry.create({
|
|
principalType: PrincipalType.USER,
|
|
principalId: testUser._id,
|
|
principalModel: PrincipalModel.USER,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent._id,
|
|
permBits: 1, // VIEW permission
|
|
grantedBy: otherUser._id,
|
|
});
|
|
|
|
req.params.file_id = 'shared_file_via_agent';
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).toHaveBeenCalled();
|
|
expect(req.fileAccess).toBeDefined();
|
|
});
|
|
|
|
test('should check file in ocr tool_resources', async () => {
|
|
await createAgent({
|
|
id: `agent_ocr_${Date.now()}`,
|
|
name: 'OCR Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: testUser._id,
|
|
tool_resources: {
|
|
ocr: {
|
|
file_ids: ['shared_file_via_agent'],
|
|
},
|
|
},
|
|
});
|
|
|
|
req.params.file_id = 'shared_file_via_agent';
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).toHaveBeenCalled();
|
|
expect(req.fileAccess).toBeDefined();
|
|
});
|
|
|
|
test('should deny access when user has no permission on agent with file', async () => {
|
|
// Create agent owned by otherUser without granting permission to testUser
|
|
const agent = await createAgent({
|
|
id: `agent_${Date.now()}`,
|
|
name: 'Private Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: otherUser._id,
|
|
tool_resources: {
|
|
file_search: {
|
|
file_ids: ['shared_file_via_agent'],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Create ACL entry for otherUser only (owner)
|
|
await AclEntry.create({
|
|
principalType: PrincipalType.USER,
|
|
principalId: otherUser._id,
|
|
principalModel: PrincipalModel.USER,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent._id,
|
|
permBits: 15, // All permissions
|
|
grantedBy: otherUser._id,
|
|
});
|
|
|
|
req.params.file_id = 'shared_file_via_agent';
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(403);
|
|
});
|
|
});
|
|
|
|
describe('multiple agents with same file', () => {
|
|
/**
|
|
* This test suite verifies that when multiple agents have the same file,
|
|
* all agents are checked for permissions, not just the first one found.
|
|
* This ensures users can access files through any agent they have permission for.
|
|
*/
|
|
|
|
test('should check ALL agents with file, not just first one', async () => {
|
|
// Create a file owned by someone else
|
|
await createFile({
|
|
user: otherUser._id.toString(),
|
|
file_id: 'multi_agent_file',
|
|
filepath: '/test/multi.txt',
|
|
filename: 'multi.txt',
|
|
type: 'text/plain',
|
|
size: 100,
|
|
});
|
|
|
|
// Create first agent (owned by otherUser, no access for testUser)
|
|
const agent1 = await createAgent({
|
|
id: 'agent_no_access',
|
|
name: 'No Access Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: otherUser._id,
|
|
tool_resources: {
|
|
file_search: {
|
|
file_ids: ['multi_agent_file'],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Create ACL for agent1 - only otherUser has access
|
|
await AclEntry.create({
|
|
principalType: PrincipalType.USER,
|
|
principalId: otherUser._id,
|
|
principalModel: PrincipalModel.USER,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent1._id,
|
|
permBits: 15,
|
|
grantedBy: otherUser._id,
|
|
});
|
|
|
|
// Create second agent (owned by thirdUser, but testUser has VIEW access)
|
|
const agent2 = await createAgent({
|
|
id: 'agent_with_access',
|
|
name: 'Accessible Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: thirdUser._id,
|
|
tool_resources: {
|
|
file_search: {
|
|
file_ids: ['multi_agent_file'],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Grant testUser VIEW access to agent2
|
|
await AclEntry.create({
|
|
principalType: PrincipalType.USER,
|
|
principalId: testUser._id,
|
|
principalModel: PrincipalModel.USER,
|
|
resourceType: ResourceType.AGENT,
|
|
resourceId: agent2._id,
|
|
permBits: 1, // VIEW permission
|
|
grantedBy: thirdUser._id,
|
|
});
|
|
|
|
req.params.file_id = 'multi_agent_file';
|
|
await fileAccess(req, res, next);
|
|
|
|
/**
|
|
* Should succeed because testUser has access to agent2,
|
|
* even though they don't have access to agent1.
|
|
* The fix ensures all agents are checked, not just the first one.
|
|
*/
|
|
expect(next).toHaveBeenCalled();
|
|
expect(req.fileAccess).toBeDefined();
|
|
expect(res.status).not.toHaveBeenCalled();
|
|
});
|
|
|
|
test('should find file in any agent tool_resources type', async () => {
|
|
// Create a file
|
|
await createFile({
|
|
user: otherUser._id.toString(),
|
|
file_id: 'multi_tool_file',
|
|
filepath: '/test/tool.txt',
|
|
filename: 'tool.txt',
|
|
type: 'text/plain',
|
|
size: 100,
|
|
});
|
|
|
|
// Agent 1: file in file_search (no access for testUser)
|
|
await createAgent({
|
|
id: 'agent_file_search',
|
|
name: 'File Search Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: otherUser._id,
|
|
tool_resources: {
|
|
file_search: {
|
|
file_ids: ['multi_tool_file'],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Agent 2: same file in execute_code (testUser has access)
|
|
await createAgent({
|
|
id: 'agent_execute_code',
|
|
name: 'Execute Code Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: thirdUser._id,
|
|
tool_resources: {
|
|
execute_code: {
|
|
file_ids: ['multi_tool_file'],
|
|
},
|
|
},
|
|
});
|
|
|
|
// Agent 3: same file in ocr (testUser also has access)
|
|
await createAgent({
|
|
id: 'agent_ocr',
|
|
name: 'OCR Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: testUser._id, // testUser owns this one
|
|
tool_resources: {
|
|
ocr: {
|
|
file_ids: ['multi_tool_file'],
|
|
},
|
|
},
|
|
});
|
|
|
|
req.params.file_id = 'multi_tool_file';
|
|
await fileAccess(req, res, next);
|
|
|
|
/**
|
|
* Should succeed because testUser owns agent3,
|
|
* even if other agents with the file are found first.
|
|
*/
|
|
expect(next).toHaveBeenCalled();
|
|
expect(req.fileAccess).toBeDefined();
|
|
});
|
|
});
|
|
|
|
describe('edge cases', () => {
|
|
test('should handle agent with empty tool_resources', async () => {
|
|
await createFile({
|
|
user: otherUser._id.toString(),
|
|
file_id: 'orphan_file',
|
|
filepath: '/test/orphan.txt',
|
|
filename: 'orphan.txt',
|
|
type: 'text/plain',
|
|
size: 100,
|
|
});
|
|
|
|
// Create agent with no files in tool_resources
|
|
await createAgent({
|
|
id: `agent_empty_${Date.now()}`,
|
|
name: 'Empty Resources Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: testUser._id,
|
|
tool_resources: {},
|
|
});
|
|
|
|
req.params.file_id = 'orphan_file';
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(403);
|
|
});
|
|
|
|
test('should handle agent with null tool_resources', async () => {
|
|
await createFile({
|
|
user: otherUser._id.toString(),
|
|
file_id: 'another_orphan_file',
|
|
filepath: '/test/orphan2.txt',
|
|
filename: 'orphan2.txt',
|
|
type: 'text/plain',
|
|
size: 100,
|
|
});
|
|
|
|
// Create agent with null tool_resources
|
|
await createAgent({
|
|
id: `agent_null_${Date.now()}`,
|
|
name: 'Null Resources Agent',
|
|
provider: 'openai',
|
|
model: 'gpt-4',
|
|
author: testUser._id,
|
|
tool_resources: null,
|
|
});
|
|
|
|
req.params.file_id = 'another_orphan_file';
|
|
await fileAccess(req, res, next);
|
|
|
|
expect(next).not.toHaveBeenCalled();
|
|
expect(res.status).toHaveBeenCalledWith(403);
|
|
});
|
|
});
|
|
});
|