mirror of
https://github.com/danny-avila/LibreChat.git
synced 2025-12-16 08:20:14 +01:00
dbe4dd96b4
* 🧹 chore: Update logger imports to use @librechat/data-schemas across multiple files and remove unused sleep function from queue.js (#9930) * chore: Replace local isEnabled utility with @librechat/api import across multiple files, update test files * chore: Replace local logger import with @librechat/data-schemas logger in countTokens.js and fork.js * chore: Update logs volume path in docker-compose.yml to correct directory * chore: import order of isEnabled in static.js
82 lines
2.6 KiB
JavaScript
82 lines
2.6 KiB
JavaScript
const { logger } = require('@librechat/data-schemas');
|
|
const { PrincipalType, PermissionTypes, Permissions } = require('librechat-data-provider');
|
|
const { getRoleByName } = require('~/models/Role');
|
|
|
|
/**
|
|
* Middleware to check if user has permission to access people picker functionality
|
|
* Checks specific permission based on the 'type' query parameter:
|
|
* - type=user: requires VIEW_USERS permission
|
|
* - type=group: requires VIEW_GROUPS permission
|
|
* - type=role: requires VIEW_ROLES permission
|
|
* - no type (mixed search): requires either VIEW_USERS OR VIEW_GROUPS OR VIEW_ROLES
|
|
*/
|
|
const checkPeoplePickerAccess = async (req, res, next) => {
|
|
try {
|
|
const user = req.user;
|
|
if (!user || !user.role) {
|
|
return res.status(401).json({
|
|
error: 'Unauthorized',
|
|
message: 'Authentication required',
|
|
});
|
|
}
|
|
|
|
const role = await getRoleByName(user.role);
|
|
if (!role || !role.permissions) {
|
|
return res.status(403).json({
|
|
error: 'Forbidden',
|
|
message: 'No permissions configured for user role',
|
|
});
|
|
}
|
|
|
|
const { type } = req.query;
|
|
const peoplePickerPerms = role.permissions[PermissionTypes.PEOPLE_PICKER] || {};
|
|
const canViewUsers = peoplePickerPerms[Permissions.VIEW_USERS] === true;
|
|
const canViewGroups = peoplePickerPerms[Permissions.VIEW_GROUPS] === true;
|
|
const canViewRoles = peoplePickerPerms[Permissions.VIEW_ROLES] === true;
|
|
|
|
const permissionChecks = {
|
|
[PrincipalType.USER]: {
|
|
hasPermission: canViewUsers,
|
|
message: 'Insufficient permissions to search for users',
|
|
},
|
|
[PrincipalType.GROUP]: {
|
|
hasPermission: canViewGroups,
|
|
message: 'Insufficient permissions to search for groups',
|
|
},
|
|
[PrincipalType.ROLE]: {
|
|
hasPermission: canViewRoles,
|
|
message: 'Insufficient permissions to search for roles',
|
|
},
|
|
};
|
|
|
|
const check = permissionChecks[type];
|
|
if (check && !check.hasPermission) {
|
|
return res.status(403).json({
|
|
error: 'Forbidden',
|
|
message: check.message,
|
|
});
|
|
}
|
|
|
|
if (!type && !canViewUsers && !canViewGroups && !canViewRoles) {
|
|
return res.status(403).json({
|
|
error: 'Forbidden',
|
|
message: 'Insufficient permissions to search for users, groups, or roles',
|
|
});
|
|
}
|
|
|
|
next();
|
|
} catch (error) {
|
|
logger.error(
|
|
`[checkPeoplePickerAccess][${req.user?.id}] checkPeoplePickerAccess error for req.query.type = ${req.query.type}`,
|
|
error,
|
|
);
|
|
return res.status(500).json({
|
|
error: 'Internal Server Error',
|
|
message: 'Failed to check permissions',
|
|
});
|
|
}
|
|
};
|
|
|
|
module.exports = {
|
|
checkPeoplePickerAccess,
|
|
};
|