anything-llm/server/utils/middleware/multiUserProtected.js
Sean Hatfield fa29003a46
Create manager role and limit default role (#351)
* added manager role to options

* block default role from editing workspace settings on workspace and text input box

* block default user from accessing settings at all

* create manager route

* let pass through if in single user mode

* fix permissions for manager and admin roles in settings

* fix settings button for single user and remove unneeded console.logs

* rename routes and paths for clarity

* admin, manager, default roles complete

* remove unneeded comments

* consistency changes

* manage permissions for mum modes

* update sidebar for single-user mode

* update comment on middleware
Modify permission setting for admins

* update render conditional

* Add role usage hint to each role

---------

Co-authored-by: timothycarambat <rambat1010@gmail.com>
2023-11-13 14:51:16 -08:00


const { SystemSettings } = require("../../models/systemSettings");
const { userFromSession } = require("../http");
// Roles accepted by both middleware functions in this file; any other role
// value (or a missing user) is rejected by their `ROLES.includes(...)` check.
const ROLES = ["admin", "manager"];
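/**
 * Express-style middleware that lets a request through only when multi-user
 * mode is enabled AND the requesting user holds one of the roles in ROLES.
 *
 * Values already present on `response.locals` (`multiUserMode`, `user`) are
 * used as-is; otherwise they are looked up through SystemSettings and the
 * request's session.
 * NOTE(review): this trusts whatever was placed on response.locals earlier in
 * the chain. Confirm that only authentication code writes those two keys.
 *
 * Every denial is answered with HTTP 401, including the case of an
 * authenticated user whose role is not in ROLES. 403 would be the more usual
 * status there, but the code is kept because callers may depend on it.
 *
 * @param {object} request - Incoming request, passed to userFromSession.
 * @param {object} response - Response object; `locals` is read, `sendStatus` is called on denial.
 * @param {Function} next - Called with no argument on success, or with the error if a lookup fails.
 * @returns {Promise<void>}
 */
async function strictMultiUserRoleValid(request, response, next) {
  let allowed = false;

  try {
    const multiUserMode =
      response.locals?.multiUserMode ??
      (await SystemSettings.isMultiUserMode());

    if (multiUserMode) {
      const user =
        response.locals?.user ?? (await userFromSession(request, response));
      allowed = ROLES.includes(user?.role);
    }
  } catch (error) {
    // Fail closed: a failed settings or session lookup must neither reach the
    // protected handler nor surface as an unhandled promise rejection. Async
    // middleware errors are not forwarded automatically by every Express
    // version, so hand the error to the error-handling chain explicitly.
    next(error);
    return;
  }

  if (!allowed) {
    // sendStatus() already finishes the response, so no further end() call is needed.
    response.sendStatus(401);
    return;
  }

  // Kept outside the try block so an error raised downstream is not reported twice.
  next();
}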
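/**
 * Express-style middleware for routes shared between multi-user mode and
 * single-user mode. The role check is applied only when multi-user mode is
 * enabled; in single-user mode the request passes straight through.
 *
 * Values already present on `response.locals` (`multiUserMode`, `user`) are
 * used as-is; otherwise they are looked up through SystemSettings and the
 * request's session.
 * NOTE(review): because single-user mode bypasses the role check, the
 * multi-user flag is itself security-relevant here. What
 * SystemSettings.isMultiUserMode() returns when its lookup fails is not
 * visible in this file. Confirm it cannot report `false` on a storage error
 * while the instance is actually in multi-user mode.
 *
 * A user whose role is not in ROLES is answered with HTTP 401.
 *
 * @param {object} request - Incoming request, passed to userFromSession.
 * @param {object} response - Response object; `locals` is read, `sendStatus` is called on denial.
 * @param {Function} next - Called with no argument on success, or with the error if a lookup fails.
 * @returns {Promise<void>}
 */
async function flexUserRoleValid(request, response, next) {
  let allowed = false;

  try {
    const multiUserMode =
      response.locals?.multiUserMode ??
      (await SystemSettings.isMultiUserMode());

    if (!multiUserMode) {
      // Single-user mode: there are no roles to enforce.
      allowed = true;
    } else {
      const user =
        response.locals?.user ?? (await userFromSession(request, response));
      allowed = ROLES.includes(user?.role);
    }
  } catch (error) {
    // Fail closed: a failed settings or session lookup must neither reach the
    // protected handler nor surface as an unhandled promise rejection. Async
    // middleware errors are not forwarded automatically by every Express
    // version, so hand the error to the error-handling chain explicitly.
    next(error);
    return;
  }

  if (!allowed) {
    // sendStatus() already finishes the response, so no further end() call is needed.
    response.sendStatus(401);
    return;
  }

  // Kept outside the try block so an error raised downstream is not reported twice.
  next();
}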
// Public surface of this module: the two (request, response, next) middleware
// functions. strictMultiUserRoleValid rejects when multi-user mode is off;
// flexUserRoleValid passes the request through in that case.
module.exports = {
strictMultiUserRoleValid,
flexUserRoleValid,
};