mirror of
https://github.com/Mintplex-Labs/anything-llm.git
synced 2024-11-11 01:10:11 +01:00
9a237db3d1
* Implement total permission overhaul Add explicit permissions on each flex and strict route Patch issues with role escalation and CRUD of users Patch permissions on all routes for coverage Improve middleware to accept role array for clarity * update comments * remove permissions to API-keys for manager. Manager could generate API-key and using high-privelege api-key give themselves admin * update sidebar permissions for multi-user and single user * update options for mobile sidebar
72 lines
2.1 KiB
JavaScript
72 lines
2.1 KiB
JavaScript
const { SystemSettings } = require("../../models/systemSettings");
|
|
const { userFromSession } = require("../http");
|
|
const ROLES = {
|
|
all: "<all>",
|
|
admin: "admin",
|
|
manager: "manager",
|
|
default: "default",
|
|
};
|
|
const DEFAULT_ROLES = [ROLES.admin, ROLES.admin];
|
|
|
|
// Explicitly check that multi user mode is enabled as well as that the
|
|
// requesting user has the appropriate role to modify or call the URL.
|
|
function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
|
|
return async (request, response, next) => {
|
|
// If the access-control is allowable for all - skip validations and continue;
|
|
if (allowedRoles.includes(ROLES.all)) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
const multiUserMode =
|
|
response.locals?.multiUserMode ??
|
|
(await SystemSettings.isMultiUserMode());
|
|
if (!multiUserMode) return response.sendStatus(401).end();
|
|
|
|
const user =
|
|
response.locals?.user ?? (await userFromSession(request, response));
|
|
if (allowedRoles.includes(user?.role)) {
|
|
next();
|
|
return;
|
|
}
|
|
return response.sendStatus(401).end();
|
|
};
|
|
}
|
|
|
|
// Apply role permission checks IF the current system is in multi-user mode.
|
|
// This is relevant for routes that are shared between MUM and single-user mode.
|
|
// Checks if the requesting user has the appropriate role to modify or call the URL.
|
|
function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) {
|
|
return async (request, response, next) => {
|
|
// If the access-control is allowable for all - skip validations and continue;
|
|
// It does not matter if multi-user or not.
|
|
if (allowedRoles.includes(ROLES.all)) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
// Bypass if not in multi-user mode
|
|
const multiUserMode =
|
|
response.locals?.multiUserMode ??
|
|
(await SystemSettings.isMultiUserMode());
|
|
if (!multiUserMode) {
|
|
next();
|
|
return;
|
|
}
|
|
|
|
const user =
|
|
response.locals?.user ?? (await userFromSession(request, response));
|
|
if (allowedRoles.includes(user?.role)) {
|
|
next();
|
|
return;
|
|
}
|
|
return response.sendStatus(401).end();
|
|
};
|
|
}
|
|
|
|
module.exports = {
|
|
ROLES,
|
|
strictMultiUserRoleValid,
|
|
flexUserRoleValid,
|
|
};
|