CHAI
/
chtech-anythingllm
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
28 Commits
1 Branch
0 Tags
235 MiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
chtech-anythingllm/server/utils/middleware/multiUserProtected.js

94 lines
2.6 KiB
Raw Permalink Normal View History

first commit
11 months ago
  1. const { SystemSettings } = require("../../models/systemSettings");
  2. const { userFromSession } = require("../http");
  3. const ROLES = {
  4. all: "<all>",
  5. admin: "admin",
  6. manager: "manager",
  7. default: "default",
  8. };
  9. const DEFAULT_ROLES = [ROLES.admin, ROLES.admin];
  11. /**
  12. * Explicitly check that multi user mode is enabled as well as that the
  13. * requesting user has the appropriate role to modify or call the URL.
  14. * @param {string[]} allowedRoles - The roles that are allowed to access the route
  15. * @returns {function}
  16. */
  17. function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
  18. return async (request, response, next) => {
  19. // If the access-control is allowable for all - skip validations and continue;
  20. if (allowedRoles.includes(ROLES.all)) {
  21. next();
  22. return;
  23. }
  25. const multiUserMode =
  26. response.locals?.multiUserMode ??
  27. (await SystemSettings.isMultiUserMode());
  28. if (!multiUserMode) return response.sendStatus(401).end();
  30. const user =
  31. response.locals?.user ?? (await userFromSession(request, response));
  32. if (allowedRoles.includes(user?.role)) {
  33. next();
  34. return;
  35. }
  36. return response.sendStatus(401).end();
  37. };
  38. }
  40. /**
  41. * Apply role permission checks IF the current system is in multi-user mode.
  42. * This is relevant for routes that are shared between MUM and single-user mode.
  43. * @param {string[]} allowedRoles - The roles that are allowed to access the route
  44. * @returns {function}
  45. */
  46. function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) {
  47. return async (request, response, next) => {
  48. // If the access-control is allowable for all - skip validations and continue;
  49. // It does not matter if multi-user or not.
  50. if (allowedRoles.includes(ROLES.all)) {
  51. next();
  52. return;
  53. }
  55. // Bypass if not in multi-user mode
  56. const multiUserMode =
  57. response.locals?.multiUserMode ??
  58. (await SystemSettings.isMultiUserMode());
  59. if (!multiUserMode) {
  60. next();
  61. return;
  62. }
  64. const user =
  65. response.locals?.user ?? (await userFromSession(request, response));
  66. if (allowedRoles.includes(user?.role)) {
  67. next();
  68. return;
  69. }
  70. return response.sendStatus(401).end();
  71. };
  72. }
  74. // Middleware check on a public route if the instance is in a valid
  75. // multi-user set up.
  76. async function isMultiUserSetup(_request, response, next) {
  77. const multiUserMode = await SystemSettings.isMultiUserMode();
  78. if (!multiUserMode) {
  79. response.status(403).json({
  80. error: "Invalid request",
  81. });
  82. return;
  83. }
  85. next();
  86. return;
  87. }
  89. module.exports = {
  90. ROLES,
  91. strictMultiUserRoleValid,
  92. flexUserRoleValid,
  93. isMultiUserSetup,
  94. };