From 8d302c3f670c582b09d47e96132c248101447a11 Mon Sep 17 00:00:00 2001
From: Sean Hatfield <seanhatfield5@gmail.com>
Date: Tue, 31 Dec 2024 06:58:26 +0800
Subject: [PATCH] Patch custom models endpoint (#2903)

* prevent non admin users from changing llm settings via custom-models endpoint

* permission middleware to JSDOC

---------

Co-authored-by: timothycarambat <rambat1010@gmail.com>
---
 server/endpoints/system.js                    |  2 +-
 server/utils/middleware/multiUserProtected.js | 17 ++++++++++++-----
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index d060e503f..3b578f94a 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -946,7 +946,7 @@ function systemEndpoints(app) {
 
   app.post(
     "/system/custom-models",
-    [validatedRequest],
+    [validatedRequest, flexUserRoleValid([ROLES.admin])],
     async (request, response) => {
       try {
         const { provider, apiKey = null, basePath = null } = reqBody(request);
diff --git a/server/utils/middleware/multiUserProtected.js b/server/utils/middleware/multiUserProtected.js
index 4f128ace1..cf7e58cfe 100644
--- a/server/utils/middleware/multiUserProtected.js
+++ b/server/utils/middleware/multiUserProtected.js
@@ -8,8 +8,12 @@ const ROLES = {
 };
 const DEFAULT_ROLES = [ROLES.admin, ROLES.admin];
 
-// Explicitly check that multi user mode is enabled as well as that the
-// requesting user has the appropriate role to modify or call the URL.
+/**
+ * Explicitly check that multi user mode is enabled as well as that the
+ * requesting user has the appropriate role to modify or call the URL.
+ * @param {string[]} allowedRoles - The roles that are allowed to access the route
+ * @returns {function}
+ */
 function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
   return async (request, response, next) => {
     // If the access-control is allowable for all - skip validations and continue;
@@ -33,9 +37,12 @@ function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
   };
 }
 
-// Apply role permission checks IF the current system is in multi-user mode.
-// This is relevant for routes that are shared between MUM and single-user mode.
-// Checks if the requesting user has the appropriate role to modify or call the URL.
+/**
+ * Apply role permission checks IF the current system is in multi-user mode.
+ * This is relevant for routes that are shared between MUM and single-user mode.
+ * @param {string[]} allowedRoles - The roles that are allowed to access the route
+ * @returns {function}
+ */
 function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) {
   return async (request, response, next) => {
     // If the access-control is allowable for all - skip validations and continue;
-- 
GitLab