Unverified Commit 8d302c3f authored by Sean Hatfield's avatar Sean Hatfield Committed by GitHub

Patch custom models endpoint (#2903)


* prevent non-admin users from changing LLM settings via the custom-models endpoint

* permission middleware to JSDOC

---------

Co-authored-by: default avatartimothycarambat <rambat1010@gmail.com>
parent dd017c6c
...@@ -946,7 +946,7 @@ function systemEndpoints(app) { ...@@ -946,7 +946,7 @@ function systemEndpoints(app) {
app.post( app.post(
"/system/custom-models", "/system/custom-models",
[validatedRequest], [validatedRequest, flexUserRoleValid([ROLES.admin])],
async (request, response) => { async (request, response) => {
try { try {
const { provider, apiKey = null, basePath = null } = reqBody(request); const { provider, apiKey = null, basePath = null } = reqBody(request);
......
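Review bot: The new `flexUserRoleValid([ROLES.admin])` guard on `/system/custom-models` only enforces the admin role when multi-user mode is enabled (that is what the middleware's own header comment states in the other file of this commit), so in single-user mode the route is still protected by `validatedRequest` alone; that is presumably the intended semantics, but nothing at the route says so. The handler destructures a caller-supplied `provider`, `apiKey` and `basePath` from the body, which looks like the reason the route is being restricted, so I would record the intent above `app.post(`: `// Admin-only under multi-user mode: the body supplies a provider basePath/apiKey used for the model lookup (see flexUserRoleValid for the single-user bypass).` — adjust the wording once the handler's use of `basePath` is confirmed. The route handler's body continues outside the hunk.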
...@@ -8,8 +8,12 @@ const ROLES = { ...@@ -8,8 +8,12 @@ const ROLES = {
}; };
const DEFAULT_ROLES = [ROLES.admin, ROLES.admin]; const DEFAULT_ROLES = [ROLES.admin, ROLES.admin];
// Explicitly check that multi user mode is enabled as well as that the /**
// requesting user has the appropriate role to modify or call the URL. * Explicitly check that multi user mode is enabled as well as that the
* requesting user has the appropriate role to modify or call the URL.
* @param {string[]} allowedRoles - The roles that are allowed to access the route
* @returns {function}
*/
function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) { function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
return async (request, response, next) => { return async (request, response, next) => {
// If the access-control is allowable for all - skip validations and continue; // If the access-control is allowable for all - skip validations and continue;
...@@ -33,9 +37,12 @@ function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) { ...@@ -33,9 +37,12 @@ function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
}; };
} }
// Apply role permission checks IF the current system is in multi-user mode. /**
// This is relevant for routes that are shared between MUM and single-user mode. * Apply role permission checks IF the current system is in multi-user mode.
// Checks if the requesting user has the appropriate role to modify or call the URL. * This is relevant for routes that are shared between MUM and single-user mode.
* @param {string[]} allowedRoles - The roles that are allowed to access the route
* @returns {function}
*/
function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) { function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) {
return async (request, response, next) => { return async (request, response, next) => {
// If the access-control is allowable for all - skip validations and continue; // If the access-control is allowable for all - skip validations and continue;
......
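Review bot: The new JSDoc on `strictMultiUserRoleValid` and `flexUserRoleValid` documents `allowedRoles` as a plain required array, but both signatures default it to `DEFAULT_ROLES`, and `@returns {function}` says nothing about the shape of what is returned; JSDoc's optional-with-default form covers both points: `@param {string[]} [allowedRoles=DEFAULT_ROLES] - Roles allowed to access the route` and `@returns {(request: object, response: object, next: function) => Promise<void>} Express-style middleware`. Neither comment says what happens when the check fails (what response is sent, whether `next` is called) nor mentions the "allowable for all" bypass that the first line of each returned function refers to, so a reader still has to open the body to learn the contract; one sentence on each in the header would fix that. Both function bodies continue past their hunks, so the failure behaviour cannot be confirmed from this view.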