Patch custom models endpoint ()

* prevent non-admin users from changing LLM settings via the custom-models endpoint

* permission middleware: convert comments to JSDoc

---------

Co-authored-by: timothycarambat <rambat1010@gmail.com>
Sean Hatfield 2024-12-31 06:58:26 +08:00 committed by GitHub
parent dd017c6cbb
commit 8d302c3f67
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 13 additions and 6 deletions


@ -946,7 +946,7 @@ function systemEndpoints(app) {
app.post(
"/system/custom-models",
[validatedRequest],
[validatedRequest, flexUserRoleValid([ROLES.admin])],
async (request, response) => {
try {
const { provider, apiKey = null, basePath = null } = reqBody(request);
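Review bot: The new guard on `/system/custom-models` delegates to `flexUserRoleValid`, whose own header comment (changed in this same commit) says the role check applies only when the system is in multi-user mode, so in single-user mode the route still admits any request that passes `validatedRequest`; that is presumably intended for a shared route, but nothing at the call site says so. The handler body reads `provider`, `apiKey` and `basePath` from the request body, which is the reason the route warrants admin gating, and that reason is worth recording next to the middleware list: `// Admin-only in multi-user mode: the body carries provider credentials (apiKey, basePath).`. The ordering `[validatedRequest, flexUserRoleValid([ROLES.admin])]` looks right on the assumption that `validatedRequest` is what attaches the user the role check reads — confirm, since the middleware body is outside this hunk. The handler's body continues outside the hunk.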


@ -8,8 +8,12 @@ const ROLES = {
};
const DEFAULT_ROLES = [ROLES.admin, ROLES.admin];
// Explicitly check that multi user mode is enabled as well as that the
// requesting user has the appropriate role to modify or call the URL.
/**
* Explicitly check that multi user mode is enabled as well as that the
* requesting user has the appropriate role to modify or call the URL.
* @param {string[]} allowedRoles - The roles that are allowed to access the route
* @returns {function}
*/
function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
return async (request, response, next) => {
// If the access-control is allowable for all - skip validations and continue;
@ -33,9 +37,12 @@ function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
};
}
// Apply role permission checks IF the current system is in multi-user mode.
// This is relevant for routes that are shared between MUM and single-user mode.
// Checks if the requesting user has the appropriate role to modify or call the URL.
/**
* Apply role permission checks IF the current system is in multi-user mode.
* This is relevant for routes that are shared between MUM and single-user mode.
* @param {string[]} allowedRoles - The roles that are allowed to access the route
* @returns {function}
*/
function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) {
return async (request, response, next) => {
// If the access-control is allowable for all - skip validations and continue;
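Review bot: The JSDoc added for `flexUserRoleValid` (and likewise for `strictMultiUserRoleValid` earlier in this file) documents the parameter but not the property a caller most needs to know: that the check is skipped entirely outside multi-user mode, per the header sentence, and that the returned value is an async Express middleware rather than a bare `function`. Suggested lines: `@returns {(request, response, next) => Promise<void>} Async Express middleware; outside multi-user mode it performs no role check.`. The removed comment line "Checks if the requesting user has the appropriate role to modify or call the URL." was not carried into the new JSDoc, and could be restored as the docstring's second sentence. Separately, the untouched context line `const DEFAULT_ROLES = [ROLES.admin, ROLES.admin];` lists the same role twice, which looks like a typo; as written the default is effectively admin-only, which is the safer reading, but since it is the fallback for both middlewares it is worth confirming whether a second role was intended. The body of `flexUserRoleValid` continues outside the hunk.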