Patch custom models endpoint (#2903)

* prevent non admin users from changing llm settings via custom-models endpoint * permission middleware to JSDOC --------- Co-authored-by: timothycarambat <[email protected]>
Mintplex-Labs · Dec 30, 2024 · 8d302c3 · 8d302c3
1 parent dd017c6
commit 8d302c3
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 6 deletions.
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
@@ -946,7 +946,7 @@ function systemEndpoints(app) {
 
   app.post(
     "/system/custom-models",
-    [validatedRequest],
+    [validatedRequest, flexUserRoleValid([ROLES.admin])],
     async (request, response) => {
       try {
         const { provider, apiKey = null, basePath = null } = reqBody(request);

diff --git a/server/utils/middleware/multiUserProtected.js b/server/utils/middleware/multiUserProtected.js
@@ -8,8 +8,12 @@ const ROLES = {
 };
 const DEFAULT_ROLES = [ROLES.admin, ROLES.admin];
 
-// Explicitly check that multi user mode is enabled as well as that the
-// requesting user has the appropriate role to modify or call the URL.
+/**
+ * Explicitly check that multi user mode is enabled as well as that the
+ * requesting user has the appropriate role to modify or call the URL.
+ * @param {string[]} allowedRoles - The roles that are allowed to access the route
+ * @returns {function}
+ */
 function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
   return async (request, response, next) => {
     // If the access-control is allowable for all - skip validations and continue;
@@ -33,9 +37,12 @@ function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
   };
 }
 
-// Apply role permission checks IF the current system is in multi-user mode.
-// This is relevant for routes that are shared between MUM and single-user mode.
-// Checks if the requesting user has the appropriate role to modify or call the URL.
+/**
+ * Apply role permission checks IF the current system is in multi-user mode.
+ * This is relevant for routes that are shared between MUM and single-user mode.
+ * @param {string[]} allowedRoles - The roles that are allowed to access the route
+ * @returns {function}
+ */
 function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) {
   return async (request, response, next) => {
     // If the access-control is allowable for all - skip validations and continue;