diff --git a/server/endpoints/system.js b/server/endpoints/system.js index d060e503f0..3b578f94a2 100644 --- a/server/endpoints/system.js +++ b/server/endpoints/system.js @@ -946,7 +946,7 @@ function systemEndpoints(app) { app.post( "/system/custom-models", - [validatedRequest], + [validatedRequest, flexUserRoleValid([ROLES.admin])], async (request, response) => { try { const { provider, apiKey = null, basePath = null } = reqBody(request); diff --git a/server/utils/middleware/multiUserProtected.js b/server/utils/middleware/multiUserProtected.js index 4f128ace14..cf7e58cfe1 100644 --- a/server/utils/middleware/multiUserProtected.js +++ b/server/utils/middleware/multiUserProtected.js @@ -8,8 +8,12 @@ const ROLES = { }; const DEFAULT_ROLES = [ROLES.admin, ROLES.admin]; -// Explicitly check that multi user mode is enabled as well as that the -// requesting user has the appropriate role to modify or call the URL. +/** + * Explicitly check that multi user mode is enabled as well as that the + * requesting user has the appropriate role to modify or call the URL. + * @param {string[]} allowedRoles - The roles that are allowed to access the route + * @returns {function} + */ function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) { return async (request, response, next) => { // If the access-control is allowable for all - skip validations and continue; @@ -33,9 +37,12 @@ function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) { }; } -// Apply role permission checks IF the current system is in multi-user mode. -// This is relevant for routes that are shared between MUM and single-user mode. -// Checks if the requesting user has the appropriate role to modify or call the URL. +/** + * Apply role permission checks IF the current system is in multi-user mode. + * This is relevant for routes that are shared between MUM and single-user mode. + * @param {string[]} allowedRoles - The roles that are allowed to access the route + * @returns {function} + */ function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) { return async (request, response, next) => { // If the access-control is allowable for all - skip validations and continue;