From 9a237db3d1f66cdbcf5079599258f5fb251c5564 Mon Sep 17 00:00:00 2001
From: Timothy Carambat <rambat1010@gmail.com>
Date: Mon, 22 Jan 2024 14:14:01 -0800
Subject: [PATCH] Implement total permission overhaul (#629)

* Implement total permission overhaul
Add explicit permissions on each flex and strict route
Patch issues with role escalation and CRUD of users
Patch permissions on all routes for coverage
Improve middleware to accept role array for clarity

* update comments

* remove permissions to API-keys for manager. Manager could generate API-key and using high-privelege api-key give themselves admin

* update sidebar permissions for multi-user and single user

* update options for mobile sidebar
---
 frontend/src/App.jsx                          |   2 +-
 .../src/components/SettingsSidebar/index.jsx  | 213 ++++++++++++------
 frontend/src/models/system.js                 |   2 +
 .../src/pages/Admin/Users/UserRow/index.jsx   |  35 ++-
 frontend/src/pages/Admin/Users/index.jsx      |   3 +-
 server/endpoints/admin.js                     |  94 +++++---
 server/endpoints/api/admin/index.js           |  23 +-
 server/endpoints/chat.js                      |   8 +-
 server/endpoints/extensions/index.js          |   7 +-
 server/endpoints/system.js                    | 208 +++++++----------
 server/endpoints/utils.js                     |  75 ++----
 server/endpoints/workspaces.js                |  72 +++---
 server/models/workspace.js                    |   6 +-
 server/utils/helpers/admin/index.js           |  52 +++++
 server/utils/helpers/chat/convertTo.js        | 113 ++++++++++
 server/utils/middleware/multiUserProtected.js |  72 ++++--
 16 files changed, 611 insertions(+), 374 deletions(-)
 create mode 100644 server/utils/helpers/admin/index.js
 create mode 100644 server/utils/helpers/chat/convertTo.js

diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx
index 7acd2c5347..058505d204 100644
--- a/frontend/src/App.jsx
+++ b/frontend/src/App.jsx
@@ -81,7 +81,7 @@ export default function App() {
               />
               <Route
                 path="/settings/api-keys"
-                element={<ManagerRoute Component={GeneralApiKeys} />}
+                element={<AdminRoute Component={GeneralApiKeys} />}
               />
               <Route
                 path="/settings/workspace-chats"
diff --git a/frontend/src/components/SettingsSidebar/index.jsx b/frontend/src/components/SettingsSidebar/index.jsx
index 99cf1eb35d..851ea5d57f 100644
--- a/frontend/src/components/SettingsSidebar/index.jsx
+++ b/frontend/src/components/SettingsSidebar/index.jsx
@@ -62,79 +62,97 @@ export default function SettingsSidebar() {
           <div className="h-[100%] flex flex-col w-full justify-between pt-4 overflow-y-hidden">
             <div className="h-auto sidebar-items">
               <div className="flex flex-col gap-y-2 h-[65vh] pb-8 overflow-y-scroll no-scroll">
-                {/* Admin/manager Multi-user Settings */}
-                {!!user && user?.role !== "default" && (
-                  <>
-                    <Option
-                      href={paths.settings.system()}
-                      btnText="System Preferences"
-                      icon={<SquaresFour className="h-5 w-5 flex-shrink-0" />}
-                    />
-                    <Option
-                      href={paths.settings.invites()}
-                      btnText="Invitation"
-                      icon={
-                        <EnvelopeSimple className="h-5 w-5 flex-shrink-0" />
-                      }
-                    />
-                    <Option
-                      href={paths.settings.users()}
-                      btnText="Users"
-                      icon={<Users className="h-5 w-5 flex-shrink-0" />}
-                    />
-                    <Option
-                      href={paths.settings.workspaces()}
-                      btnText="Workspaces"
-                      icon={<BookOpen className="h-5 w-5 flex-shrink-0" />}
-                    />
-                  </>
-                )}
-
+                <Option
+                  href={paths.settings.system()}
+                  btnText="System Preferences"
+                  icon={<SquaresFour className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  allowedRole={["admin", "manager"]}
+                />
+                <Option
+                  href={paths.settings.invites()}
+                  btnText="Invitation"
+                  icon={<EnvelopeSimple className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  allowedRole={["admin", "manager"]}
+                />
+                <Option
+                  href={paths.settings.users()}
+                  btnText="Users"
+                  icon={<Users className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  allowedRole={["admin", "manager"]}
+                />
+                <Option
+                  href={paths.settings.workspaces()}
+                  btnText="Workspaces"
+                  icon={<BookOpen className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  allowedRole={["admin", "manager"]}
+                />
                 <Option
                   href={paths.settings.chats()}
                   btnText="Workspace Chat"
                   icon={<ChatCenteredText className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  flex={true}
+                  allowedRole={["admin", "manager"]}
                 />
-
                 <Option
                   href={paths.settings.appearance()}
                   btnText="Appearance"
                   icon={<Eye className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  flex={true}
+                  allowedRole={["admin", "manager"]}
                 />
                 <Option
                   href={paths.settings.apiKeys()}
                   btnText="API Keys"
                   icon={<Key className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  flex={true}
+                  allowedRole={["admin"]}
+                />
+                <Option
+                  href={paths.settings.llmPreference()}
+                  btnText="LLM Preference"
+                  icon={<ChatText className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  flex={true}
+                  allowedRole={["admin"]}
+                />
+                <Option
+                  href={paths.settings.embeddingPreference()}
+                  btnText="Embedding Preference"
+                  icon={<FileCode className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  flex={true}
+                  allowedRole={["admin"]}
+                />
+                <Option
+                  href={paths.settings.vectorDatabase()}
+                  btnText="Vector Database"
+                  icon={<Database className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  flex={true}
+                  allowedRole={["admin"]}
+                />
+                <Option
+                  href={paths.settings.dataConnectors.list()}
+                  btnText="Data Connectors"
+                  icon={<Plugs className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  flex={true}
+                  allowedRole={["admin", "manager"]}
                 />
-
-                {(!user || user?.role === "admin") && (
-                  <>
-                    <Option
-                      href={paths.settings.llmPreference()}
-                      btnText="LLM Preference"
-                      icon={<ChatText className="h-5 w-5 flex-shrink-0" />}
-                    />
-                    <Option
-                      href={paths.settings.embeddingPreference()}
-                      btnText="Embedding Preference"
-                      icon={<FileCode className="h-5 w-5 flex-shrink-0" />}
-                    />
-                    <Option
-                      href={paths.settings.vectorDatabase()}
-                      btnText="Vector Database"
-                      icon={<Database className="h-5 w-5 flex-shrink-0" />}
-                    />
-                    <Option
-                      href={paths.settings.dataConnectors.list()}
-                      btnText="Data Connectors"
-                      icon={<Plugs className="h-5 w-5 flex-shrink-0" />}
-                    />
-                  </>
-                )}
                 <Option
                   href={paths.settings.security()}
                   btnText="Security"
                   icon={<Lock className="h-5 w-5 flex-shrink-0" />}
+                  user={user}
+                  flex={true}
+                  allowedRole={["admin", "manager"]}
                 />
               </div>
             </div>
@@ -265,63 +283,95 @@ export function SidebarMobileHeader() {
                     href={paths.settings.system()}
                     btnText="System Preferences"
                     icon={<SquaresFour className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    allowedRole={["admin", "manager"]}
                   />
                   <Option
                     href={paths.settings.invites()}
                     btnText="Invitation"
                     icon={<EnvelopeSimple className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    allowedRole={["admin", "manager"]}
                   />
                   <Option
                     href={paths.settings.users()}
                     btnText="Users"
                     icon={<Users className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    allowedRole={["admin", "manager"]}
                   />
                   <Option
                     href={paths.settings.workspaces()}
                     btnText="Workspaces"
                     icon={<BookOpen className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    allowedRole={["admin", "manager"]}
                   />
-
                   <Option
                     href={paths.settings.chats()}
                     btnText="Workspace Chat"
                     icon={
                       <ChatCenteredText className="h-5 w-5 flex-shrink-0" />
                     }
+                    user={user}
+                    flex={true}
+                    allowedRole={["admin", "manager"]}
                   />
                   <Option
                     href={paths.settings.appearance()}
                     btnText="Appearance"
                     icon={<Eye className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    flex={true}
+                    allowedRole={["admin", "manager"]}
                   />
                   <Option
                     href={paths.settings.apiKeys()}
                     btnText="API Keys"
                     icon={<Key className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    flex={true}
+                    allowedRole={["admin"]}
+                  />
+                  <Option
+                    href={paths.settings.llmPreference()}
+                    btnText="LLM Preference"
+                    icon={<ChatText className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    flex={true}
+                    allowedRole={["admin"]}
+                  />
+                  <Option
+                    href={paths.settings.embeddingPreference()}
+                    btnText="Embedding Preference"
+                    icon={<FileCode className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    flex={true}
+                    allowedRole={["admin"]}
+                  />
+                  <Option
+                    href={paths.settings.vectorDatabase()}
+                    btnText="Vector Database"
+                    icon={<Database className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    flex={true}
+                    allowedRole={["admin"]}
+                  />
+                  <Option
+                    href={paths.settings.dataConnectors.list()}
+                    btnText="Data Connectors"
+                    icon={<Plugs className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    flex={true}
+                    allowedRole={["admin", "manager"]}
                   />
-                  {(!user || user?.role === "admin") && (
-                    <>
-                      <Option
-                        href={paths.settings.llmPreference()}
-                        btnText="LLM Preference"
-                        icon={<ChatText className="h-5 w-5 flex-shrink-0" />}
-                      />
-                      <Option
-                        href={paths.settings.embeddingPreference()}
-                        btnText="Embedding Preference"
-                        icon={<FileCode className="h-5 w-5 flex-shrink-0" />}
-                      />
-                      <Option
-                        href={paths.settings.vectorDatabase()}
-                        btnText="Vector Database"
-                        icon={<Database className="h-5 w-5 flex-shrink-0" />}
-                      />
-                    </>
-                  )}
                   <Option
                     href={paths.settings.security()}
                     btnText="Security"
                     icon={<Lock className="h-5 w-5 flex-shrink-0" />}
+                    user={user}
+                    flex={true}
+                    allowedRole={["admin", "manager"]}
                   />
                 </div>
               </div>
@@ -364,8 +414,21 @@ export function SidebarMobileHeader() {
   );
 }
 
-const Option = ({ btnText, icon, href }) => {
+const Option = ({
+  btnText,
+  icon,
+  href,
+  flex = false,
+  user = null,
+  allowedRole = [],
+}) => {
   const isActive = window.location.pathname === href;
+
+  // Option only for multi-user
+  if (!flex && !allowedRole.includes(user?.role)) return null;
+
+  // Option is dual-mode, but user exists, we need to check permissions
+  if (flex && !!user && !allowedRole.includes(user?.role)) return null;
   return (
     <div className="flex gap-x-2 items-center justify-between text-white">
       <a
diff --git a/frontend/src/models/system.js b/frontend/src/models/system.js
index e504fcb26d..596348ede8 100644
--- a/frontend/src/models/system.js
+++ b/frontend/src/models/system.js
@@ -209,6 +209,7 @@ const System = {
     return await fetch(`${API_BASE}/system/pfp/${id}`, {
       method: "GET",
       cache: "no-cache",
+      headers: baseHeaders(),
     })
       .then((res) => {
         if (res.ok && res.status !== 204) return res.blob();
@@ -283,6 +284,7 @@ const System = {
     return await fetch(`${API_BASE}/system/welcome-messages`, {
       method: "GET",
       cache: "no-cache",
+      headers: baseHeaders(),
     })
       .then((res) => {
         if (!res.ok) throw new Error("Could not fetch welcome messages.");
diff --git a/frontend/src/pages/Admin/Users/UserRow/index.jsx b/frontend/src/pages/Admin/Users/UserRow/index.jsx
index d734759fc6..cd1c477327 100644
--- a/frontend/src/pages/Admin/Users/UserRow/index.jsx
+++ b/frontend/src/pages/Admin/Users/UserRow/index.jsx
@@ -3,9 +3,17 @@ import { titleCase } from "text-case";
 import Admin from "@/models/admin";
 import EditUserModal, { EditUserModalId } from "./EditUserModal";
 import { DotsThreeOutline } from "@phosphor-icons/react";
+import showToast from "@/utils/toast";
+
+const ModMap = {
+  admin: ["admin", "manager", "default"],
+  manager: ["manager", "default"],
+  default: [],
+};
 
 export default function UserRow({ currUser, user }) {
   const rowRef = useRef(null);
+  const canModify = ModMap[currUser?.role || "default"].includes(user.role);
   const [suspended, setSuspended] = useState(user.suspended === 1);
   const handleSuspend = async () => {
     if (
@@ -14,8 +22,19 @@ export default function UserRow({ currUser, user }) {
       )
     )
       return false;
-    setSuspended(!suspended);
-    await Admin.updateUser(user.id, { suspended: suspended ? 0 : 1 });
+
+    const { success, error } = await Admin.updateUser(user.id, {
+      suspended: suspended ? 0 : 1,
+    });
+    if (!success) showToast(error, "error", { clear: true });
+    if (success) {
+      showToast(
+        `User ${!suspended ? "has been suspended" : "is no longer suspended"}.`,
+        "success",
+        { clear: true }
+      );
+      setSuspended(!suspended);
+    }
   };
   const handleDelete = async () => {
     if (
@@ -24,8 +43,12 @@ export default function UserRow({ currUser, user }) {
       )
     )
       return false;
-    rowRef?.current?.remove();
-    await Admin.deleteUser(user.id);
+    const { success, error } = await Admin.deleteUser(user.id);
+    if (!success) showToast(error, "error", { clear: true });
+    if (success) {
+      rowRef?.current?.remove();
+      showToast("User deleted from system.", "success", { clear: true });
+    }
   };
 
   return (
@@ -40,7 +63,7 @@ export default function UserRow({ currUser, user }) {
         <td className="px-6 py-4">{titleCase(user.role)}</td>
         <td className="px-6 py-4">{user.createdAt}</td>
         <td className="px-6 py-4 flex items-center gap-x-6">
-          {currUser?.role !== "default" && (
+          {canModify && (
             <button
               onClick={() =>
                 document?.getElementById(EditUserModalId(user))?.showModal()
@@ -50,7 +73,7 @@ export default function UserRow({ currUser, user }) {
               <DotsThreeOutline weight="fill" className="h-5 w-5" />
             </button>
           )}
-          {currUser?.id !== user.id && currUser?.role !== "default" && (
+          {currUser?.id !== user.id && canModify && (
             <>
               <button
                 onClick={handleSuspend}
diff --git a/frontend/src/pages/Admin/Users/index.jsx b/frontend/src/pages/Admin/Users/index.jsx
index b59bbe5761..fb8f500802 100644
--- a/frontend/src/pages/Admin/Users/index.jsx
+++ b/frontend/src/pages/Admin/Users/index.jsx
@@ -105,7 +105,8 @@ const ROLE_HINT = {
     "Cannot modify any settings at all.",
   ],
   manager: [
-    "Can view all workspaces and modify all settings.",
+    "Can view, create, and delete any workspaces and modify workspace-specific settings.",
+    "Can create, update and invite new users to the instance.",
     "Cannot modify LLM, vectorDB, embedding, or other connections.",
   ],
   admin: [
diff --git a/server/endpoints/admin.js b/server/endpoints/admin.js
index b32de3b3e1..b107a11b42 100644
--- a/server/endpoints/admin.js
+++ b/server/endpoints/admin.js
@@ -7,9 +7,15 @@ const { DocumentVectors } = require("../models/vectors");
 const { Workspace } = require("../models/workspace");
 const { WorkspaceChats } = require("../models/workspaceChats");
 const { getVectorDbClass } = require("../utils/helpers");
+const {
+  validRoleSelection,
+  canModifyAdmin,
+  validCanModify,
+} = require("../utils/helpers/admin");
 const { reqBody, userFromSession } = require("../utils/http");
 const {
   strictMultiUserRoleValid,
+  ROLES,
 } = require("../utils/middleware/multiUserProtected");
 const { validatedRequest } = require("../utils/middleware/validatedRequest");
 
@@ -18,7 +24,7 @@ function adminEndpoints(app) {
 
   app.get(
     "/admin/users",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (_request, response) => {
       try {
         const users = (await User.where()).map((user) => {
@@ -35,10 +41,20 @@ function adminEndpoints(app) {
 
   app.post(
     "/admin/users/new",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
+        const currUser = await userFromSession(request, response);
         const newUserParams = reqBody(request);
+        const roleValidation = validRoleSelection(currUser, newUserParams);
+
+        if (!roleValidation.valid) {
+          response
+            .status(200)
+            .json({ user: null, error: roleValidation.error });
+          return;
+        }
+
         const { user: newUser, error } = await User.create(newUserParams);
         response.status(200).json({ user: newUser, error });
       } catch (e) {
@@ -50,29 +66,34 @@ function adminEndpoints(app) {
 
   app.post(
     "/admin/user/:id",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
+        const currUser = await userFromSession(request, response);
         const { id } = request.params;
         const updates = reqBody(request);
         const user = await User.get({ id: Number(id) });
 
-        // Check to make sure with this update that includes a role change to
-        // something other than admin that we still have at least one admin left.
-        if (
-          updates.hasOwnProperty("role") && // has admin prop to change
-          updates.role !== "admin" && // and we are changing to non-admin
-          user.role === "admin" // and they currently are an admin
-        ) {
-          const adminCount = await User.count({ role: "admin" });
-          if (adminCount - 1 <= 0) {
-            response.status(200).json({
-              success: false,
-              error:
-                "No system admins will remain if you do this. Update failed.",
-            });
-            return;
-          }
+        const canModify = validCanModify(currUser, user);
+        if (!canModify.valid) {
+          response.status(200).json({ success: false, error: canModify.error });
+          return;
+        }
+
+        const roleValidation = validRoleSelection(currUser, updates);
+        if (!roleValidation.valid) {
+          response
+            .status(200)
+            .json({ success: false, error: roleValidation.error });
+          return;
+        }
+
+        const validAdminRoleModification = await canModifyAdmin(user, updates);
+        if (!validAdminRoleModification.valid) {
+          response
+            .status(200)
+            .json({ success: false, error: validAdminRoleModification.error });
+          return;
         }
 
         const { success, error } = await User.update(id, updates);
@@ -86,10 +107,19 @@ function adminEndpoints(app) {
 
   app.delete(
     "/admin/user/:id",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
+        const currUser = await userFromSession(request, response);
         const { id } = request.params;
+        const user = await User.get({ id: Number(id) });
+
+        const canModify = validCanModify(currUser, user);
+        if (!canModify.valid) {
+          response.status(200).json({ success: false, error: canModify.error });
+          return;
+        }
+
         await User.delete({ id: Number(id) });
         response.status(200).json({ success: true, error: null });
       } catch (e) {
@@ -101,7 +131,7 @@ function adminEndpoints(app) {
 
   app.get(
     "/admin/invites",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (_request, response) => {
       try {
         const invites = await Invite.whereWithUsers();
@@ -115,7 +145,7 @@ function adminEndpoints(app) {
 
   app.get(
     "/admin/invite/new",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const user = await userFromSession(request, response);
@@ -130,7 +160,7 @@ function adminEndpoints(app) {
 
   app.delete(
     "/admin/invite/:id",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const { id } = request.params;
@@ -145,7 +175,7 @@ function adminEndpoints(app) {
 
   app.get(
     "/admin/workspaces",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (_request, response) => {
       try {
         const workspaces = await Workspace.whereWithUsers();
@@ -159,7 +189,7 @@ function adminEndpoints(app) {
 
   app.post(
     "/admin/workspaces/new",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const user = await userFromSession(request, response);
@@ -178,7 +208,7 @@ function adminEndpoints(app) {
 
   app.post(
     "/admin/workspaces/:workspaceId/update-users",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const { workspaceId } = request.params;
@@ -197,7 +227,7 @@ function adminEndpoints(app) {
 
   app.delete(
     "/admin/workspaces/:id",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const { id } = request.params;
@@ -228,7 +258,7 @@ function adminEndpoints(app) {
 
   app.get(
     "/admin/system-preferences",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (_request, response) => {
       try {
         const settings = {
@@ -253,7 +283,7 @@ function adminEndpoints(app) {
 
   app.post(
     "/admin/system-preferences",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const updates = reqBody(request);
@@ -268,7 +298,7 @@ function adminEndpoints(app) {
 
   app.get(
     "/admin/api-keys",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin])],
     async (_request, response) => {
       try {
         const apiKeys = await ApiKey.whereWithUser({});
@@ -288,7 +318,7 @@ function adminEndpoints(app) {
 
   app.post(
     "/admin/generate-api-key",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin])],
     async (request, response) => {
       try {
         const user = await userFromSession(request, response);
@@ -306,7 +336,7 @@ function adminEndpoints(app) {
 
   app.delete(
     "/admin/delete-api-key/:id",
-    [validatedRequest, strictMultiUserRoleValid],
+    [validatedRequest, strictMultiUserRoleValid([ROLES.admin])],
     async (request, response) => {
       try {
         const { id } = request.params;
diff --git a/server/endpoints/api/admin/index.js b/server/endpoints/api/admin/index.js
index ebe662c696..1f2a5bae74 100644
--- a/server/endpoints/api/admin/index.js
+++ b/server/endpoints/api/admin/index.js
@@ -3,6 +3,7 @@ const { SystemSettings } = require("../../../models/systemSettings");
 const { User } = require("../../../models/user");
 const { Workspace } = require("../../../models/workspace");
 const { WorkspaceChats } = require("../../../models/workspaceChats");
+const { canModifyAdmin } = require("../../../utils/helpers/admin");
 const { multiUserMode, reqBody } = require("../../../utils/http");
 const { validApiKey } = require("../../../utils/middleware/validApiKey");
 
@@ -198,23 +199,13 @@ function apiAdminEndpoints(app) {
       const { id } = request.params;
       const updates = reqBody(request);
       const user = await User.get({ id: Number(id) });
+      const validAdminRoleModification = await canModifyAdmin(user, updates);
 
-      // Check to make sure with this update that includes a role change to
-      // something other than admin that we still have at least one admin left.
-      if (
-        updates.hasOwnProperty("role") && // has admin prop to change
-        updates.role !== "admin" && // and we are changing to non-admin
-        user.role === "admin" // and they currently are an admin
-      ) {
-        const adminCount = await User.count({ role: "admin" });
-        if (adminCount - 1 <= 0) {
-          response.status(200).json({
-            success: false,
-            error:
-              "No system admins will remain if you do this. Update failed.",
-          });
-          return;
-        }
+      if (!validAdminRoleModification.valid) {
+        response
+          .status(200)
+          .json({ success: false, error: validAdminRoleModification.error });
+        return;
       }
 
       const { success, error } = await User.update(id, updates);
diff --git a/server/endpoints/chat.js b/server/endpoints/chat.js
index adfec0ec3f..23739084a7 100644
--- a/server/endpoints/chat.js
+++ b/server/endpoints/chat.js
@@ -10,13 +10,17 @@ const {
   writeResponseChunk,
   VALID_CHAT_MODE,
 } = require("../utils/chats/stream");
+const {
+  ROLES,
+  flexUserRoleValid,
+} = require("../utils/middleware/multiUserProtected");
 
 function chatEndpoints(app) {
   if (!app) return;
 
   app.post(
     "/workspace/:slug/stream-chat",
-    [validatedRequest],
+    [validatedRequest, flexUserRoleValid([ROLES.all])],
     async (request, response) => {
       try {
         const user = await userFromSession(request, response);
@@ -52,7 +56,7 @@ function chatEndpoints(app) {
         response.setHeader("Connection", "keep-alive");
         response.flushHeaders();
 
-        if (multiUserMode(response) && user.role !== "admin") {
+        if (multiUserMode(response) && user.role !== ROLES.admin) {
           const limitMessagesSetting = await SystemSettings.get({
             label: "limit_user_messages",
           });
diff --git a/server/endpoints/extensions/index.js b/server/endpoints/extensions/index.js
index 1b3770374b..a2c884a01b 100644
--- a/server/endpoints/extensions/index.js
+++ b/server/endpoints/extensions/index.js
@@ -4,6 +4,7 @@ const {
 } = require("../../utils/files/documentProcessor");
 const {
   flexUserRoleValid,
+  ROLES,
 } = require("../../utils/middleware/multiUserProtected");
 const { validatedRequest } = require("../../utils/middleware/validatedRequest");
 
@@ -12,7 +13,7 @@ function extensionEndpoints(app) {
 
   app.post(
     "/ext/github/branches",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const responseFromProcessor = await forwardExtensionRequest({
@@ -30,7 +31,7 @@ function extensionEndpoints(app) {
 
   app.post(
     "/ext/github/repo",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const responseFromProcessor = await forwardExtensionRequest({
@@ -51,7 +52,7 @@ function extensionEndpoints(app) {
 
   app.post(
     "/ext/youtube/transcript",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const responseFromProcessor = await forwardExtensionRequest({
diff --git a/server/endpoints/system.js b/server/endpoints/system.js
index 3f11bf5e01..14aa22e043 100644
--- a/server/endpoints/system.js
+++ b/server/endpoints/system.js
@@ -39,10 +39,15 @@ const { WelcomeMessages } = require("../models/welcomeMessages");
 const { ApiKey } = require("../models/apiKeys");
 const { getCustomModels } = require("../utils/helpers/customModels");
 const { WorkspaceChats } = require("../models/workspaceChats");
-const { Workspace } = require("../models/workspace");
-const { flexUserRoleValid } = require("../utils/middleware/multiUserProtected");
+const {
+  flexUserRoleValid,
+  ROLES,
+} = require("../utils/middleware/multiUserProtected");
 const { fetchPfp, determinePfpFilepath } = require("../utils/files/pfp");
-const { convertToCSV, convertToJSON, convertToJSONL } = require("./utils");
+const {
+  prepareWorkspaceChatsForExport,
+  exportChatsAsType,
+} = require("../utils/helpers/chat/convertTo");
 
 function systemEndpoints(app) {
   if (!app) return;
@@ -275,15 +280,9 @@ function systemEndpoints(app) {
 
   app.post(
     "/system/update-env",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin])],
     async (request, response) => {
       try {
-        const user = await userFromSession(request, response);
-        if (!!user && user.role !== "admin") {
-          response.sendStatus(401).end();
-          return;
-        }
-
         const body = reqBody(request);
         const { newValues, error } = await updateENV(body);
         if (process.env.NODE_ENV === "production") await dumpENV();
@@ -341,7 +340,7 @@ function systemEndpoints(app) {
         const { user, error } = await User.create({
           username,
           password,
-          role: "admin",
+          role: ROLES.admin,
         });
         await SystemSettings.updateSettings({
           multi_user_mode: true,
@@ -374,7 +373,7 @@ function systemEndpoints(app) {
     }
   );
 
-  app.get("/system/multi-user-mode", async (request, response) => {
+  app.get("/system/multi-user-mode", async (_, response) => {
     try {
       const multiUserMode = await SystemSettings.isMultiUserMode();
       response.status(200).json({ multiUserMode });
@@ -384,7 +383,7 @@ function systemEndpoints(app) {
     }
   });
 
-  app.get("/system/logo", async function (request, response) {
+  app.get("/system/logo", async function (_, response) {
     try {
       const defaultFilename = getDefaultFilename();
       const logoPath = await determineLogoFilepath(defaultFilename);
@@ -409,56 +408,61 @@ function systemEndpoints(app) {
     }
   });
 
-  app.get("/system/pfp/:id", async function (request, response) {
-    try {
-      const { id } = request.params;
-      const pfpPath = await determinePfpFilepath(id);
+  app.get(
+    "/system/pfp/:id",
+    [validatedRequest, flexUserRoleValid([ROLES.all])],
+    async function (request, response) {
+      try {
+        const { id } = request.params;
+        const pfpPath = await determinePfpFilepath(id);
 
-      if (!pfpPath) {
-        response.sendStatus(204).end();
-        return;
-      }
+        if (!pfpPath) {
+          response.sendStatus(204).end();
+          return;
+        }
 
-      const { found, buffer, size, mime } = fetchPfp(pfpPath);
-      if (!found) {
-        response.sendStatus(204).end();
+        const { found, buffer, size, mime } = fetchPfp(pfpPath);
+        if (!found) {
+          response.sendStatus(204).end();
+          return;
+        }
+
+        response.writeHead(200, {
+          "Content-Type": mime || "image/png",
+          "Content-Disposition": `attachment; filename=${path.basename(
+            pfpPath
+          )}`,
+          "Content-Length": size,
+        });
+        response.end(Buffer.from(buffer, "base64"));
         return;
+      } catch (error) {
+        console.error("Error processing the logo request:", error);
+        response.status(500).json({ message: "Internal server error" });
       }
-
-      response.writeHead(200, {
-        "Content-Type": mime || "image/png",
-        "Content-Disposition": `attachment; filename=${path.basename(pfpPath)}`,
-        "Content-Length": size,
-      });
-      response.end(Buffer.from(buffer, "base64"));
-      return;
-    } catch (error) {
-      console.error("Error processing the logo request:", error);
-      response.status(500).json({ message: "Internal server error" });
     }
-  });
+  );
 
   app.post(
     "/system/upload-pfp",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.all])],
     handlePfpUploads.single("file"),
     async function (request, response) {
       try {
         const user = await userFromSession(request, response);
         const uploadedFileName = request.randomFileName;
-
         if (!uploadedFileName) {
           return response.status(400).json({ message: "File upload failed." });
         }
 
         const userRecord = await User.get({ id: user.id });
-        const oldPfpFilename = normalizePath(userRecord.pfpFilename);
+        const oldPfpFilename = userRecord.pfpFilename;
 
         console.log("oldPfpFilename", oldPfpFilename);
         if (oldPfpFilename) {
           const oldPfpPath = path.join(
             __dirname,
-            `../storage/assets/pfp/${oldPfpFilename}`
+            `../storage/assets/pfp/${normalizePath(userRecord.pfpFilename)}`
           );
 
           if (fs.existsSync(oldPfpPath)) fs.unlinkSync(oldPfpPath);
@@ -482,17 +486,18 @@ function systemEndpoints(app) {
 
   app.delete(
     "/system/remove-pfp",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.all])],
     async function (request, response) {
       try {
         const user = await userFromSession(request, response);
         const userRecord = await User.get({ id: user.id });
-        const oldPfpFilename = normalizePath(userRecord.pfpFilename);
+        const oldPfpFilename = userRecord.pfpFilename;
+
         console.log("oldPfpFilename", oldPfpFilename);
         if (oldPfpFilename) {
           const oldPfpPath = path.join(
             __dirname,
-            `../storage/assets/pfp/${oldPfpFilename}`
+            `../storage/assets/pfp/${normalizePath(oldPfpFilename)}`
           );
 
           if (fs.existsSync(oldPfpPath)) fs.unlinkSync(oldPfpPath);
@@ -516,7 +521,7 @@ function systemEndpoints(app) {
 
   app.post(
     "/system/upload-logo",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     handleLogoUploads.single("logo"),
     async (request, response) => {
       if (!request.file || !request.file.originalname) {
@@ -550,7 +555,7 @@ function systemEndpoints(app) {
     }
   );
 
-  app.get("/system/is-default-logo", async (request, response) => {
+  app.get("/system/is-default-logo", async (_, response) => {
     try {
       const currentLogoFilename = await SystemSettings.currentLogoFilename();
       const isDefaultLogo = currentLogoFilename === LOGO_FILENAME;
@@ -563,7 +568,7 @@ function systemEndpoints(app) {
 
   app.get(
     "/system/remove-logo",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (_request, response) => {
       try {
         const currentLogoFilename = await SystemSettings.currentLogoFilename();
@@ -594,7 +599,7 @@ function systemEndpoints(app) {
         }
 
         const user = await userFromSession(request, response);
-        if (["admin", "manager"].includes(user?.role)) {
+        if ([ROLES.admin, ROLES.manager].includes(user?.role)) {
           return response.status(200).json({ canDelete: true });
         }
 
@@ -611,21 +616,25 @@ function systemEndpoints(app) {
     }
   );
 
-  app.get("/system/welcome-messages", async function (request, response) {
-    try {
-      const welcomeMessages = await WelcomeMessages.getMessages();
-      response.status(200).json({ success: true, welcomeMessages });
-    } catch (error) {
-      console.error("Error fetching welcome messages:", error);
-      response
-        .status(500)
-        .json({ success: false, message: "Internal server error" });
+  app.get(
+    "/system/welcome-messages",
+    [validatedRequest, flexUserRoleValid([ROLES.all])],
+    async function (_, response) {
+      try {
+        const welcomeMessages = await WelcomeMessages.getMessages();
+        response.status(200).json({ success: true, welcomeMessages });
+      } catch (error) {
+        console.error("Error fetching welcome messages:", error);
+        response
+          .status(500)
+          .json({ success: false, message: "Internal server error" });
+      }
     }
-  });
+  );
 
   app.post(
     "/system/set-welcome-messages",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const { messages = [] } = reqBody(request);
@@ -733,7 +742,7 @@ function systemEndpoints(app) {
 
   app.post(
     "/system/workspace-chats",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const { offset = 0, limit = 20 } = reqBody(request);
@@ -756,7 +765,7 @@ function systemEndpoints(app) {
 
   app.delete(
     "/system/workspace-chats/:id",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const { id } = request.params;
@@ -771,81 +780,14 @@ function systemEndpoints(app) {
 
   app.get(
     "/system/export-chats",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.manager, ROLES.admin])],
     async (request, response) => {
       try {
         const { type = "jsonl" } = request.query;
-        const chats = await WorkspaceChats.whereWithData({}, null, null, {
-          id: "asc",
-        });
-        const workspaceIds = [
-          ...new Set(chats.map((chat) => chat.workspaceId)),
-        ];
-
-        const workspacesWithPrompts = await Promise.all(
-          workspaceIds.map((id) => Workspace.get({ id: Number(id) }))
-        );
-
-        const workspacePromptsMap = workspacesWithPrompts.reduce(
-          (acc, workspace) => {
-            acc[workspace.id] = workspace.openAiPrompt;
-            return acc;
-          },
-          {}
-        );
-
-        const workspaceChatsMap = chats.reduce((acc, chat) => {
-          const { prompt, response, workspaceId } = chat;
-          const responseJson = JSON.parse(response);
-
-          if (!acc[workspaceId]) {
-            acc[workspaceId] = {
-              messages: [
-                {
-                  role: "system",
-                  content:
-                    workspacePromptsMap[workspaceId] ||
-                    "Given the following conversation, relevant context, and a follow up question, reply with an answer to the current question the user is asking. Return only your response to the question given the above information following the users instructions as needed.",
-                },
-              ],
-            };
-          }
-
-          acc[workspaceId].messages.push(
-            {
-              role: "user",
-              content: prompt,
-            },
-            {
-              role: "assistant",
-              content: responseJson.text,
-            }
-          );
-
-          return acc;
-        }, {});
-
-        let output;
-        switch (type.toLowerCase()) {
-          case "json": {
-            response.setHeader("Content-Type", "application/json");
-            output = await convertToJSON(workspaceChatsMap);
-            break;
-          }
-          case "csv": {
-            response.setHeader("Content-Type", "text/csv");
-            output = await convertToCSV(workspaceChatsMap);
-            break;
-          }
-          // JSONL default
-          default: {
-            response.setHeader("Content-Type", "application/jsonl");
-            output = await convertToJSONL(workspaceChatsMap);
-            break;
-          }
-        }
-
-        response.status(200).send(output);
+        const chats = await prepareWorkspaceChatsForExport();
+        const { contentType, data } = await exportChatsAsType(chats, type);
+        response.setHeader("Content-Type", contentType);
+        response.status(200).send(data);
       } catch (e) {
         console.error(e);
         response.sendStatus(500).end();
@@ -853,6 +795,8 @@ function systemEndpoints(app) {
     }
   );
 
+  // Used for when a user in multi-user updates their own profile
+  // from the UI.
   app.post("/system/user", [validatedRequest], async (request, response) => {
     try {
       const sessionUser = await userFromSession(request, response);
diff --git a/server/endpoints/utils.js b/server/endpoints/utils.js
index 3c639b3e56..e9a7d0caa2 100644
--- a/server/endpoints/utils.js
+++ b/server/endpoints/utils.js
@@ -1,5 +1,27 @@
 const { SystemSettings } = require("../models/systemSettings");
 
+function utilEndpoints(app) {
+  if (!app) return;
+
+  app.get("/utils/metrics", async (_, response) => {
+    try {
+      const metrics = {
+        online: true,
+        version: getGitVersion(),
+        mode: (await SystemSettings.isMultiUserMode())
+          ? "multi-user"
+          : "single-user",
+        vectorDB: process.env.VECTOR_DB || "lancedb",
+        storage: await getDiskStorage(),
+      };
+      response.status(200).json(metrics);
+    } catch (e) {
+      console.error(e);
+      response.sendStatus(500).end();
+    }
+  });
+}
+
 function getGitVersion() {
   try {
     return require("child_process")
@@ -32,60 +54,7 @@ async function getDiskStorage() {
   }
 }
 
-async function convertToCSV(workspaceChatsMap) {
-  const rows = ["role,content"];
-  for (const workspaceChats of Object.values(workspaceChatsMap)) {
-    for (const message of workspaceChats.messages) {
-      // Escape double quotes and wrap content in double quotes
-      const escapedContent = `"${message.content
-        .replace(/"/g, '""')
-        .replace(/\n/g, " ")}"`;
-      rows.push(`${message.role},${escapedContent}`);
-    }
-  }
-  return rows.join("\n");
-}
-
-async function convertToJSON(workspaceChatsMap) {
-  const allMessages = [].concat.apply(
-    [],
-    Object.values(workspaceChatsMap).map((workspace) => workspace.messages)
-  );
-  return JSON.stringify(allMessages);
-}
-
-async function convertToJSONL(workspaceChatsMap) {
-  return Object.values(workspaceChatsMap)
-    .map((workspaceChats) => JSON.stringify(workspaceChats))
-    .join("\n");
-}
-
-function utilEndpoints(app) {
-  if (!app) return;
-
-  app.get("/utils/metrics", async (_, response) => {
-    try {
-      const metrics = {
-        online: true,
-        version: getGitVersion(),
-        mode: (await SystemSettings.isMultiUserMode())
-          ? "multi-user"
-          : "single-user",
-        vectorDB: process.env.VECTOR_DB || "lancedb",
-        storage: await getDiskStorage(),
-      };
-      response.status(200).json(metrics);
-    } catch (e) {
-      console.error(e);
-      response.sendStatus(500).end();
-    }
-  });
-}
-
 module.exports = {
   utilEndpoints,
   getGitVersion,
-  convertToCSV,
-  convertToJSON,
-  convertToJSONL,
 };
diff --git a/server/endpoints/workspaces.js b/server/endpoints/workspaces.js
index 7119297f6a..25e391036f 100644
--- a/server/endpoints/workspaces.js
+++ b/server/endpoints/workspaces.js
@@ -13,7 +13,10 @@ const {
 } = require("../utils/files/documentProcessor");
 const { validatedRequest } = require("../utils/middleware/validatedRequest");
 const { Telemetry } = require("../models/telemetry");
-const { flexUserRoleValid } = require("../utils/middleware/multiUserProtected");
+const {
+  flexUserRoleValid,
+  ROLES,
+} = require("../utils/middleware/multiUserProtected");
 const { handleUploads } = setupMulter();
 
 function workspaceEndpoints(app) {
@@ -21,7 +24,7 @@ function workspaceEndpoints(app) {
 
   app.post(
     "/workspace/new",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const user = await userFromSession(request, response);
@@ -50,7 +53,7 @@ function workspaceEndpoints(app) {
 
   app.post(
     "/workspace/:slug/update",
-    [validatedRequest],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const user = await userFromSession(request, response);
@@ -79,6 +82,7 @@ function workspaceEndpoints(app) {
 
   app.post(
     "/workspace/:slug/upload",
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     handleUploads.single("file"),
     async function (request, response) {
       const { originalname } = request.file;
@@ -111,7 +115,7 @@ function workspaceEndpoints(app) {
 
   app.post(
     "/workspace/:slug/upload-link",
-    [validatedRequest],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       const { link = "" } = reqBody(request);
       const processingOnline = await checkProcessorAlive();
@@ -143,7 +147,7 @@ function workspaceEndpoints(app) {
 
   app.post(
     "/workspace/:slug/update-embeddings",
-    [validatedRequest],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const user = await userFromSession(request, response);
@@ -182,7 +186,7 @@ function workspaceEndpoints(app) {
 
   app.delete(
     "/workspace/:slug",
-    [validatedRequest, flexUserRoleValid],
+    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
     async (request, response) => {
       try {
         const { slug = "" } = request.params;
@@ -215,38 +219,46 @@ function workspaceEndpoints(app) {
     }
   );
 
-  app.get("/workspaces", [validatedRequest], async (request, response) => {
-    try {
-      const user = await userFromSession(request, response);
-      const workspaces = multiUserMode(response)
-        ? await Workspace.whereWithUser(user)
-        : await Workspace.where();
+  app.get(
+    "/workspaces",
+    [validatedRequest, flexUserRoleValid([ROLES.all])],
+    async (request, response) => {
+      try {
+        const user = await userFromSession(request, response);
+        const workspaces = multiUserMode(response)
+          ? await Workspace.whereWithUser(user)
+          : await Workspace.where();
 
-      response.status(200).json({ workspaces });
-    } catch (e) {
-      console.log(e.message, e);
-      response.sendStatus(500).end();
+        response.status(200).json({ workspaces });
+      } catch (e) {
+        console.log(e.message, e);
+        response.sendStatus(500).end();
+      }
     }
-  });
+  );
 
-  app.get("/workspace/:slug", [validatedRequest], async (request, response) => {
-    try {
-      const { slug } = request.params;
-      const user = await userFromSession(request, response);
-      const workspace = multiUserMode(response)
-        ? await Workspace.getWithUser(user, { slug })
-        : await Workspace.get({ slug });
+  app.get(
+    "/workspace/:slug",
+    [validatedRequest, flexUserRoleValid([ROLES.all])],
+    async (request, response) => {
+      try {
+        const { slug } = request.params;
+        const user = await userFromSession(request, response);
+        const workspace = multiUserMode(response)
+          ? await Workspace.getWithUser(user, { slug })
+          : await Workspace.get({ slug });
 
-      response.status(200).json({ workspace });
-    } catch (e) {
-      console.log(e.message, e);
-      response.sendStatus(500).end();
+        response.status(200).json({ workspace });
+      } catch (e) {
+        console.log(e.message, e);
+        response.sendStatus(500).end();
+      }
     }
-  });
+  );
 
   app.get(
     "/workspace/:slug/chats",
-    [validatedRequest],
+    [validatedRequest, flexUserRoleValid([ROLES.all])],
     async (request, response) => {
       try {
         const { slug } = request.params;
diff --git a/server/models/workspace.js b/server/models/workspace.js
index 9169d193dd..c8e1247ee4 100644
--- a/server/models/workspace.js
+++ b/server/models/workspace.js
@@ -2,6 +2,7 @@ const prisma = require("../utils/prisma");
 const slugify = require("slugify");
 const { Document } = require("./documents");
 const { WorkspaceUser } = require("./workspaceUsers");
+const { ROLES } = require("../utils/middleware/multiUserProtected");
 
 const Workspace = {
   writable: [
@@ -66,7 +67,8 @@ const Workspace = {
   },
 
   getWithUser: async function (user = null, clause = {}) {
-    if (["admin", "manager"].includes(user.role)) return this.get(clause);
+    if ([ROLES.admin, ROLES.manager].includes(user.role))
+      return this.get(clause);
 
     try {
       const workspace = await prisma.workspaces.findFirst({
@@ -144,7 +146,7 @@ const Workspace = {
     limit = null,
     orderBy = null
   ) {
-    if (["admin", "manager"].includes(user.role))
+    if ([ROLES.admin, ROLES.manager].includes(user.role))
       return await this.where(clause, limit, orderBy);
 
     try {
diff --git a/server/utils/helpers/admin/index.js b/server/utils/helpers/admin/index.js
new file mode 100644
index 0000000000..87a0127841
--- /dev/null
+++ b/server/utils/helpers/admin/index.js
@@ -0,0 +1,52 @@
+const { User } = require("../../../models/user");
+const { ROLES } = require("../../middleware/multiUserProtected");
+
+// When a user is updating or creating a user in multi-user, we need to check if they
+// are allowed to do this and that the new or existing user will be at or below their permission level.
+// the user executing this function should be an admin or manager.
+function validRoleSelection(currentUser = {}, newUserParams = {}) {
+  if (!newUserParams.hasOwnProperty("role"))
+    return { valid: true, error: null }; // not updating role, so skip.
+  if (currentUser.role === ROLES.admin) return { valid: true, error: null };
+  if (currentUser.role === ROLES.manager) {
+    const validRoles = [ROLES.manager, ROLES.default];
+    if (!validRoles.includes(newUserParams.role))
+      return { valid: false, error: "Invalid role selection for user." };
+    return { valid: true, error: null };
+  }
+  return { valid: false, error: "Invalid condition for caller." };
+}
+
+// Check to make sure with this update that includes a role change to an existing admin to a non-admin
+// that we still have at least one admin left or else they will lock themselves out.
+async function canModifyAdmin(userToModify, updates) {
+  // if updates don't include role property or the user being modified isn't an admin currently - skip.
+  if (!updates.hasOwnProperty("role")) return { valid: true, error: null };
+  if (userToModify.role !== ROLES.admin) return { valid: true, error: null };
+
+  const adminCount = await User.count({ role: ROLES.admin });
+  if (adminCount - 1 <= 0)
+    return {
+      valid: false,
+      error: "No system admins will remain if you do this. Update failed.",
+    };
+  return { valid: true, error: null };
+}
+
+function validCanModify(currentUser, existingUser) {
+  if (currentUser.role === ROLES.admin) return { valid: true, error: null };
+  if (currentUser.role === ROLES.manager) {
+    const validRoles = [ROLES.manager, ROLES.default];
+    if (!validRoles.includes(existingUser.role))
+      return { valid: false, error: "Cannot perform that action on user." };
+    return { valid: true, error: null };
+  }
+
+  return { valid: false, error: "Invalid condition for caller." };
+}
+
+module.exports = {
+  validCanModify,
+  validRoleSelection,
+  canModifyAdmin,
+};
diff --git a/server/utils/helpers/chat/convertTo.js b/server/utils/helpers/chat/convertTo.js
new file mode 100644
index 0000000000..4dc3955e91
--- /dev/null
+++ b/server/utils/helpers/chat/convertTo.js
@@ -0,0 +1,113 @@
+// Helpers that convert workspace chats to some supported format
+// for external use by the user.
+
+const { Workspace } = require("../../../models/workspace");
+const { WorkspaceChats } = require("../../../models/workspaceChats");
+
+// Todo: make this more useful for export by adding other columns about workspace, user, time, etc for post-filtering.
+async function convertToCSV(workspaceChatsMap) {
+  const rows = ["role,content"];
+  for (const workspaceChats of Object.values(workspaceChatsMap)) {
+    for (const message of workspaceChats.messages) {
+      // Escape double quotes and wrap content in double quotes
+      const escapedContent = `"${message.content
+        .replace(/"/g, '""')
+        .replace(/\n/g, " ")}"`;
+      rows.push(`${message.role},${escapedContent}`);
+    }
+  }
+  return rows.join("\n");
+}
+
+async function convertToJSON(workspaceChatsMap) {
+  const allMessages = [].concat.apply(
+    [],
+    Object.values(workspaceChatsMap).map((workspace) => workspace.messages)
+  );
+  return JSON.stringify(allMessages);
+}
+
+async function convertToJSONL(workspaceChatsMap) {
+  return Object.values(workspaceChatsMap)
+    .map((workspaceChats) => JSON.stringify(workspaceChats))
+    .join("\n");
+}
+
+async function prepareWorkspaceChatsForExport() {
+  const chats = await WorkspaceChats.whereWithData({}, null, null, {
+    id: "asc",
+  });
+  const workspaceIds = [...new Set(chats.map((chat) => chat.workspaceId))];
+
+  const workspacesWithPrompts = await Promise.all(
+    workspaceIds.map((id) => Workspace.get({ id: Number(id) }))
+  );
+
+  const workspacePromptsMap = workspacesWithPrompts.reduce((acc, workspace) => {
+    acc[workspace.id] = workspace.openAiPrompt;
+    return acc;
+  }, {});
+
+  const workspaceChatsMap = chats.reduce((acc, chat) => {
+    const { prompt, response, workspaceId } = chat;
+    const responseJson = JSON.parse(response);
+
+    if (!acc[workspaceId]) {
+      acc[workspaceId] = {
+        messages: [
+          {
+            role: "system",
+            content:
+              workspacePromptsMap[workspaceId] ||
+              "Given the following conversation, relevant context, and a follow up question, reply with an answer to the current question the user is asking. Return only your response to the question given the above information following the users instructions as needed.",
+          },
+        ],
+      };
+    }
+
+    acc[workspaceId].messages.push(
+      {
+        role: "user",
+        content: prompt,
+      },
+      {
+        role: "assistant",
+        content: responseJson.text,
+      }
+    );
+
+    return acc;
+  }, {});
+
+  return workspaceChatsMap;
+}
+
+const exportMap = {
+  json: {
+    contentType: "application/json",
+    func: convertToJSON,
+  },
+  csv: {
+    contentType: "text/csv",
+    func: convertToCSV,
+  },
+  jsonl: {
+    contentType: "application/jsonl",
+    func: convertToJSONL,
+  },
+};
+
+async function exportChatsAsType(workspaceChatsMap, format = "jsonl") {
+  const { contentType, func } = exportMap.hasOwnProperty(format)
+    ? exportMap[format]
+    : exportMap.jsonl;
+  return {
+    contentType,
+    data: await func(workspaceChatsMap),
+  };
+}
+
+module.exports = {
+  prepareWorkspaceChatsForExport,
+  exportChatsAsType,
+};
diff --git a/server/utils/middleware/multiUserProtected.js b/server/utils/middleware/multiUserProtected.js
index 7de09ac575..f8a28c962b 100644
--- a/server/utils/middleware/multiUserProtected.js
+++ b/server/utils/middleware/multiUserProtected.js
@@ -1,41 +1,71 @@
 const { SystemSettings } = require("../../models/systemSettings");
 const { userFromSession } = require("../http");
-
-const ROLES = ["admin", "manager"];
+const ROLES = {
+  all: "<all>",
+  admin: "admin",
+  manager: "manager",
+  default: "default",
+};
+const DEFAULT_ROLES = [ROLES.admin, ROLES.admin];
 
 // Explicitly check that multi user mode is enabled as well as that the
 // requesting user has the appropriate role to modify or call the URL.
-async function strictMultiUserRoleValid(request, response, next) {
-  const multiUserMode =
-    response.locals?.multiUserMode ?? (await SystemSettings.isMultiUserMode());
-  if (!multiUserMode) return response.sendStatus(401).end();
+function strictMultiUserRoleValid(allowedRoles = DEFAULT_ROLES) {
+  return async (request, response, next) => {
+    // If the access-control is allowable for all - skip validations and continue;
+    if (allowedRoles.includes(ROLES.all)) {
+      next();
+      return;
+    }
 
-  const user =
-    response.locals?.user ?? (await userFromSession(request, response));
-  if (!ROLES.includes(user?.role)) return response.sendStatus(401).end();
+    const multiUserMode =
+      response.locals?.multiUserMode ??
+      (await SystemSettings.isMultiUserMode());
+    if (!multiUserMode) return response.sendStatus(401).end();
 
-  next();
+    const user =
+      response.locals?.user ?? (await userFromSession(request, response));
+    if (allowedRoles.includes(user?.role)) {
+      next();
+      return;
+    }
+    return response.sendStatus(401).end();
+  };
 }
 
 // Apply role permission checks IF the current system is in multi-user mode.
 // This is relevant for routes that are shared between MUM and single-user mode.
 // Checks if the requesting user has the appropriate role to modify or call the URL.
-async function flexUserRoleValid(request, response, next) {
-  const multiUserMode =
-    response.locals?.multiUserMode ?? (await SystemSettings.isMultiUserMode());
-  if (!multiUserMode) {
-    next();
-    return;
-  }
+function flexUserRoleValid(allowedRoles = DEFAULT_ROLES) {
+  return async (request, response, next) => {
+    // If the access-control is allowable for all - skip validations and continue;
+    // It does not matter if multi-user or not.
+    if (allowedRoles.includes(ROLES.all)) {
+      next();
+      return;
+    }
 
-  const user =
-    response.locals?.user ?? (await userFromSession(request, response));
-  if (!ROLES.includes(user?.role)) return response.sendStatus(401).end();
+    // Bypass if not in multi-user mode
+    const multiUserMode =
+      response.locals?.multiUserMode ??
+      (await SystemSettings.isMultiUserMode());
+    if (!multiUserMode) {
+      next();
+      return;
+    }
 
-  next();
+    const user =
+      response.locals?.user ?? (await userFromSession(request, response));
+    if (allowedRoles.includes(user?.role)) {
+      next();
+      return;
+    }
+    return response.sendStatus(401).end();
+  };
 }
 
 module.exports = {
+  ROLES,
   strictMultiUserRoleValid,
   flexUserRoleValid,
 };