🤖 fix: Collaborative Agents are only editable by ADMIN #4659

Co-authored-by: Leon Jünemann <leon.juenemann@maibornwolff.de>
danny-avila · Nov 26, 2024 · 8178ae2 · 8178ae2
1 parent e0a5f87
commit 8178ae2
Showing 1 changed file with 14 additions and 7 deletions.
diff --git a/api/server/controllers/agents/v1.js b/api/server/controllers/agents/v1.js
@@ -111,7 +111,6 @@ const getAgentHandler = async (req, res) => {
         isCollaborative: agent.isCollaborative,
       });
     }
-
     return res.status(200).json(agent);
   } catch (error) {
     logger.error('[/Agents/:id] Error retrieving agent', error);
@@ -132,16 +131,24 @@ const updateAgentHandler = async (req, res) => {
   try {
     const id = req.params.id;
     const { projectIds, removeProjectIds, ...updateData } = req.body;
+    const isAdmin = req.user.role === SystemRoles.ADMIN;
+    const existingAgent = await getAgent({ id });
+    const isAuthor = existingAgent.author.toString() === req.user.id;
 
-    let updatedAgent;
-    const query = { id, author: req.user.id };
-    if (req.user.role === SystemRoles.ADMIN) {
-      delete query.author;
+    if (!existingAgent) {
+      return res.status(404).json({ error: 'Agent not found' });
     }
-    if (Object.keys(updateData).length > 0) {
-      updatedAgent = await updateAgent(query, updateData);
+    const hasEditPermission = existingAgent.isCollaborative || isAdmin || isAuthor;
+
+    if (!hasEditPermission) {
+      return res.status(403).json({
+        error: 'You do not have permission to modify this non-collaborative agent',
+      });
     }
 
+    let updatedAgent =
+      Object.keys(updateData).length > 0 ? await updateAgent({ id }, updateData) : existingAgent;
+
     if (projectIds || removeProjectIds) {
       updatedAgent = await updateAgentProjects({
         user: req.user,