Skip to content

🛡️ fix: Preserve CREATE/SHARE/SHARE_PUBLIC Permissions with Boolean Config#11647

Merged
danny-avila merged 6 commits intodevfrom
fix/persist-perms
Feb 5, 2026
Merged

🛡️ fix: Preserve CREATE/SHARE/SHARE_PUBLIC Permissions with Boolean Config#11647
danny-avila merged 6 commits intodevfrom
fix/persist-perms

Conversation

@danny-avila
Copy link
Owner

@danny-avila danny-avila commented Feb 5, 2026
edited
Loading

Summary

I fixed a critical bug where CREATE, SHARE, and SHARE_PUBLIC permissions were being reset to defaults when using boolean configuration (e.g., agents: true or prompts: true), overwriting admin panel customizations on application restart.

  • Implemented conditional logic to preserve existing CREATE, SHARE, and SHARE_PUBLIC permissions when not explicitly configured in librechat.yaml
  • Aligned permission handling across all types (prompts, agents, mcpServers, remoteAgents) to ensure consistent granular control
  • Added create field support to permission configuration schemas, allowing explicit control over CREATE permissions alongside USE
  • Refactored helper functions to extract create, share, and public values from both boolean and object configurations
  • Ensured boolean configs function as feature toggles (USE only), while object configs provide granular permission control
  • Added three comprehensive regression tests validating boolean config preservation, explicit object config updates, and partial object config preservation
  • Updated existing test assertions to reflect the new permission handling logic with detailed comments explaining behavior
  • Fixed performance issue in ToolService.js by moving domainSeparatorRegex creation outside the loop to avoid redundant regex instantiation

The changes ensure that when agents: true is configured, only the USE permission is updated, treating it as a feature toggle. CREATE, SHARE, and SHARE_PUBLIC remain untouched in the database, preserving admin panel customizations. When agents: { create: false, share: true } is explicitly configured, only the specified permissions are updated, providing granular control over each permission type.

Change Type

  • Bug fix (non-breaking change which fixes an issue)
  • This change requires a documentation update

Testing

I verified the fix by writing and running three new regression tests that cover all permission configuration scenarios:

  1. Boolean config with existing permissions: Validates that prompts: true and agents: true preserve existing CREATE/SHARE/SHARE_PUBLIC database values, only updating USE
  2. Explicit object config: Validates that agents: { use: true, share: true, public: true } updates SHARE and SHARE_PUBLIC as expected
  3. Partial object config: Validates that agents: { use: true, create: false } updates USE and CREATE while preserving existing SHARE/SHARE_PUBLIC values

All tests pass, confirming that admin panel permission changes are no longer overwritten on restart and that boolean configs function as intended feature toggles.

Test Configuration:

  • Tested with mock database containing existing CREATE/SHARE/SHARE_PUBLIC permissions set to true
  • Tested with boolean config: interface.agents: true (only USE updated)
  • Tested with full object config: interface.agents: { use: true, share: true, public: true } (all specified permissions updated)
  • Tested with partial object config: interface.agents: { use: true, create: false } (only USE and CREATE updated, SHARE/SHARE_PUBLIC preserved)
  • Verified behavior on first-time setup (no existing permissions) defaults to schema values

Checklist

  • My code adheres to this project's style guidelines
  • I have performed a self-review of my own code
  • I have commented in any complex areas of my code
  • My changes do not introduce new warnings
  • I have written tests demonstrating that my changes are effective or that my feature works
  • Local unit tests pass with my changes

Relevant updated docs: LibreChat-AI/librechat.ai#497

@danny-avila
🔧 refactor: Update permissions handling in updateInterfacePermissions…
b8115f3 
… function

- Removed explicit SHARE and SHARE_PUBLIC permissions for PROMPTS when prompts are true, simplifying the permission logic.
- Adjusted the permissions structure to conditionally include SHARE and SHARE_PUBLIC based on the type of interface configuration, enhancing maintainability and clarity in permission management.
- Updated related tests to reflect the changes in permission handling for consistency and accuracy.
@danny-avila
🔧 refactor: Enhance permission configuration in updateInterfacePermis…
8ff4e66 
…sions

- Introduced a new `create` property in the permission configuration object to improve flexibility in permission management.
- Updated helper functions to accommodate the new `create` property, ensuring backward compatibility with existing boolean configurations.
- Adjusted default values for prompts and agents to include the new `create` property, enhancing the overall permission structure.
@danny-avila
🧪 test: Add regression tests for SHARE/SHARE_PUBLIC permission handling
28f51a4 
- Introduced tests to ensure existing SHARE and SHARE_PUBLIC values are preserved when using boolean configuration for agents.
- Added validation to confirm that SHARE and SHARE_PUBLIC are included in the update payload when using object configuration, enhancing the accuracy of permission management.
- These tests address potential regressions and improve the robustness of the permission handling logic in the updateInterfacePermissions function.
@danny-avila danny-avila requested a review from Copilot February 5, 2026 13:29
@danny-avila
fix: accessing undefined regex
2375853 
- Moved the creation of the domainSeparatorRegex to the beginning of the loadToolDefinitionsWrapper function for improved clarity and performance.
- Removed redundant regex initialization within the function's loop, enhancing code efficiency and maintainability.
Copilot AI reviewed Feb 5, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes permission persistence issues by ensuring that SHARE and SHARE_PUBLIC permissions set via the admin panel are preserved when using boolean configuration for prompts and agents. It also adds the create permission field to the schema for better granular control.

Changes:

  • Added create permission to prompts and agents configuration schemas and defaults
  • Modified permission update logic to conditionally include SHARE/SHARE_PUBLIC based on config type and existing permissions
  • Updated tests to reflect new behavior and added regression tests for permission preservation

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
packages/data-provider/src/config.ts Added create field to prompts and agents schemas and set defaults to true
packages/api/src/app/permissions.ts Refactored permission update logic to conditionally spread SHARE/SHARE_PUBLIC permissions based on config type and existence of existing permissions, and added support for configurable CREATE permissions
packages/api/src/app/permissions.spec.ts Updated test expectations to reflect new behavior where SHARE/SHARE_PUBLIC are omitted for boolean configs with existing permissions, and added two new tests for regression coverage

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@danny-avila
🧪 test: Enhance regression tests for SHARE/SHARE_PUBLIC permission ha…
48d7858 
…ndling

- Added a new test to ensure that SHARE and SHARE_PUBLIC permissions are preserved when using object configuration without explicit share/public keys.
- Updated existing tests to validate the inclusion of SHARE and SHARE_PUBLIC in the update payload when using object configuration, improving the robustness of permission management.
- Adjusted the updateInterfacePermissions function to conditionally include SHARE and SHARE_PUBLIC based on the presence of share/public keys in the configuration, enhancing clarity and maintainability.
@danny-avila danny-avila changed the title Fix/persist perms 🛡️ fix: Preserve SHARE/SHARE_PUBLIC Permissions with Boolean Config Feb 5, 2026
@danny-avila
🔧 refactor: Update permission handling in updateInterfacePermissions
8748d74 
- Simplified the logic for including CREATE, SHARE, and SHARE_PUBLIC permissions in the update payload based on the presence of corresponding keys in the configuration object.
- Adjusted tests to reflect the changes, ensuring that only the USE permission is updated when existing permissions are present, preserving the database values for CREATE, SHARE, and SHARE_PUBLIC.
- Enhanced clarity in comments to better explain the permission management logic.
@danny-avila danny-avila changed the title 🛡️ fix: Preserve SHARE/SHARE_PUBLIC Permissions with Boolean Config 🛡️ fix: Preserve CREATE/SHARE/SHARE_PUBLIC Permissions with Boolean Config Feb 5, 2026
@danny-avila danny-avila merged commit 8cf5ae7 into dev Feb 5, 2026
6 checks passed
@danny-avila danny-avila deleted the fix/persist-perms branch February 5, 2026 14:06
PreciousOritsedere pushed a commit to solid/LibreChat that referenced this pull request Feb 10, 2026
@danny-avila @PreciousOritsedere
🛡️ fix: Preserve CREATE/SHARE/SHARE_PUBLIC Permissions with Boolean C…
79e1c37 
…onfig (danny-avila#11647)

* 🔧 refactor: Update permissions handling in updateInterfacePermissions function

- Removed explicit SHARE and SHARE_PUBLIC permissions for PROMPTS when prompts are true, simplifying the permission logic.
- Adjusted the permissions structure to conditionally include SHARE and SHARE_PUBLIC based on the type of interface configuration, enhancing maintainability and clarity in permission management.
- Updated related tests to reflect the changes in permission handling for consistency and accuracy.

* 🔧 refactor: Enhance permission configuration in updateInterfacePermissions

- Introduced a new `create` property in the permission configuration object to improve flexibility in permission management.
- Updated helper functions to accommodate the new `create` property, ensuring backward compatibility with existing boolean configurations.
- Adjusted default values for prompts and agents to include the new `create` property, enhancing the overall permission structure.

* 🧪 test: Add regression tests for SHARE/SHARE_PUBLIC permission handling

- Introduced tests to ensure existing SHARE and SHARE_PUBLIC values are preserved when using boolean configuration for agents.
- Added validation to confirm that SHARE and SHARE_PUBLIC are included in the update payload when using object configuration, enhancing the accuracy of permission management.
- These tests address potential regressions and improve the robustness of the permission handling logic in the updateInterfacePermissions function.

* fix: accessing undefined regex

- Moved the creation of the domainSeparatorRegex to the beginning of the loadToolDefinitionsWrapper function for improved clarity and performance.
- Removed redundant regex initialization within the function's loop, enhancing code efficiency and maintainability.

* 🧪 test: Enhance regression tests for SHARE/SHARE_PUBLIC permission handling

- Added a new test to ensure that SHARE and SHARE_PUBLIC permissions are preserved when using object configuration without explicit share/public keys.
- Updated existing tests to validate the inclusion of SHARE and SHARE_PUBLIC in the update payload when using object configuration, improving the robustness of permission management.
- Adjusted the updateInterfacePermissions function to conditionally include SHARE and SHARE_PUBLIC based on the presence of share/public keys in the configuration, enhancing clarity and maintainability.

* 🔧 refactor: Update permission handling in updateInterfacePermissions

- Simplified the logic for including CREATE, SHARE, and SHARE_PUBLIC permissions in the update payload based on the presence of corresponding keys in the configuration object.
- Adjusted tests to reflect the changes, ensuring that only the USE permission is updated when existing permissions are present, preserving the database values for CREATE, SHARE, and SHARE_PUBLIC.
- Enhanced clarity in comments to better explain the permission management logic.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@danny-avila