Use requestedGroupIds column for conversation and agent_configurati…

…ons (#8540)
dust-tt · Nov 8, 2024 · 9ff9f95 · 9ff9f95
1 parent c7cebf0
commit 9ff9f95
Show file tree

Hide file tree

Showing 4 changed files with 23 additions and 21 deletions.
diff --git a/front/lib/api/assistant/configuration.ts b/front/lib/api/assistant/configuration.ts
@@ -577,7 +577,9 @@ export async function getAgentConfigurations<V extends "light" | "full">({
         .flat()
         .filter((a) =>
           auth.canRead(
-            Authenticator.createResourcePermissionsFromGroupIds(a.groupIds)
+            Authenticator.createResourcePermissionsFromGroupIds(
+              a.requestedGroupIds
+            )
           )
         );
 

diff --git a/front/lib/api/assistant/conversation.ts b/front/lib/api/assistant/conversation.ts
@@ -2170,12 +2170,12 @@ export function canAccessConversation(
 ): boolean {
   const owner = auth.getNonNullableWorkspace();
 
-  const groupIds =
+  const requestedGroupIds =
     conversation instanceof Conversation
-      ? getConversationGroupIdsFromModel(owner, conversation)
-      : conversation.groupIds;
+      ? getConversationRequestedGroupIdsFromModel(owner, conversation)
+      : conversation.requestedGroupIds;
 
   return auth.canRead(
-    Authenticator.createResourcePermissionsFromGroupIds(groupIds)
+    Authenticator.createResourcePermissionsFromGroupIds(requestedGroupIds)
   );
 }
diff --git a/front/lib/api/assistant/messages.ts b/front/lib/api/assistant/messages.ts
@@ -434,7 +434,7 @@ export async function fetchConversationMessages(
 export function canReadMessage(auth: Authenticator, message: AgentMessageType) {
   return auth.canRead(
     Authenticator.createResourcePermissionsFromGroupIds(
-      message.configuration.groupIds
+      message.configuration.requestedGroupIds
     )
   );
 }
diff --git a/front/lib/auth.ts b/front/lib/auth.ts
@@ -100,18 +100,20 @@ export class Authenticator {
   }
 
   /**
-   * Converts an array of group sIDs (string identifiers) into ResourcePermission objects.
+   * Converts an array of arrays of group sIDs into ResourcePermission objects.
+   *
    * This utility method creates standard read/write permissions for each group.
    *
-   * The resulting permissions enforce a conjunction (AND) between groups. A user must belong to
-   * ALL groups to access the resource, as each group is placed in a separate ResourcePermission
-   * entry.
+   * Permission logic:
+   * - A user must belong to AT LEAST ONE group from EACH sub-array.
+   *   Each sub-array creates a ResourcePermission entry that can be satisfied by ANY of its groups.
+   *   Example: [[1,2], [3,4]] means (1 OR 2) AND (3 OR 4)
    *
-   * @param groupIds - Array of group string identifiers
-   * @returns Array of ResourcePermission objects, one per group, requiring membership in all groups
+   * @param groupIds - Array of arrays of group string identifiers
+   * @returns Array of ResourcePermission objects, one entry per sub-array
    */
   static createResourcePermissionsFromGroupIds(
-    groupIds: string[]
+    groupIds: string[][]
   ): ResourcePermission[] {
     const getIdFromSIdOrThrow = (groupId: string) => {
       const id = getResourceIdFromSId(groupId);
@@ -121,14 +123,12 @@ export class Authenticator {
       return id;
     };
 
-    // Each group in separate entry enforces AND relationship.
-    return groupIds.map((groupId) => ({
-      groups: [
-        {
-          id: getIdFromSIdOrThrow(groupId),
-          permissions: ["read", "write"],
-        },
-      ],
+    // Each group in the same entry enforces OR relationship.
+    return groupIds.map((group) => ({
+      groups: group.map((groupId) => ({
+        id: getIdFromSIdOrThrow(groupId),
+        permissions: ["read", "write"],
+      })),
     }));
   }