3b2cb3a699
The /instance/scheduler-heartbeats endpoint was filtering agents by the requesting user's company memberships, which meant non-member companies (like donchitos) were hidden. Since this is an instance-level admin page, it should show all agents across all companies. - Added assertInstanceAdmin to authz.ts for reuse - Replaced assertBoard + company filter with assertInstanceAdmin - Removed the companyIds-based WHERE clause since instance admins see all Co-Authored-By: Paperclip <noreply@paperclip.ing>
52 lines
1.5 KiB
TypeScript
52 lines
1.5 KiB
TypeScript
import type { Request } from "express";
|
|
import { forbidden, unauthorized } from "../errors.js";
|
|
|
|
export function assertBoard(req: Request) {
|
|
if (req.actor.type !== "board") {
|
|
throw forbidden("Board access required");
|
|
}
|
|
}
|
|
|
|
export function assertInstanceAdmin(req: Request) {
|
|
assertBoard(req);
|
|
if (req.actor.source === "local_implicit" || req.actor.isInstanceAdmin) {
|
|
return;
|
|
}
|
|
throw forbidden("Instance admin access required");
|
|
}
|
|
|
|
export function assertCompanyAccess(req: Request, companyId: string) {
|
|
if (req.actor.type === "none") {
|
|
throw unauthorized();
|
|
}
|
|
if (req.actor.type === "agent" && req.actor.companyId !== companyId) {
|
|
throw forbidden("Agent key cannot access another company");
|
|
}
|
|
if (req.actor.type === "board" && req.actor.source !== "local_implicit" && !req.actor.isInstanceAdmin) {
|
|
const allowedCompanies = req.actor.companyIds ?? [];
|
|
if (!allowedCompanies.includes(companyId)) {
|
|
throw forbidden("User does not have access to this company");
|
|
}
|
|
}
|
|
}
|
|
|
|
export function getActorInfo(req: Request) {
|
|
if (req.actor.type === "none") {
|
|
throw unauthorized();
|
|
}
|
|
if (req.actor.type === "agent") {
|
|
return {
|
|
actorType: "agent" as const,
|
|
actorId: req.actor.agentId ?? "unknown-agent",
|
|
agentId: req.actor.agentId ?? null,
|
|
runId: req.actor.runId ?? null,
|
|
};
|
|
}
|
|
|
|
return {
|
|
actorType: "user" as const,
|
|
actorId: req.actor.userId ?? "board",
|
|
agentId: null,
|
|
runId: req.actor.runId ?? null,
|
|
};
|
|
}
|