Add Permission Checks to Vector Store API's (#6045)

* Add Permission Checks to Vector Store API's

* Update packages/server/src/routes/openai-assistants-vector-store/index.ts

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

---------

Co-authored-by: christopherholland-workday <christopher.holland+evisort@workday.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Co-authored-by: yau-wd <yau.ong@workday.com>

Author: 4 people

packages/server/src/routes/openai-assistants-vector-store/index.ts

@@ -1,28 +1,38 @@
 import express from 'express'
 import openaiAssistantsVectorStoreController from '../../controllers/openai-assistants-vector-store'
 import { getMulterStorage } from '../../utils'
+import { checkPermission, checkAnyPermission } from '../../enterprise/rbac/PermissionCheck'
 
 const router = express.Router()
 
 // CREATE
-router.post('/', openaiAssistantsVectorStoreController.createAssistantVectorStore)
+router.post('/', checkPermission('assistants:create'), openaiAssistantsVectorStoreController.createAssistantVectorStore)
 
 // READ
-router.get('/:id', openaiAssistantsVectorStoreController.getAssistantVectorStore)
+router.get('/:id', checkPermission('assistants:view'), openaiAssistantsVectorStoreController.getAssistantVectorStore)
 
 // LIST
-router.get('/', openaiAssistantsVectorStoreController.listAssistantVectorStore)
+router.get('/', checkPermission('assistants:view'), openaiAssistantsVectorStoreController.listAssistantVectorStore)
 
 // UPDATE
-router.put(['/', '/:id'], openaiAssistantsVectorStoreController.updateAssistantVectorStore)
+router.put(
+    ['/', '/:id'],
+    checkAnyPermission('assistants:create,assistants:update'),
+    openaiAssistantsVectorStoreController.updateAssistantVectorStore
+)
 
 // DELETE
-router.delete(['/', '/:id'], openaiAssistantsVectorStoreController.deleteAssistantVectorStore)
-
-// POST
-router.post('/:id', getMulterStorage().array('files'), openaiAssistantsVectorStoreController.uploadFilesToAssistantVectorStore)
-
-// DELETE
-router.patch(['/', '/:id'], openaiAssistantsVectorStoreController.deleteFilesFromAssistantVectorStore)
+router.delete(['/', '/:id'], checkPermission('assistants:delete'), openaiAssistantsVectorStoreController.deleteAssistantVectorStore)
+
+// UPLOAD FILES — permission check must precede multer to reject unauthorized requests before file parsing
+router.post(
+    '/:id',
+    checkAnyPermission('assistants:create,assistants:update'),
+    getMulterStorage().array('files'),
+    openaiAssistantsVectorStoreController.uploadFilesToAssistantVectorStore
+)
+
+// DELETE FILES
+router.patch(['/', '/:id'], checkPermission('assistants:update'), openaiAssistantsVectorStoreController.deleteFilesFromAssistantVectorStore)
 
 export default router

packages/server/src/routes/openai-assistants/index.ts

@@ -1,12 +1,14 @@
 import express from 'express'
 import openaiAssistantsController from '../../controllers/openai-assistants'
+import { checkPermission } from '../../enterprise/rbac/PermissionCheck'
+
 const router = express.Router()
 
 // CREATE
 
 // READ
-router.get('/', openaiAssistantsController.getAllOpenaiAssistants)
-router.get(['/', '/:id'], openaiAssistantsController.getSingleOpenaiAssistant)
+router.get('/', checkPermission('assistants:view'), openaiAssistantsController.getAllOpenaiAssistants)
+router.get(['/', '/:id'], checkPermission('assistants:view'), openaiAssistantsController.getSingleOpenaiAssistant)
 
 // UPDATE