feat: add search space API access controls

surfsense_backend/app/routes/search_spaces_routes.py

@@ -5,6 +5,7 @@ from sqlalchemy import func
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.future import select
 
+from app.auth.context import AuthContext
 from app.db import (
     Permission,
     SearchSpace,
@@ -15,12 +16,13 @@ from app.db import (
     get_default_roles_config,
 )
 from app.schemas import (
+    SearchSpaceApiAccessUpdate,
     SearchSpaceCreate,
     SearchSpaceRead,
     SearchSpaceUpdate,
     SearchSpaceWithStats,
 )
-from app.users import current_active_user
+from app.users import get_auth_context
 from app.utils.rbac import check_permission, check_search_space_access
 
 logger = logging.getLogger(__name__)
@@ -74,8 +76,9 @@ async def create_default_roles_and_membership(
 async def create_search_space(
     search_space: SearchSpaceCreate,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    auth: AuthContext = Depends(get_auth_context),
 ):
+    user = auth.user
     try:
         search_space_data = search_space.model_dump()
 
@@ -108,8 +111,9 @@ async def read_search_spaces(
     limit: int = 200,
     owned_only: bool = False,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    auth: AuthContext = Depends(get_auth_context),
 ):
+    user = auth.user
     """
     Get all search spaces the user has access to, with member count and ownership info.
 
@@ -123,11 +127,17 @@ async def read_search_spaces(
         # Exclude spaces that are pending background deletion
         not_deleting = ~SearchSpace.name.startswith("[DELETING] ")
 
+        api_access_filter = (
+            SearchSpace.api_access_enabled == True  # noqa: E712
+            if auth.is_gated
+            else True
+        )
+
         if owned_only:
             # Return only search spaces where user is the original creator (user_id)
             result = await session.execute(
                 select(SearchSpace)
-                .filter(SearchSpace.user_id == user.id, not_deleting)
+                .filter(SearchSpace.user_id == user.id, not_deleting, api_access_filter)
                 .order_by(SearchSpace.id.asc())
                 .offset(skip)
                 .limit(limit)
@@ -137,7 +147,11 @@ async def read_search_spaces(
             result = await session.execute(
                 select(SearchSpace)
                 .join(SearchSpaceMembership)
-                .filter(SearchSpaceMembership.user_id == user.id, not_deleting)
+                .filter(
+                    SearchSpaceMembership.user_id == user.id,
+                    not_deleting,
+                    api_access_filter,
+                )
                 .order_by(SearchSpace.id.asc())
                 .offset(skip)
                 .limit(limit)
@@ -174,6 +188,7 @@ async def read_search_spaces(
                     created_at=space.created_at,
                     user_id=space.user_id,
                     citations_enabled=space.citations_enabled,
+                    api_access_enabled=space.api_access_enabled,
                     qna_custom_instructions=space.qna_custom_instructions,
                     ai_file_sort_enabled=space.ai_file_sort_enabled,
                     member_count=member_count,
@@ -192,15 +207,16 @@ async def read_search_spaces(
 async def read_search_space(
     search_space_id: int,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    auth: AuthContext = Depends(get_auth_context),
 ):
+    user = auth.user
     """
     Get a specific search space by ID.
     Requires SETTINGS_VIEW permission or membership.
     """
     try:
         # Check if user has access (is a member)
-        await check_search_space_access(session, user, search_space_id)
+        await check_search_space_access(session, auth, search_space_id)
 
         result = await session.execute(
             select(SearchSpace).filter(SearchSpace.id == search_space_id)
@@ -225,8 +241,9 @@ async def update_search_space(
     search_space_id: int,
     search_space_update: SearchSpaceUpdate,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    auth: AuthContext = Depends(get_auth_context),
 ):
+    user = auth.user
     """
     Update a search space.
     Requires SETTINGS_UPDATE permission.
@@ -235,7 +252,7 @@ async def update_search_space(
         # Check permission
         await check_permission(
             session,
-            user,
+            auth,
             search_space_id,
             Permission.SETTINGS_UPDATE.value,
             "You don't have permission to update this search space",
@@ -265,17 +282,66 @@ async def update_search_space(
         ) from e
 
 
+@router.put("/searchspaces/{search_space_id}/api-access", response_model=SearchSpaceRead)
+async def update_search_space_api_access(
+    search_space_id: int,
+    body: SearchSpaceApiAccessUpdate,
+    session: AsyncSession = Depends(get_async_session),
+    auth: AuthContext = Depends(get_auth_context),
+):
+    user = auth.user
+    """
+    Toggle programmatic API/PAT access for a search space.
+    Requires API_ACCESS_MANAGE permission.
+    """
+    try:
+        if not auth.is_session:
+            raise HTTPException(
+                status_code=403,
+                detail="This action requires an interactive session",
+            )
+
+        await check_permission(
+            session,
+            auth,
+            search_space_id,
+            Permission.API_ACCESS_MANAGE.value,
+            "You don't have permission to manage API access for this search space",
+        )
+
+        result = await session.execute(
+            select(SearchSpace).filter(SearchSpace.id == search_space_id)
+        )
+        db_search_space = result.scalars().first()
+
+        if not db_search_space:
+            raise HTTPException(status_code=404, detail="Search space not found")
+
+        db_search_space.api_access_enabled = body.api_access_enabled
+        await session.commit()
+        await session.refresh(db_search_space)
+        return db_search_space
+    except HTTPException:
+        raise
+    except Exception as e:
+        await session.rollback()
+        raise HTTPException(
+            status_code=500, detail=f"Failed to update API access: {e!s}"
+        ) from e
+
+
 @router.post("/searchspaces/{search_space_id}/ai-sort")
 async def trigger_ai_sort(
     search_space_id: int,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    auth: AuthContext = Depends(get_auth_context),
 ):
+    user = auth.user
     """Trigger a full AI file sort for all documents in the search space."""
     try:
         await check_permission(
             session,
-            user,
+            auth,
             search_space_id,
             Permission.SETTINGS_UPDATE.value,
             "You don't have permission to trigger AI sort on this search space",
@@ -305,8 +371,9 @@ async def trigger_ai_sort(
 async def delete_search_space(
     search_space_id: int,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    auth: AuthContext = Depends(get_auth_context),
 ):
+    user = auth.user
     """
     Delete a search space.
     Requires SETTINGS_DELETE permission (only owners have this by default).
@@ -318,7 +385,7 @@ async def delete_search_space(
         # Check permission - only those with SETTINGS_DELETE can delete
         await check_permission(
             session,
-            user,
+            auth,
             search_space_id,
             Permission.SETTINGS_DELETE.value,
             "You don't have permission to delete this search space",
@@ -374,8 +441,9 @@ async def delete_search_space(
 async def list_search_space_snapshots(
     search_space_id: int,
     session: AsyncSession = Depends(get_async_session),
-    user: User = Depends(current_active_user),
+    auth: AuthContext = Depends(get_auth_context),
 ):
+    user = auth.user
     """
     List all public chat snapshots for a search space.
 

surfsense_backend/app/schemas/search_space.py

@@ -24,11 +24,16 @@ class SearchSpaceUpdate(BaseModel):
     ai_file_sort_enabled: bool | None = None
 
 
+class SearchSpaceApiAccessUpdate(BaseModel):
+    api_access_enabled: bool
+
+
 class SearchSpaceRead(SearchSpaceBase, IDModel, TimestampModel):
     id: int
     created_at: datetime
     user_id: uuid.UUID
     citations_enabled: bool
+    api_access_enabled: bool = False
     qna_custom_instructions: str | None = None
     shared_memory_md: str | None = None
     ai_file_sort_enabled: bool = False