feat: add permission checks for public sharing

CREDO23 2026-02-02 14:18:17 +02:00
parent 17c7b34e44
commit f18ba8e045


@ -25,12 +25,14 @@ from app.db import (
ChatVisibility, ChatVisibility,
NewChatMessage, NewChatMessage,
NewChatThread, NewChatThread,
Permission,
Podcast, Podcast,
PodcastStatus, PodcastStatus,
PublicChatSnapshot, PublicChatSnapshot,
SearchSpaceMembership, SearchSpaceMembership,
User, User,
) )
from app.utils.rbac import check_permission
UI_TOOLS = { UI_TOOLS = {
"display_image", "display_image",
@ -177,11 +179,13 @@ async def create_snapshot(
if not thread: if not thread:
raise HTTPException(status_code=404, detail="Thread not found") raise HTTPException(status_code=404, detail="Thread not found")
if thread.created_by_id != user.id: await check_permission(
raise HTTPException( session,
status_code=403, user,
detail="Only the creator of this chat can create public snapshots", thread.search_space_id,
) Permission.PUBLIC_SHARING_CREATE.value,
"You don't have permission to create public share links",
)
# Build snapshot data # Build snapshot data
user_cache: dict[UUID, dict] = {} user_cache: dict[UUID, dict] = {}
@ -412,11 +416,13 @@ async def delete_snapshot(
if not snapshot: if not snapshot:
raise HTTPException(status_code=404, detail="Snapshot not found") raise HTTPException(status_code=404, detail="Snapshot not found")
if snapshot.thread.created_by_id != user.id: await check_permission(
raise HTTPException( session,
status_code=403, user,
detail="Only the creator can delete snapshots", snapshot.thread.search_space_id,
) Permission.PUBLIC_SHARING_DELETE.value,
"You don't have permission to delete public share links",
)
await session.delete(snapshot) await session.delete(snapshot)
await session.commit() await session.commit()
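Review bot: In create_snapshot, the `check_permission(...)` call replaces the creator check rather than adding to it, so authorization is now scoped only to `thread.search_space_id`. Any member holding `Permission.PUBLIC_SHARING_CREATE` could then publish a thread they did not create. The thread lookup sits above the hunk, so it is not visible whether it already restricts which threads the caller can read; if it does not, a chat that is private to its creator could be exposed publicly by another member who knows its id. Consider keeping `if thread.created_by_id != user.id:` as an extra condition for threads that are not shared with the search space, or confirm that the lookup enforces read access. The same widening applies to delete_snapshot with `Permission.PUBLIC_SHARING_DELETE`, and a short comment such as `# RBAC replaces creator-only rule: any member with this permission may share/delete` would record that this is intentional.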