[PR #576] [MERGED] prevent manager in multi-user from updatingENV via HTTP #3403

Closed
opened 2026-02-22 18:33:42 -05:00 by yindo · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/Mintplex-Labs/anything-llm/pull/576
Author: @timothycarambat
Created: 1/11/2024
Status: Merged
Merged: 1/11/2024
Merged by: @timothycarambat

Base: masterHead: security/manager-perm-env-check


📝 Commits (2)

  • 2dfdac5 prevent manager in multi-user from updatingENV via HTTP
  • fdffa5d remove unneeded args

📊 Changes

2 files changed (+8 additions, -0 deletions)

View changed files

📝 server/endpoints/system.js (+6 -0)
📝 server/utils/http/index.js (+2 -0)

📄 Description

Pull Request Type

  • feat
  • 🐛 fix
  • ♻️ refactor
  • 💄 style
  • 🔨 chore
  • 📝 docs

What is in this change?

Managers could in theory send and HTTP request to update the LLM,Embedder, etc with their token and still update the envs. This was originally just a UI hide until we decided manager role should be fully scoped to stop this. Now it is just enforced in the backend as well.

Developer Validations

  • I ran yarn lint from the root of the repo & committed changes
  • Relevant documentation has been updated
  • I have tested my code functionality
  • Docker build succeeds locally

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/Mintplex-Labs/anything-llm/pull/576 **Author:** [@timothycarambat](https://github.com/timothycarambat) **Created:** 1/11/2024 **Status:** ✅ Merged **Merged:** 1/11/2024 **Merged by:** [@timothycarambat](https://github.com/timothycarambat) **Base:** `master` ← **Head:** `security/manager-perm-env-check` --- ### 📝 Commits (2) - [`2dfdac5`](https://github.com/Mintplex-Labs/anything-llm/commit/2dfdac5a3eed93cd0151c6931a631c80e99fb1c5) prevent manager in multi-user from updatingENV via HTTP - [`fdffa5d`](https://github.com/Mintplex-Labs/anything-llm/commit/fdffa5d28f89dbf260c1758cac2c5aa0e47a8f4d) remove unneeded args ### 📊 Changes **2 files changed** (+8 additions, -0 deletions) <details> <summary>View changed files</summary> 📝 `server/endpoints/system.js` (+6 -0) 📝 `server/utils/http/index.js` (+2 -0) </details> ### 📄 Description ### Pull Request Type <!-- For change type, change [ ] to [x]. --> - [ ] ✨ feat - [x] 🐛 fix - [ ] ♻️ refactor - [ ] 💄 style - [ ] 🔨 chore - [ ] 📝 docs ### What is in this change? Managers _could_ in theory send and HTTP request to update the LLM,Embedder, etc with their token and still update the envs. This was originally just a UI hide until we decided manager role should be fully scoped to stop this. Now it is just enforced in the backend as well. ### Developer Validations <!-- All of the applicable items should be checked. --> - [x] I ran `yarn lint` from the root of the repo & committed changes - [x] Relevant documentation has been updated - [x] I have tested my code functionality - [x] Docker build succeeds locally --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
yindo added the pull-request label 2026-02-22 18:33:42 -05:00
yindo closed this issue 2026-02-22 18:33:42 -05:00
yindo changed title from [PR #576] prevent manager in multi-user from updatingENV via HTTP to [PR #576] [MERGED] prevent manager in multi-user from updatingENV via HTTP 2026-06-05 15:13:14 -04:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: Mintplex-Labs/anything-llm#3403