Implement Permissions for Conversations #1545
Conversation
![ellipsis-dev[bot]](https://avatars.githubusercontent.com/in/64358?s=60&v=4){kind=small}
There was a problem hiding this comment.
❌ Changes requested. Reviewed everything up to 49c87ee in 1 minute and 54 seconds
More details
- Looked at
357lines of code in4files - Skipped
0files when reviewing. - Skipped posting
2drafted comments based on config settings.
1. py/core/providers/logger/r2r_logger.py:267
- Draft comment:
Ensure thatuser_idsare consistently treated asTEXTin the database queries to avoid type mismatches. - Reason this comment was not posted:
Comment did not seem useful.
2. py/core/main/services/management_service.py:677
-
Draft comment:
This function is a duplicate of an existing function inr2r_logger.py. Consider using the existing function directly instead of creating a new wrapper. -
Reason this comment was not posted:
Decided after close inspection that this draft comment was likely wrong and/or not actionable:
The comment claims duplication, but I cannot verify this without seeing the other file. The function is newly added in this diff, so the comment is about a change. However, without strong evidence of duplication, the comment may not be useful. The comment could be speculative if the duplication is not confirmed.
I might be missing the context from the other file, which could confirm the duplication. Without seeing the other file, I cannot be certain if the comment is correct.
Given the rules, I should only keep comments with strong evidence of correctness. Without access to the other file, I cannot confirm the duplication claim.
Delete the comment due to lack of strong evidence confirming the duplication claim.
Workflow ID: wflow_Qk6GyBj4HIt4dAUY
Want Ellipsis to fix these issues? Tag @ellipsis-dev in a comment. You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.
| @@ -832,6 +868,8 @@ | |||
| message: str = Body(..., description="New content"), | |||
| auth_user=Depends(self.service.providers.auth.auth_wrapper), | |||
| ) -> dict: | |||
| # TODO: Add a check to see if the user has access to the message | |||
There was a problem hiding this comment.
Add a check to verify if the user has access to edit the message. This is crucial for maintaining security and preventing unauthorized edits.
| # TODO: Add a check to see if the user has access to the message | |
| if not await self.service.verify_message_access(message_id, auth_user.id): raise R2RException("You do not have access to edit this message.", 403) |
|
The latest updates on your projects. Learn more about Vercel for Git ↗︎
1 Skipped Deployment
|
There was a problem hiding this comment.
👍 Looks good to me! Incremental review on 5874be4 in 15 seconds
More details
- Looked at
13lines of code in1files - Skipped
0files when reviewing. - Skipped posting
1drafted comments based on config settings.
1. py/core/main/api/management_router.py:788
- Draft comment:
The change fromuser_ids = auth_user.idtouser_ids = [auth_user.id]is correct. Theconversations_overviewfunction expects a list of user IDs, not a single ID. - Reason this comment was not posted:
Confidence changes required:0%
The change fromuser_ids = auth_user.idtouser_ids = [auth_user.id]is correct because theconversations_overviewfunction expects a list of user IDs, not a single ID.
Workflow ID: wflow_g3SdFT6RUDxcWplL
You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.
Important
Implement permission checks for conversation operations, restricting non-superusers from accessing or modifying conversations they do not own, and update database schema to include user ownership.
management_router.pyfor conversation-related endpoints, restricting non-superusers from accessing or modifying conversations they do not own.conversationstable inr2r_logger.pyto includeuser_idandnamecolumns.verify_conversation_access()inr2r_logger.pyto check user access to conversations.verify_conversation_access()inmanagement_service.pyto delegate access checks to the logging provider.create_conversation(),get_conversation(),add_message(), andedit_message()inmanagement_service.pyto include user ID in operations.This description was created by
for 5874be4. It will automatically update as commits are pushed.