Align Manager API access with frontend access

GHSA-wfq3-65gm-3g2p
2026-04-25 17:15:37 +02:00 · 2026-03-13 09:46:37 -07:00
parent e7ebeb47fc
commit 732eac6fa8
2 changed files with 42 additions and 1 deletions
--- a/frontend/src/components/SettingsSidebar/index.jsx
+++ b/frontend/src/components/SettingsSidebar/index.jsx
@@ -316,6 +316,7 @@ const SidebarOptions = ({ user = null, t }) => (
              className="h-5 w-5 flex-shrink-0 light:invert"
            />
          }
+          user={user}
          childOptions={[
            {
              btnText: t("settings.community-hub.trending"),
--- a/server/endpoints/admin.js
+++ b/server/endpoints/admin.js
@@ -324,6 +324,7 @@ function adminEndpoints(app) {
    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
    async (request, response) => {
      try {
+        const user = await userFromSession(request, response);
        const requestedSettings = {};
        const labels = request.query.labels?.split(",") || [];
        const needEmbedder = [
@@ -339,10 +340,27 @@ function adminEndpoints(app) {
          "meta_page_favicon",
        ];

+        // Managers can only read a limited set of settings.
+        // These match the ManagerRoute pages in the frontend.
+        const managerAllowedFields = [
+          "custom_app_name",
+          "footer_data",
+          "support_email",
+          "meta_page_title",
+          "meta_page_favicon",
+        ];
+
        for (const label of labels) {
          // Skip any settings that are not explicitly defined as public
          if (!SystemSettings.publicFields.includes(label)) continue;

+          // Managers can only read manager-allowed fields
+          if (
+            user?.role === ROLES.manager &&
+            !managerAllowedFields.includes(label)
+          )
+            continue;
+
          // Only get the embedder if the setting actually needs it
          let embedder = needEmbedder.includes(label)
            ? getEmbeddingEngineSelection()
@@ -419,7 +437,29 @@ function adminEndpoints(app) {
    [validatedRequest, flexUserRoleValid([ROLES.admin, ROLES.manager])],
    async (request, response) => {
      try {
-        const updates = reqBody(request);
+        const user = await userFromSession(request, response);
+        let updates = reqBody(request);
+
+        // Managers can only update a limited set of settings.
+        // These match the ManagerRoute pages in the frontend.
+        // Admin users can update all supportedFields without restriction.
+        if (user?.role === ROLES.manager) {
+          const managerAllowedFields = [
+            "custom_app_name",
+            "footer_data",
+            "support_email",
+            "meta_page_title",
+            "meta_page_favicon",
+          ];
+          const filteredUpdates = {};
+          for (const key of Object.keys(updates)) {
+            if (managerAllowedFields.includes(key)) {
+              filteredUpdates[key] = updates[key];
+            }
+          }
+          updates = filteredUpdates;
+        }
+
        await SystemSettings.updateSettings(updates);
        response.status(200).json({ success: true, error: null });
      } catch (e) {