feat: add permission checks for public sharing

2026-05-05 23:42:21 +00:00 · 2026-02-02 14:18:17 +02:00 · 2026-02-02 14:18:17 +02:00 · f18ba8e045
commit f18ba8e045
parent 17c7b34e44
1 changed files with 16 additions and 10 deletions
--- a/surfsense_backend/app/services/public_chat_service.py
+++ b/surfsense_backend/app/services/public_chat_service.py
@ -25,12 +25,14 @@ from app.db import (
    ChatVisibility,
    NewChatMessage,
    NewChatThread,
+    Permission,
    Podcast,
    PodcastStatus,
    PublicChatSnapshot,
    SearchSpaceMembership,
    User,
 )
+from app.utils.rbac import check_permission

 UI_TOOLS = {
    "display_image",
@ -177,11 +179,13 @@ async def create_snapshot(
    if not thread:
        raise HTTPException(status_code=404, detail="Thread not found")

-    if thread.created_by_id != user.id:
-        raise HTTPException(
-            status_code=403,
-            detail="Only the creator of this chat can create public snapshots",
-        )
+    await check_permission(
+        session,
+        user,
+        thread.search_space_id,
+        Permission.PUBLIC_SHARING_CREATE.value,
+        "You don't have permission to create public share links",
+    )

    # Build snapshot data
    user_cache: dict[UUID, dict] = {}
@ -412,11 +416,13 @@ async def delete_snapshot(
    if not snapshot:
        raise HTTPException(status_code=404, detail="Snapshot not found")

-    if snapshot.thread.created_by_id != user.id:
-        raise HTTPException(
-            status_code=403,
-            detail="Only the creator can delete snapshots",
-        )
+    await check_permission(
+        session,
+        user,
+        snapshot.thread.search_space_id,
+        Permission.PUBLIC_SHARING_DELETE.value,
+        "You don't have permission to delete public share links",
+    )

    await session.delete(snapshot)
    await session.commit()