Resolve knowledge-base access for a user, gated by read or write permission. Read (`requireWrite: false`) is granted for any workspace permission; write (`requireWrite: true`) requires `write`/`admin`. Legacy non-workspace KBs grant access to the owning user in both modes.
( knowledgeBaseId: string, userId: string, requireWrite: boolean )
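/**
 * Resolve knowledge-base access for a user, gated by read or write permission.
 *
 * Read (`requireWrite: false`) grants on any workspace permission; write
 * (`requireWrite: true`) requires `write`/`admin`. Legacy non-workspace KBs grant
 * to the owning user in both modes.
 *
 * Rows with a non-null `deletedAt` are excluded by the query, so a soft-deleted
 * knowledge base is reported the same way as an unknown id.
 *
 * @param knowledgeBaseId - Id of the knowledge base to look up.
 * @param userId - Id of the user whose access is being checked.
 * @param requireWrite - `true` to require `write`/`admin`; `false` to accept any
 *   workspace permission.
 * @returns `{ hasAccess: true, knowledgeBase }` when permitted,
 *   `{ hasAccess: false, notFound: true }` when no live row matches, and
 *   `{ hasAccess: false }` when the row exists but access is denied.
 */
async function resolveKnowledgeBaseAccess(
  knowledgeBaseId: string,
  userId: string,
  requireWrite: boolean
): Promise<KnowledgeBaseAccessCheck> {
  const rows = await db
    .select({
      id: knowledgeBase.id,
      userId: knowledgeBase.userId,
      workspaceId: knowledgeBase.workspaceId,
      name: knowledgeBase.name,
      embeddingModel: knowledgeBase.embeddingModel,
    })
    .from(knowledgeBase)
    .where(and(eq(knowledgeBase.id, knowledgeBaseId), isNull(knowledgeBase.deletedAt)))
    .limit(1)

  if (rows.length === 0) {
    // NOTE(review): `notFound` is returned before any permission check, so it is
    // distinguishable from a plain denial. Confirm callers do not surface that
    // difference to users who have no access, or ids become enumerable.
    return { hasAccess: false, notFound: true }
  }

  const kbData = rows[0]

  if (kbData.workspaceId) {
    // Workspace KB: workspace permissions are the only source of access; the
    // `userId` stored on the row is deliberately not consulted on this path.
    const userPermission = await getUserEntityPermissions(userId, 'workspace', kbData.workspaceId)

    let permitted: boolean
    if (requireWrite) {
      permitted = userPermission === 'write' || userPermission === 'admin'
    } else {
      // `!= null` rejects both `null` and `undefined`, so a lookup that yields no
      // value fails closed instead of being treated as "some permission".
      permitted = userPermission != null
    }

    return permitted ? { hasAccess: true, knowledgeBase: kbData } : { hasAccess: false }
  }

  // Legacy non-workspace KB: only the owning user is allowed, for read and write alike.
  return kbData.userId === userId
    ? { hasAccess: true, knowledgeBase: kbData }
    : { hasAccess: false }
}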
| 201 | |
| 202 | /** |
| 203 | * Check if a user has read access to a knowledge base. |
no test coverage detected