feat: add ACLs for client & backend

References #36

Author: theboxer

_build/gpm.yaml

@@ -7,6 +7,7 @@ menus:
   - action: home
     text: modai.admin.menu.home
     description: modai.admin.menu.home_desc
+    permission: modai_admin
 
 plugins:
   - name: modAI
@@ -180,6 +181,7 @@ systemSettings:
 build:
   scriptsBefore:
     - custom_events.gpm.php
+    - acls.gpm.php
   scriptsAfter:
     - lit.gpm.php
     - seed.gpm.php

_build/js/src/index.ts

@@ -3,9 +3,12 @@ import { executor } from './executor';
 import { globalState } from './globalState';
 import { history } from './history';
 import { lng } from './lng';
+import { checkPermissions } from './permissions';
 import { initOnResource } from './resource';
 import { ui } from './ui';
 
+import type { Permissions } from './permissions';
+
 export type AvailableAgent = {
   id: string;
   name: string;
@@ -19,6 +22,7 @@ export type Config = {
   cssURL: string;
   translateFn?: (key: string, params?: Record<string, string>) => string;
   availableAgents: Record<string, AvailableAgent>;
+  permissions: Record<Permissions, 1 | 0>;
 };
 
 export const init = (config: Config) => {
@@ -31,5 +35,6 @@ export const init = (config: Config) => {
     ui,
     lng,
     initOnResource,
+    checkPermissions,
   };
 };

_build/js/src/permissions.ts

@@ -0,0 +1,14 @@
+import { globalState } from './globalState';
+
+export type Permissions =
+  | 'modai_client'
+  | 'modai_client_chat_text'
+  | 'modai_client_chat_image'
+  | 'modai_client_text'
+  | 'modai_client_vision';
+
+export const checkPermissions = (permissions: Permissions[]) => {
+  return permissions.every((permission) => {
+    return globalState.config.permissions[permission];
+  });
+};

_build/js/src/resource.ts

@@ -39,7 +39,9 @@ const attachImagePlus = (imgPlusPanel: Element, fieldName: string) => {
     },
   });
 
-  altTextWand.style.marginTop = '6px';
+  if (altTextWand) {
+    altTextWand.style.marginTop = '6px';
+  }
 
   imagePlus.altTextField.el.dom.style.display = 'flex';
   imagePlus.altTextField.el.dom.style.justifyItems = 'center';

_build/js/src/ui/generateButton/index.ts

@@ -1,6 +1,7 @@
 import { executor } from '../../executor';
 import { history } from '../../history';
 import { lng } from '../../lng';
+import { checkPermissions } from '../../permissions';
 import { confirmDialog } from '../cofirmDialog';
 import { button } from '../dom/button';
 import { icon } from '../dom/icon';
@@ -114,8 +115,12 @@ type Target = {
 };
 
 const createLocalChat = (config: LocalChatConfig & Target) => {
+  if (!ui.localChat.verifyPermissions(config)) {
+    return;
+  }
+
   const { shadow } = createWandEl(() => {
-    ui.localChat(config);
+    ui.localChat.createModal(config);
   });
 
   config.targetEl.appendChild(shadow);
@@ -138,6 +143,10 @@ const createForcedTextPrompt = ({
   field,
   ...rest
 }: ForcedTextConfig) => {
+  if (!checkPermissions(['modai_client', 'modai_client_text'])) {
+    return;
+  }
+
   const { shadow, generate } = createWandEl<HistoryElement>(async () => {
     const done = createLoadingOverlay(input);
 
@@ -232,6 +241,10 @@ type VisionConfig = {
 };
 
 const createVisionPrompt = (config: VisionConfig & Target) => {
+  if (!checkPermissions(['modai_client', 'modai_client_vision'])) {
+    return;
+  }
+
   const { shadow } = createWandEl(async () => {
     const canvas = document.createElement('canvas');
     const ctx = canvas.getContext('2d');

_build/js/src/ui/index.ts

@@ -1,9 +1,22 @@
 import { createGenerateButton } from './generateButton';
-import { createModal } from './localChat';
+import { createModal, verifyPermissions } from './localChat';
+import { LocalChatConfig } from './localChat/types';
 import { createLoadingOverlay } from './overlay';
 
+type LocalChat = {
+  /**
+   * @deprecated use the ui.localChat.createModal instead
+   */
+  (config: LocalChatConfig): ReturnType<typeof createModal>;
+  createModal: typeof createModal;
+  verifyPermissions: typeof verifyPermissions;
+};
+
 export const ui = {
   createLoadingOverlay,
-  localChat: createModal,
+  localChat: Object.assign({}, createModal, {
+    createModal: createModal,
+    verifyPermissions,
+  }) as LocalChat,
   generateButton: createGenerateButton,
 };

_build/js/src/ui/localChat/index.ts

@@ -2,6 +2,7 @@ import { closeModal, sendMessage } from './modalActions';
 import { buildModal } from './modalBuilder';
 import { globalState } from '../../globalState';
 import { lng } from '../../lng';
+import { checkPermissions } from '../../permissions';
 
 import type { LocalChatConfig } from './types';
 
@@ -33,17 +34,13 @@ export const createModal = (config: LocalChatConfig) => {
   }
 
   if (!config.type) {
-    config.type = 'text';
-  }
-
-  if (!config.availableTypes) {
-    config.availableTypes = [config.type];
+    alert(lng('modai.error.type_required'));
+    return;
   }
 
-  config.availableTypes = config.availableTypes.filter((type) => modalTypes.includes(type));
-
-  if (config.availableTypes.length > 0 && !config.availableTypes.includes(config.type)) {
-    config.availableTypes.unshift(config.type);
+  const hasPermissions = verifyPermissions(config);
+  if (!hasPermissions) {
+    return;
   }
 
   const modal = buildModal(config);
@@ -65,3 +62,36 @@ export const createModal = (config: LocalChatConfig) => {
 
   return modal;
 };
+
+export const verifyPermissions = (config: LocalChatConfig) => {
+  if (!checkPermissions(['modai_client'])) {
+    return false;
+  }
+
+  if (
+    !checkPermissions(['modai_client_chat_image']) &&
+    !checkPermissions(['modai_client_chat_text'])
+  ) {
+    return false;
+  }
+
+  if (!config.availableTypes) {
+    config.availableTypes = [config.type];
+  }
+
+  config.availableTypes = config.availableTypes
+    .filter((type) => modalTypes.includes(type))
+    .filter((type) =>
+      checkPermissions([type === 'text' ? 'modai_client_chat_text' : 'modai_client_chat_image']),
+    );
+
+  if (config.availableTypes.length > 0 && !config.availableTypes.includes(config.type)) {
+    config.type = config.availableTypes[0];
+  }
+
+  if (config.availableTypes.length === 0 || !config.availableTypes.includes(config.type)) {
+    return false;
+  }
+
+  return true;
+};

_build/js/src/ui/localChat/types.ts

@@ -43,7 +43,7 @@ export type Modal = HTMLDivElement & {
 
 export type LocalChatConfig = {
   key: string;
-  type?: ModalType;
+  type: ModalType;
   availableTypes?: ModalType[];
   namespace?: string;
   /**

_build/scripts/acls.gpm.php

@@ -0,0 +1,134 @@
+<?php
+
+use MODX\Revolution\modAccessContext;
+use MODX\Revolution\modAccessPermission;
+use MODX\Revolution\modAccessPolicy;
+use MODX\Revolution\modAccessPolicyTemplate;
+use MODX\Revolution\modAccessPolicyTemplateGroup;
+use MODX\Revolution\modContext;
+use MODX\Revolution\modUserGroup;
+
+return new class() {
+    /**
+     * @var \MODX\Revolution\modX
+     */
+    private $modx;
+
+    /**
+     * @var int
+     */
+    private $action;
+
+    /**
+    * @param \MODX\Revolution\modX $modx
+    * @param int $action
+    * @return bool
+    */
+    public function __invoke(&$modx, $action)
+    {
+        $this->modx =& $modx;
+        $this->action = $action;
+
+        if ($this->action === \xPDO\Transport\xPDOTransport::ACTION_UNINSTALL) {
+            return true;
+        }
+
+        $group = $modx->getObject(modAccessPolicyTemplateGroup::class, ['name' => 'Administrator']);
+        if (!$group) {
+            return;
+        }
+
+        /** @var modAccessPolicyTemplate $template */
+        $template = $modx->getObject(modAccessPolicyTemplate::class, ['name' => 'modAI', 'template_group' => $group->get('id')]);
+        if (!$template) {
+            $template = $modx->newObject(modAccessPolicyTemplate::class);
+            $template->set('name', 'modAI');
+            $template->set('template_group', $group->get('id'));
+            $template->set('description', 'A policy template to for modAI');
+            $template->set('lexicon', 'modai:permissions');
+            $template->save();
+        }
+
+        $permissions = [
+            'modai_admin',
+            'modai_admin_tools',
+            'modai_admin_tool_save',
+            'modai_admin_tool_delete',
+            'modai_admin_context_providers',
+            'modai_admin_context_provider_save',
+            'modai_admin_context_provider_delete',
+            'modai_admin_agents',
+            'modai_admin_agent_save',
+            'modai_admin_agent_delete',
+            'modai_admin_agent_tool_save',
+            'modai_admin_agent_tool_delete',
+            'modai_admin_agent_context_provider_save',
+            'modai_admin_agent_context_provider_delete',
+            'modai_admin_related_agent_save',
+            'modai_admin_related_agent_delete',
+
+            'modai_client',
+            'modai_client_text',
+            'modai_client_vision',
+            'modai_client_chat_text',
+            'modai_client_chat_image',
+        ];
+
+        foreach ($permissions as $permission) {
+            /** @var modAccessPermission $obj */
+            $obj = $modx->getObject(modAccessPermission::class, [
+                'template' => $template->get('id'),
+                'name' => $permission
+            ]);
+
+            if (!$obj) {
+                $obj = $modx->newObject(modAccessPermission::class);
+                $obj->set('template', $template->get('id'));
+                $obj->set('name', $permission);
+            }
+
+            $obj->set('description', "modai.permissions.$permission");
+            $obj->save();
+        }
+
+        /** @var modAccessPolicy $adminPolicy */
+        $adminPolicy = $modx->getObject(modAccessPolicy::class, ['name' => 'modAI Admin']);
+        if (!$adminPolicy) {
+            $adminPolicy = $modx->newObject(modAccessPolicy::class);
+            $adminPolicy->set('name', 'modAI Admin');
+            $adminPolicy->set('description', 'Administrator policy for modAI.');
+            $adminPolicy->set('template', $template->get('id'));
+            $adminPolicy->set('lexicon', $template->get('lexicon'));
+        }
+
+        $data = [];
+
+        foreach ($permissions as $permission) {
+            $data[$permission] = true;
+        }
+
+        $adminPolicy->set('data', $data);
+        $adminPolicy->save();
+
+        /** @var modUserGroup $adminUserGroup */
+        $adminUserGroup = $modx->getObject(modUserGroup::class, ['id' => 1]);
+        if ($adminUserGroup) {
+            /** @var modContext[] $contexts */
+            $contexts = $modx->getIterator(modContext::class);
+            foreach ($contexts as $context) {
+                $contextAccess = $modx->getObject(modAccessContext::Class, ['target' => $context->get('key'), 'principal_class' => modUserGroup::class, 'principal' => 1, 'policy' => $adminPolicy->get('id')]);
+                if (!$contextAccess) {
+                    $contextAccess = $modx->newObject(modAccessContext::class);
+                    $contextAccess->set('target', $context->get('key'));
+                    $contextAccess->set('principal_class', modUserGroup::class);
+                    $contextAccess->set('principal', 1);
+                    $contextAccess->set('policy', $adminPolicy->get('id'));
+                    $contextAccess->set('authority', 0);
+                    $contextAccess->save();
+                }
+            }
+        }
+
+        return true;
+    }
+};