feat: add permissions check to tools

theboxer · theboxer · commit 74d2337daea7 · 2025-04-14T10:53:35.000+02:00
diff --git a/core/components/modai/src/Model/Tool.php b/core/components/modai/src/Model/Tool.php
@@ -55,6 +55,20 @@ public static function getAvailableTools(modX $modx, ?int $agentId = null): arra
         $tools = $modx->getIterator(self::class, $c);
 
         foreach ($tools as $tool) {
+            $className = $tool->get('class');
+            if (!class_exists($className)) {
+                continue;
+            }
+
+            if (!is_subclass_of($className, ToolInterface::class, true)) {
+                continue;
+            }
+
+            $hasPermissions = $className::checkPermissions($modx);
+            if (!$hasPermissions) {
+                continue;
+            }
+
             $output[$tool->get('name')] = $tool;
         }
 
diff --git a/core/components/modai/src/Tools/CreateCategory.php b/core/components/modai/src/Tools/CreateCategory.php
@@ -70,8 +70,12 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         if (empty($parameters)) {
-            throw new \Exception('Parameters are required.');
+            return json_encode(['success' => false, 'message' => 'Parameters are required.']);
         }
 
         $output = [];
@@ -106,4 +110,9 @@ public function runTool($parameters): string
 
         return json_encode($output);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return $modx->hasPermission('save_category');
+    }
 }
diff --git a/core/components/modai/src/Tools/CreateChunk.php b/core/components/modai/src/Tools/CreateChunk.php
@@ -71,8 +71,12 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         if (empty($parameters)) {
-            throw new \Exception('Parameters are required.');
+            return json_encode(['success' => false, 'message' => 'Parameters are required.']);
         }
 
         $output = [];
@@ -94,4 +98,9 @@ public function runTool($parameters): string
 
         return json_encode($output);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return $modx->hasPermission('save_chunk');
+    }
 }
diff --git a/core/components/modai/src/Tools/CreateResource.php b/core/components/modai/src/Tools/CreateResource.php
@@ -71,8 +71,12 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         if (empty($parameters)) {
-            throw new \Exception('Parameters are required.');
+            return json_encode(['success' => false, 'message' => 'Parameters are required.']);
         }
 
         $output = [];
@@ -119,4 +123,9 @@ public function runTool($parameters): string
 
         return json_encode($output);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return $modx->hasPermission('save_document');
+    }
 }
diff --git a/core/components/modai/src/Tools/CreateTemplate.php b/core/components/modai/src/Tools/CreateTemplate.php
@@ -71,8 +71,12 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         if (empty($parameters)) {
-            throw new \Exception('Parameters are required.');
+            return json_encode(['success' => false, 'message' => 'Parameters are required.']);
         }
 
         $output = [];
@@ -94,4 +98,9 @@ public function runTool($parameters): string
 
         return json_encode($output);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return $modx->hasPermission('save_template');
+    }
 }
diff --git a/core/components/modai/src/Tools/DeleteChunks.php b/core/components/modai/src/Tools/DeleteChunks.php
@@ -52,12 +52,21 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         if (empty($parameters) || empty($parameters['ids'])) {
-            throw new \Exception("Missing parameters");
+            return json_encode(['success' => false, 'message' => 'Parameters are required.']);
         }
 
         $this->modx->removeCollection(modChunk::class, ['id:IN' => $parameters['ids']]);
 
         return json_encode(["success" => true]);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return $modx->hasPermission('delete_chunks');
+    }
 }
diff --git a/core/components/modai/src/Tools/GetCategories.php b/core/components/modai/src/Tools/GetCategories.php
@@ -40,6 +40,10 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         /** @var modCategory[] $chunks */
         $categories = $this->modx->getIterator(modCategory::class);
         foreach ($categories as $category) {
@@ -53,4 +57,9 @@ public function runTool($parameters): string
 
         return json_encode($output);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return true;
+    }
 }
diff --git a/core/components/modai/src/Tools/GetChunks.php b/core/components/modai/src/Tools/GetChunks.php
@@ -72,6 +72,10 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         $where = [];
 
         if (is_array($parameters)) {
@@ -127,4 +131,9 @@ public function runTool($parameters): string
 
         return json_encode($output);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return true;
+    }
 }
diff --git a/core/components/modai/src/Tools/GetResourceDetail.php b/core/components/modai/src/Tools/GetResourceDetail.php
@@ -54,6 +54,10 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         if (empty($parameters)) {
             return json_encode(['success' => false, 'message' => 'Parameters are required.']);
         }
@@ -87,4 +91,9 @@ public function runTool($parameters): string
 
         return json_encode($output);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return true;
+    }
 }
diff --git a/core/components/modai/src/Tools/GetResources.php b/core/components/modai/src/Tools/GetResources.php
@@ -58,6 +58,10 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         $where = [];
 
         if (is_array($parameters)) {
@@ -100,4 +104,9 @@ public function runTool($parameters): string
 
         return json_encode($output);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return true;
+    }
 }
diff --git a/core/components/modai/src/Tools/GetTemplates.php b/core/components/modai/src/Tools/GetTemplates.php
@@ -72,6 +72,10 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         $where = [];
 
         if (is_array($parameters)) {
@@ -127,4 +131,9 @@ public function runTool($parameters): string
 
         return json_encode($output);
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return true;
+    }
 }
diff --git a/core/components/modai/src/Tools/GetWeather.php b/core/components/modai/src/Tools/GetWeather.php
@@ -6,6 +6,8 @@
 
 class GetWeather implements ToolInterface
 {
+    private $modx;
+
     public static function getSuggestedName(): string
     {
         return 'get_weather';
@@ -39,6 +41,7 @@ public static function getConfig(): array
 
     public function __construct(modX $modx, array $config)
     {
+        $this->modx = $modx;
     }
 
     /**
@@ -47,6 +50,10 @@ public function __construct(modX $modx, array $config)
      */
     public function runTool($parameters): string
     {
+        if (!self::checkPermissions($this->modx)) {
+            return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);
+        }
+
         try {
             $res = file_get_contents(
                 "https://api.open-meteo.com/v1/forecast?latitude={$parameters['latitude']}&longitude={$parameters['longitude']}&current=temperature_2m,relative_humidity_2m,apparent_temperature,is_day,precipitation,rain,showers,snowfall,cloud_cover,pressure_msl,surface_pressure,wind_speed_10m,wind_direction_10m,wind_gusts_10m&timezone=auto&forecast_days=1"
@@ -63,7 +70,12 @@ public function runTool($parameters): string
 
             return json_encode($output, JSON_THROW_ON_ERROR);
         } catch (\Throwable $e) {
-            return "Received an error looking up the weather: {$e->getMessage()}";
+            return json_encode(['success' => false, "message" => "Received an error looking up the weather: {$e->getMessage()}"]);
         }
     }
+
+    public static function checkPermissions(modX $modx): bool
+    {
+        return true;
+    }
 }
diff --git a/core/components/modai/src/Tools/ToolInterface.php b/core/components/modai/src/Tools/ToolInterface.php
@@ -35,7 +35,13 @@ public static function getSuggestedName(): string;
      */
     public static function getDescription(): string;
 
-    public static function checkPermissions(): bool;
+    /**
+     * Checks if user has permissions to run this tool.
+     *
+     * @param modX $modx
+     * @return bool
+     */
+    public static function checkPermissions(modX $modx): bool;
 
     /**
      * Set the parameters that the LLM should or must provide when calling your function. Has to return valid JSON-schema.

Original file line number	Diff line number	Diff line change
`@@ -70,8 +70,12 @@ public function __construct(modX $modx, array $config)`
`70`	`70`	`*/`
`71`	`71`	`public function runTool($parameters): string`
`72`	`72`	`{`
	`73`	`+ if (!self::checkPermissions($this->modx)) {`
	`74`	`+ return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);`
	`75`	`+ }`
	`76`	`+`
`73`	`77`	`if (empty($parameters)) {`
`74`		`- throw new \Exception('Parameters are required.');`
	`78`	`+ return json_encode(['success' => false, 'message' => 'Parameters are required.']);`
`75`	`79`	`}`
`76`	`80`
`77`	`81`	`$output = [];`
`@@ -106,4 +110,9 @@ public function runTool($parameters): string`
`106`	`110`
`107`	`111`	`return json_encode($output);`
`108`	`112`	`}`
	`113`	`+`
	`114`	`+ public static function checkPermissions(modX $modx): bool`
	`115`	`+ {`
	`116`	`+ return $modx->hasPermission('save_category');`
	`117`	`+ }`
`109`	`118`	`}`
Original file line number	Diff line number	Diff line change
`@@ -71,8 +71,12 @@ public function __construct(modX $modx, array $config)`
`71`	`71`	`*/`
`72`	`72`	`public function runTool($parameters): string`
`73`	`73`	`{`
	`74`	`+ if (!self::checkPermissions($this->modx)) {`
	`75`	`+ return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);`
	`76`	`+ }`
	`77`	`+`
`74`	`78`	`if (empty($parameters)) {`
`75`		`- throw new \Exception('Parameters are required.');`
	`79`	`+ return json_encode(['success' => false, 'message' => 'Parameters are required.']);`
`76`	`80`	`}`
`77`	`81`
`78`	`82`	`$output = [];`
`@@ -94,4 +98,9 @@ public function runTool($parameters): string`
`94`	`98`
`95`	`99`	`return json_encode($output);`
`96`	`100`	`}`
	`101`	`+`
	`102`	`+ public static function checkPermissions(modX $modx): bool`
	`103`	`+ {`
	`104`	`+ return $modx->hasPermission('save_chunk');`
	`105`	`+ }`
`97`	`106`	`}`
Original file line number	Diff line number	Diff line change
`@@ -52,12 +52,21 @@ public function __construct(modX $modx, array $config)`
`52`	`52`	`*/`
`53`	`53`	`public function runTool($parameters): string`
`54`	`54`	`{`
	`55`	`+ if (!self::checkPermissions($this->modx)) {`
	`56`	`+ return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);`
	`57`	`+ }`
	`58`	`+`
`55`	`59`	`if (empty($parameters) \|\| empty($parameters['ids'])) {`
`56`		`- throw new \Exception("Missing parameters");`
	`60`	`+ return json_encode(['success' => false, 'message' => 'Parameters are required.']);`
`57`	`61`	`}`
`58`	`62`
`59`	`63`	`$this->modx->removeCollection(modChunk::class, ['id:IN' => $parameters['ids']]);`
`60`	`64`
`61`	`65`	`return json_encode(["success" => true]);`
`62`	`66`	`}`
	`67`	`+`
	`68`	`+ public static function checkPermissions(modX $modx): bool`
	`69`	`+ {`
	`70`	`+ return $modx->hasPermission('delete_chunks');`
	`71`	`+ }`
`63`	`72`	`}`
Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,10 @@ public function __construct(modX $modx, array $config)`
`40`	`40`	`*/`
`41`	`41`	`public function runTool($parameters): string`
`42`	`42`	`{`
	`43`	`+ if (!self::checkPermissions($this->modx)) {`
	`44`	`+ return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);`
	`45`	`+ }`
	`46`	`+`
`43`	`47`	`/** @var modCategory[] $chunks */`
`44`	`48`	`$categories = $this->modx->getIterator(modCategory::class);`
`45`	`49`	`foreach ($categories as $category) {`
`@@ -53,4 +57,9 @@ public function runTool($parameters): string`
`53`	`57`
`54`	`58`	`return json_encode($output);`
`55`	`59`	`}`
	`60`	`+`
	`61`	`+ public static function checkPermissions(modX $modx): bool`
	`62`	`+ {`
	`63`	`+ return true;`
	`64`	`+ }`
`56`	`65`	`}`
Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,10 @@ public function __construct(modX $modx, array $config)`
`72`	`72`	`*/`
`73`	`73`	`public function runTool($parameters): string`
`74`	`74`	`{`
	`75`	`+ if (!self::checkPermissions($this->modx)) {`
	`76`	`+ return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);`
	`77`	`+ }`
	`78`	`+`
`75`	`79`	`$where = [];`
`76`	`80`
`77`	`81`	`if (is_array($parameters)) {`
`@@ -127,4 +131,9 @@ public function runTool($parameters): string`
`127`	`131`
`128`	`132`	`return json_encode($output);`
`129`	`133`	`}`
	`134`	`+`
	`135`	`+ public static function checkPermissions(modX $modx): bool`
	`136`	`+ {`
	`137`	`+ return true;`
	`138`	`+ }`
`130`	`139`	`}`
Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,10 @@ public function __construct(modX $modx, array $config)`
`54`	`54`	`*/`
`55`	`55`	`public function runTool($parameters): string`
`56`	`56`	`{`
	`57`	`+ if (!self::checkPermissions($this->modx)) {`
	`58`	`+ return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);`
	`59`	`+ }`
	`60`	`+`
`57`	`61`	`if (empty($parameters)) {`
`58`	`62`	`return json_encode(['success' => false, 'message' => 'Parameters are required.']);`
`59`	`63`	`}`
`@@ -87,4 +91,9 @@ public function runTool($parameters): string`
`87`	`91`
`88`	`92`	`return json_encode($output);`
`89`	`93`	`}`
	`94`	`+`
	`95`	`+ public static function checkPermissions(modX $modx): bool`
	`96`	`+ {`
	`97`	`+ return true;`
	`98`	`+ }`
`90`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,10 @@ public function __construct(modX $modx, array $config)`
`58`	`58`	`*/`
`59`	`59`	`public function runTool($parameters): string`
`60`	`60`	`{`
	`61`	`+ if (!self::checkPermissions($this->modx)) {`
	`62`	`+ return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);`
	`63`	`+ }`
	`64`	`+`
`61`	`65`	`$where = [];`
`62`	`66`
`63`	`67`	`if (is_array($parameters)) {`
`@@ -100,4 +104,9 @@ public function runTool($parameters): string`
`100`	`104`
`101`	`105`	`return json_encode($output);`
`102`	`106`	`}`
	`107`	`+`
	`108`	`+ public static function checkPermissions(modX $modx): bool`
	`109`	`+ {`
	`110`	`+ return true;`
	`111`	`+ }`
`103`	`112`	`}`
Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,8 @@`
`6`	`6`
`7`	`7`	`class GetWeather implements ToolInterface`
`8`	`8`	`{`
	`9`	`+ private $modx;`
	`10`	`+`
`9`	`11`	`public static function getSuggestedName(): string`
`10`	`12`	`{`
`11`	`13`	`return 'get_weather';`
`@@ -39,6 +41,7 @@ public static function getConfig(): array`
`39`	`41`
`40`	`42`	`public function __construct(modX $modx, array $config)`
`41`	`43`	`{`
	`44`	`+ $this->modx = $modx;`
`42`	`45`	`}`
`43`	`46`
`44`	`47`	`/**`
`@@ -47,6 +50,10 @@ public function __construct(modX $modx, array $config)`
`47`	`50`	`*/`
`48`	`51`	`public function runTool($parameters): string`
`49`	`52`	`{`
	`53`	`+ if (!self::checkPermissions($this->modx)) {`
	`54`	`+ return json_encode(['success' => false, "message" => "You do not have permission to use this tool."]);`
	`55`	`+ }`
	`56`	`+`
`50`	`57`	`try {`
`51`	`58`	`$res = file_get_contents(`
`52`	`59`	`"https://api.open-meteo.com/v1/forecast?latitude={$parameters['latitude']}&longitude={$parameters['longitude']}&current=temperature_2m,relative_humidity_2m,apparent_temperature,is_day,precipitation,rain,showers,snowfall,cloud_cover,pressure_msl,surface_pressure,wind_speed_10m,wind_direction_10m,wind_gusts_10m&timezone=auto&forecast_days=1"`
`@@ -63,7 +70,12 @@ public function runTool($parameters): string`
`63`	`70`
`64`	`71`	`return json_encode($output, JSON_THROW_ON_ERROR);`
`65`	`72`	`} catch (\Throwable $e) {`
`66`		`- return "Received an error looking up the weather: {$e->getMessage()}";`
	`73`	`+ return json_encode(['success' => false, "message" => "Received an error looking up the weather: {$e->getMessage()}"]);`
`67`	`74`	`}`
`68`	`75`	`}`
	`76`	`+`
	`77`	`+ public static function checkPermissions(modX $modx): bool`
	`78`	`+ {`
	`79`	`+ return true;`
	`80`	`+ }`
`69`	`81`	`}`