Skip to content

feat: improved permissions and CVE-2025-64712 fix #773

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
MODSetter merged 20 commits into from
Feb 3, 2026
Merged

feat: improved permissions and CVE-2025-64712 fix #773

MODSetter merged 20 commits into from
Feb 3, 2026

Conversation

@MODSetter
Copy link
Owner

@MODSetter MODSetter commented Feb 3, 2026
edited by recurseml bot
Loading

Description

Motivation and Context

FIX #

Screenshots

API Changes

  • This PR includes API changes

Change Type

  • Bug fix
  • New feature
  • Performance improvement
  • Refactoring
  • Documentation
  • Dependency/Build system
  • Breaking change
  • Other (specify):

Testing Performed

  • Tested locally
  • Manual/QA verification

Checklist

  • Follows project coding standards and conventions
  • Documentation updated as needed
  • Dependencies updated as needed
  • No lint/build errors or new warnings
  • All relevant tests are passing

High-level PR Summary

This PR implements a role-based access control (RBAC) system for public chat sharing with new public_sharing:view, public_sharing:create, and public_sharing:delete permissions. The changes include a database migration to add these permissions to existing Editor and Viewer roles, refactoring of the public chat snapshot service to enforce permission checks using RBAC instead of ownership-only checks, a new settings page for managing public chat snapshots at the search space level, and a comprehensive frontend implementation with permission-aware UI components. Additionally, the PR updates unstructured and unstructured-client dependencies and renames API schemas from Snapshot* to PublicChatSnapshot* for improved clarity.

⏱️ Estimated Review Time: 30-90 minutes

💡 Review Order Suggestion
Order File Path
1 surfsense_backend/alembic/versions/90_add_public_sharing_permissions_to_roles.py
2 surfsense_backend/app/db.py
3 surfsense_backend/app/services/public_chat_service.py
4 surfsense_backend/app/routes/new_chat_routes.py
5 surfsense_backend/app/routes/search_spaces_routes.py
6 surfsense_backend/app/schemas/new_chat.py
7 surfsense_backend/pyproject.toml
8 surfsense_web/lib/query-client/cache-keys.ts
9 surfsense_web/contracts/types/chat-threads.types.ts
10 surfsense_web/lib/apis/chat-threads-api.service.ts
11 surfsense_web/atoms/public-chat-snapshots/public-chat-snapshots-query.atoms.ts
12 surfsense_web/atoms/public-chat-snapshots/public-chat-snapshots-mutation.atoms.ts
13 surfsense_web/atoms/chat/chat-thread-mutation.atoms.ts
14 surfsense_web/components/public-chat-snapshots/public-chat-snapshots-empty-state.tsx
15 surfsense_web/components/public-chat-snapshots/public-chat-snapshot-row.tsx
16 surfsense_web/components/public-chat-snapshots/public-chat-snapshots-list.tsx
17 surfsense_web/components/public-chat-snapshots/public-chat-snapshots-manager.tsx
18 surfsense_web/components/public-chat/public-chat-not-found.tsx
19 surfsense_web/components/public-chat/public-chat-view.tsx
20 surfsense_web/components/new-chat/chat-share-button.tsx
21 surfsense_web/app/dashboard/[search_space_id]/settings/page.tsx
22 surfsense_web/app/dashboard/[search_space_id]/team/page.tsx
23 surfsense_web/messages/en.json
24 surfsense_web/messages/zh.json
⚠️ Inconsistent Changes Detected
File Path Warning
surfsense_backend/pyproject.toml Dependency version updates for unstructured packages seem unrelated to the permissions and security fix described in the PR title

Need help? Join our Discord

Analyze latest changes

CREDO23 and others added 19 commits February 2, 2026 14:09
@CREDO23
feat: add public_sharing permissions
17c7b34
@CREDO23
feat: add permission checks for public sharing
f18ba8e
@CREDO23
feat: add migration for public_sharing permissions
148daa2
@CREDO23
feat: hide public link option based on permission
a80dd25
@CREDO23
feat: add Public Chat Sharing permission category
0bcd750
@CREDO23
feat: use frontend URL for public share links
3821630
@CREDO23
feat: add search space snapshots list endpoint
ab343b5
@CREDO23
feat: add search space snapshots frontend API
47b7bef
@CREDO23
feat: add snapshots cache key and query atom
e62e4fa
@CREDO23
refactor: rename snapshot types to PublicChatSnapshot prefix
d890c56
@CREDO23
feat: add public chat snapshots components
ea2dd20
@CREDO23
feat: add public chat links settings page
67f7972
@CREDO23
refactor: consolidate public chat snapshot mutations with cache inval…
ee56334 
…idation
@CREDO23
fix: organize imports
3cf8647
@CREDO23
feat: add graceful public chat not found page
8d9dfc7
@CREDO23
Merge remote-tracking branch 'upstream/dev' into dev
6033062
@CREDO23
fix: renumber migration to avoid version conflict with upstream
b221e8c
@MODSetter
Merge pull request #767 from CREDO23/sur-129-feat-add-a-sharing-page
be6b532 
[Feat] Add public chat sharing permissions, sharing page, and graceful 404
@MODSetter
security: CVE-2025-64712 fix
2b1d33d 
- Removed outdated dependencies: unstructured-client and langchain-unstructured.
- Added new versions for unstructured-client (0.42.3), unstructured[all-docs] (0.18.31), and langchain-unstructured (1.0.1).
@vercel
Copy link

vercel bot commented Feb 3, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
surf-sense-frontend Ready Ready Preview, Comment Feb 3, 2026 9:33pm

Request Review

@MODSetter MODSetter merged commit a17c05b into main Feb 3, 2026
4 of 6 checks passed
recurseml[bot]
recurseml bot reviewed Feb 3, 2026
View reviewed changes
Copy link

@recurseml recurseml bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review by RecurseML

🔍 Review performed on e172983..2b1d33d

✨ No bugs found, your code is sparkling clean

✅ Files analyzed, no issues (24)

surfsense_backend/alembic/versions/90_add_public_sharing_permissions_to_roles.py
surfsense_backend/app/db.py
surfsense_backend/app/routes/new_chat_routes.py
surfsense_backend/app/routes/search_spaces_routes.py
surfsense_backend/app/schemas/new_chat.py
surfsense_backend/app/services/public_chat_service.py
surfsense_backend/pyproject.toml
surfsense_web/app/dashboard/[search_space_id]/settings/page.tsx
surfsense_web/app/dashboard/[search_space_id]/team/page.tsx
surfsense_web/atoms/chat/chat-thread-mutation.atoms.ts
surfsense_web/atoms/public-chat-snapshots/public-chat-snapshots-mutation.atoms.ts
surfsense_web/atoms/public-chat-snapshots/public-chat-snapshots-query.atoms.ts
surfsense_web/components/new-chat/chat-share-button.tsx
surfsense_web/components/public-chat-snapshots/public-chat-snapshot-row.tsx
surfsense_web/components/public-chat-snapshots/public-chat-snapshots-empty-state.tsx
surfsense_web/components/public-chat-snapshots/public-chat-snapshots-list.tsx
surfsense_web/components/public-chat-snapshots/public-chat-snapshots-manager.tsx
surfsense_web/components/public-chat/public-chat-not-found.tsx
surfsense_web/components/public-chat/public-chat-view.tsx
surfsense_web/contracts/types/chat-threads.types.ts
surfsense_web/lib/apis/chat-threads-api.service.ts
surfsense_web/lib/query-client/cache-keys.ts
surfsense_web/messages/en.json
surfsense_web/messages/zh.json

⏭️ Files skipped (1)
  Locations  
surfsense_backend/uv.lock

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@recurseml recurseml[bot] recurseml[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@MODSetter @CREDO23