@fieldwangai/agentflow 0.1.55 → 0.1.57

@@ -113,11 +113,27 @@ function manifestOwnerUserId(manifest) {
113
113
  return String(manifest?.ownerUserId || manifest?.createdBy || "").trim();
114
114
  }
115
115
 
116
- function canAccessMarketplaceNode(manifest, opts = {}) {
116
+ function isAdminRequest(opts = {}) {
117
+ return Boolean(opts?.isAdmin);
118
+ }
119
+
120
+ function canAccessMarketplaceOwner(ownerUserId, opts = {}) {
117
121
  const requestedUserId = String(opts.userId || "").trim();
118
122
  if (!requestedUserId) return true;
123
+ if (isAdminRequest(opts)) return true;
124
+ return Boolean(ownerUserId) && ownerUserId === requestedUserId;
125
+ }
126
+
127
+ function canManageMarketplaceOwner(ownerUserId, opts = {}) {
128
+ const requestedUserId = String(opts.userId || "").trim();
129
+ if (!requestedUserId) return false;
130
+ if (isAdminRequest(opts)) return true;
131
+ return Boolean(ownerUserId) && ownerUserId === requestedUserId;
132
+ }
133
+
134
+ function canAccessMarketplaceNode(manifest, opts = {}) {
119
135
  if ((manifest?.source || "marketplace") !== "marketplace") return true;
120
- return manifestOwnerUserId(manifest) === requestedUserId;
136
+ return canAccessMarketplaceOwner(manifestOwnerUserId(manifest), opts);
121
137
  }
122
138
 
123
139
  function sortVersionsDesc(versions) {
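Review bot: `canAccessMarketplaceOwner` returns true when `opts.userId` is empty while the new `canManageMarketplaceOwner` returns false for the same input, and nothing in the hunk says the read-side fail-open is intended. The `{}` context that startUiServer builds for an unauthenticated request takes exactly that branch, so whether those reads are acceptable depends on authentication enforced elsewhere. If an empty context means authentication is disabled, say so above the function, e.g. `// No userId = auth disabled: reads are unrestricted; writes always need an identified user.` `isAdminRequest` also trusts `opts.isAdmin` as given, so a JSDoc line stating that `opts` must be built from the authenticated session and never from request parameters would make that contract explicit.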
@@ -422,7 +438,7 @@ export function listMarketplaceFlowSnippets(workspaceRoot, opts = {}) {
422
438
  if (!manifest) continue;
423
439
  const snippet = manifest.snippet && typeof manifest.snippet === "object" ? manifest.snippet : {};
424
440
  const ownerUserId = String(manifest.ownerUserId || manifest.createdBy || "").trim();
425
- if (requestedUserId && ownerUserId !== requestedUserId) continue;
441
+ if (requestedUserId && !canAccessMarketplaceOwner(ownerUserId, opts)) continue;
426
442
  snippets.push({
427
443
  id: manifest.id || entry.name,
428
444
  version: manifest.version || version,
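Review bot: The `requestedUserId &&` guard on the new line looks redundant, assuming `requestedUserId` is derived from `opts.userId` as in the helpers, because `canAccessMarketplaceOwner` already returns true for an empty user. `if (!canAccessMarketplaceOwner(ownerUserId, opts)) continue;` reads the same and keeps the policy in one place. The line above could also call `manifestOwnerUserId(manifest)` instead of repeating the `ownerUserId || createdBy` expression. The enclosing loop in listMarketplaceFlowSnippets starts and ends outside the hunk, so `requestedUserId` may still be needed elsewhere.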
@@ -454,8 +470,7 @@ export function deleteMarketplaceNodePackage(workspaceRoot, id, version, opts =
454
470
  return { ok: false, error: `Marketplace node package not found: ${id}@${version}` };
455
471
  }
456
472
  const manifest = normalizeManifest(readYamlObject(manifestPath), packageDir, "marketplace");
457
- const requestedUserId = String(opts.userId || "").trim();
458
- if (!requestedUserId || !manifest || manifestOwnerUserId(manifest) !== requestedUserId) {
473
+ if (!manifest || !canManageMarketplaceOwner(manifestOwnerUserId(manifest), opts)) {
459
474
  return { ok: false, error: "Marketplace node permission denied" };
460
475
  }
461
476
  const usage = listMarketplaceNodeUsages(workspaceRoot, id, version, opts);
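Review bot: An admin can now delete a package owned by another user, and the visible code records nothing about who did it. Before the removal, log the acting user, the owner and `id@version` whenever they differ, for example `if (opts.isAdmin && owner !== String(opts.userId || "").trim()) console.warn(...)` using whatever logger the module already has. The same applies to deleteMarketplaceFlowSnippetPackage, where `readYamlObject(manifestPath) || {}` gives an empty owner for a missing manifest, so only an admin passes the check before `fs.rmSync(packageDir, ...)` runs. Both function bodies continue outside their hunks, so an existing audit step further down cannot be ruled out.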
@@ -483,8 +498,7 @@ export function deleteMarketplaceFlowSnippetPackage(workspaceRoot, id, version,
483
498
  }
484
499
  const manifest = readYamlObject(manifestPath) || {};
485
500
  const ownerUserId = String(manifest.ownerUserId || manifest.createdBy || "").trim();
486
- const requestedUserId = String(opts.userId || "").trim();
487
- if (!requestedUserId || ownerUserId !== requestedUserId) {
501
+ if (!canManageMarketplaceOwner(ownerUserId, opts)) {
488
502
  return { ok: false, error: "Flow snippet permission denied" };
489
503
  }
490
504
  fs.rmSync(packageDir, { recursive: true, force: true });
@@ -719,7 +733,7 @@ export function publishNodeFromInstance(workspaceRoot, payload = {}, options = {
719
733
  const existingManifest = readYamlObject(path.join(dest, NODE_MANIFEST));
720
734
  if (existingManifest) {
721
735
  const existingOwner = manifestOwnerUserId(existingManifest);
722
- if (existingOwner !== ownerUserId) return { ok: false, error: "Marketplace node permission denied" };
736
+ if (!canManageMarketplaceOwner(existingOwner, options)) return { ok: false, error: "Marketplace node permission denied" };
723
737
  }
724
738
  const now = new Date().toISOString();
725
739
  fs.mkdirSync(path.dirname(dest), { recursive: true });
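Review bot: The overwrite check now tests `options.userId` against the existing owner, while the manifest written afterwards presumably still uses the local `ownerUserId`, whose derivation is outside the hunk. Two consequences are worth confirming. An admin republishing another user's package may silently become its owner. A call with no `userId` that used to pass (both sides empty, so `existingOwner !== ownerUserId` was false) is now denied, because `canManageMarketplaceOwner` rejects an empty user. If ownership should survive an admin edit, carry it forward with something like `const finalOwner = existingOwner || ownerUserId;`; the identical change in publishFlowSnippet needs the same check.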
@@ -797,7 +811,7 @@ export function publishFlowSnippet(workspaceRoot, payload = {}, opts = {}) {
797
811
  const existingManifest = readYamlObject(path.join(dest, FLOW_SNIPPET_MANIFEST));
798
812
  if (existingManifest) {
799
813
  const existingOwner = String(existingManifest.ownerUserId || existingManifest.createdBy || "").trim();
800
- if (existingOwner !== ownerUserId) return { ok: false, error: "Flow snippet permission denied" };
814
+ if (!canManageMarketplaceOwner(existingOwner, opts)) return { ok: false, error: "Flow snippet permission denied" };
801
815
  }
802
816
  fs.mkdirSync(path.dirname(dest), { recursive: true });
803
817
  fs.rmSync(dest, { recursive: true, force: true });
@@ -3271,7 +3271,7 @@ export function startUiServer({
3271
3271
  }
3272
3272
 
3273
3273
  const authUser = getAuthUserFromRequest(req);
3274
- const userCtx = authUser ? { userId: authUser.userId } : {};
3274
+ const userCtx = authUser ? { userId: authUser.userId, isAdmin: Boolean(authUser.isAdmin) } : {};
3275
3275
  if (req.method === "GET" && url.pathname === "/api/display/share") {
3276
3276
  try {
3277
3277
  const id = String(url.searchParams.get("id") || "").trim();
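Review bot: `isAdmin` on the new `userCtx` line now decides delete and overwrite rights downstream, so its provenance inside `getAuthUserFromRequest` matters, and that function is not visible here. Confirm the flag is read from a server-side session or a verified token rather than anything the client can set, and that no handler later spreads request-body fields over `userCtx`. A comment on this line such as `// isAdmin comes from the verified session only; never merge client input into userCtx` would document the boundary. startUiServer's body starts and continues outside the hunk.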