
Commit 83851de

authored
Merge branch 'main' into fix/tavily-api-key-param
2 parents 0f100b7 + b7a2005 commit 83851de

2 files changed

Lines changed: 63 additions & 54 deletions


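--- a/packages/components/models.json
+++ b/packages/components/models.json
@@ -1678,36 +1678,36 @@
 "label": "command-a-03-2025",
 "name": "command-a-03-2025",
 "description": "Command A – most performant; tool use, RAG, multilingual",
-"input_cost": 0.0025,
-"output_cost": 0.01
+"input_cost": 0.0000025,
+"output_cost": 0.00001
 },
 {
 "label": "command-r7b-12-2024",
 "name": "command-r7b-12-2024",
 "description": "Small, fast; RAG, tool use, agents",
-"input_cost": 0.000037,
-"output_cost": 0.00015
+"input_cost": 0.000000037,
+"output_cost": 0.00000015
 },
 {
 "label": "command-a-reasoning-08-2025",
 "name": "command-a-reasoning-08-2025",
 "description": "Command A Reasoning – nuanced problem-solving, agents",
-"input_cost": 0.0025,
-"output_cost": 0.01
+"input_cost": 0.0000025,
+"output_cost": 0.00001
 },
 {
 "label": "command-r-08-2024",
 "name": "command-r-08-2024",
 "description": "Command R – RAG, tool use, multilingual",
-"input_cost": 0.00015,
-"output_cost": 0.0006
+"input_cost": 0.00000015,
+"output_cost": 0.0000006
 },
 {
 "label": "command-r-plus-08-2024",
 "name": "command-r-plus-08-2024",
 "description": "Command R+ – complex RAG, multi-step tool use",
-"input_cost": 0.0025,
-"output_cost": 0.01
+"input_cost": 0.0000025,
+"output_cost": 0.00001
 }
 ]
 },
@@ -2199,104 +2199,104 @@
 {
 "label": "open-mistral-nemo",
 "name": "open-mistral-nemo",
-"input_cost": 0.00015,
-"output_cost": 0.00015
+"input_cost": 0.00000015,
+"output_cost": 0.00000015
 },
 {
 "label": "open-mistral-7b",
 "name": "open-mistral-7b",
-"input_cost": 0.00025,
-"output_cost": 0.00025
+"input_cost": 0.00000025,
+"output_cost": 0.00000025
 },
 {
 "label": "mistral-tiny-2312",
 "name": "mistral-tiny-2312",
-"input_cost": 0.0007,
-"output_cost": 0.0007
+"input_cost": 0.0000007,
+"output_cost": 0.0000007
 },
 {
 "label": "mistral-tiny",
 "name": "mistral-tiny",
-"input_cost": 0.0007,
-"output_cost": 0.0007
+"input_cost": 0.0000007,
+"output_cost": 0.0000007
 },
 {
 "label": "open-mixtral-8x7b",
 "name": "open-mixtral-8x7b",
-"input_cost": 0.0007,
-"output_cost": 0.0007
+"input_cost": 0.0000007,
+"output_cost": 0.0000007
 },
 {
 "label": "open-mixtral-8x22b",
 "name": "open-mixtral-8x22b",
-"input_cost": 0.002,
-"output_cost": 0.006
+"input_cost": 0.000002,
+"output_cost": 0.000006
 },
 {
 "label": "mistral-small-2312",
 "name": "mistral-small-2312",
-"input_cost": 0.0001,
-"output_cost": 0.0003
+"input_cost": 0.0000001,
+"output_cost": 0.0000003
 },
 {
 "label": "mistral-small",
 "name": "mistral-small",
-"input_cost": 0.0001,
-"output_cost": 0.0003
+"input_cost": 0.0000001,
+"output_cost": 0.0000003
 },
 {
 "label": "mistral-small-2402",
 "name": "mistral-small-2402",
-"input_cost": 0.0001,
-"output_cost": 0.0003
+"input_cost": 0.0000001,
+"output_cost": 0.0000003
 },
 {
 "label": "mistral-small-latest",
 "name": "mistral-small-latest",
-"input_cost": 0.0001,
-"output_cost": 0.0003
+"input_cost": 0.0000001,
+"output_cost": 0.0000003
 },
 {
 "label": "mistral-medium-latest",
 "name": "mistral-medium-latest",
-"input_cost": 0.001,
-"output_cost": 0.003
+"input_cost": 0.000001,
+"output_cost": 0.000003
 },
 {
 "label": "mistral-medium-2312",
 "name": "mistral-medium-2312",
-"input_cost": 0.001,
-"output_cost": 0.003
+"input_cost": 0.000001,
+"output_cost": 0.000003
 },
 {
 "label": "mistral-medium",
 "name": "mistral-medium",
-"input_cost": 0.001,
-"output_cost": 0.003
+"input_cost": 0.000001,
+"output_cost": 0.000003
 },
 {
 "label": "mistral-large-latest",
 "name": "mistral-large-latest",
-"input_cost": 0.002,
-"output_cost": 0.006
+"input_cost": 0.000002,
+"output_cost": 0.000006
 },
 {
 "label": "mistral-large-2402",
 "name": "mistral-large-2402",
-"input_cost": 0.002,
-"output_cost": 0.006
+"input_cost": 0.000002,
+"output_cost": 0.000006
 },
 {
 "label": "codestral-latest",
 "name": "codestral-latest",
-"input_cost": 0.0002,
-"output_cost": 0.0006
+"input_cost": 0.0000002,
+"output_cost": 0.0000006
 },
 {
 "label": "devstral-small-2505",
 "name": "devstral-small-2505",
-"input_cost": 0.0001,
-"output_cost": 0.0003
+"input_cost": 0.0000001,
+"output_cost": 0.0000003
 }
 ]
 },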

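--- a/packages/server/src/enterprise/controllers/workspace-user.controller.ts
+++ b/packages/server/src/enterprise/controllers/workspace-user.controller.ts
@@ -7,6 +7,7 @@ import { getRunningExpressApp } from '../../utils/getRunningExpressApp'
 import { WorkspaceUser } from '../database/entities/workspace-user.entity'
 import { WorkspaceUserService } from '../services/workspace-user.service'
 import {
+assertMayReadTargetUser,
 assertQueryOrganizationMatchesActiveOrg,
 assertWorkspaceIdAccessibleToUser,
 getLoggedInUser,
@@ -35,35 +36,43 @@ export class WorkspaceUserController {
 
 let workspaceUser: any
 if (query.workspaceId && query.userId) {
+// Caller must have access to the workspace (own, assigned, or org admin within their org).
 await assertWorkspaceIdAccessibleToUser(user, query.workspaceId, queryRunner)
 workspaceUser = await workspaceUserService.readWorkspaceUserByWorkspaceIdUserId(
 query.workspaceId,
 query.userId,
 queryRunner
 )
 } else if (query.workspaceId) {
+// Caller must have access to the workspace (own, assigned, or org admin within their org).
 await assertWorkspaceIdAccessibleToUser(user, query.workspaceId, queryRunner)
 workspaceUser = await workspaceUserService.readWorkspaceUserByWorkspaceId(query.workspaceId, queryRunner)
 } else if (query.organizationId && query.userId) {
+// organizationId must match the caller's active org to prevent cross-org access.
+// Caller must be the target user or an org user manager whose target belongs to the same org (IDOR guard).
 assertQueryOrganizationMatchesActiveOrg(user, query.organizationId)
-if (query.userId !== user.id && !userMayManageOrgUsers(user)) {
-throw new InternalFlowiseError(StatusCodes.FORBIDDEN, GeneralErrorMessage.FORBIDDEN)
-}
+await assertMayReadTargetUser(user, query.userId, queryRunner)
 workspaceUser = await workspaceUserService.readWorkspaceUserByOrganizationIdUserId(
 query.organizationId,
 query.userId,
 queryRunner
 )
 } else if (query.userId) {
-if (query.userId !== user.id && !userMayManageOrgUsers(user)) {
-throw new InternalFlowiseError(StatusCodes.FORBIDDEN, GeneralErrorMessage.FORBIDDEN)
+if (query.userId === user.id) {
+// Self-lookup: return memberships across all orgs so the user can switch to an invited org/workspace.
+workspaceUser = await workspaceUserService.readWorkspaceUserByUserId(query.userId, queryRunner)
+} else {
+// Non-self: caller must be an org user manager and the target must belong to the caller's active org (IDOR guard).
+// Results are scoped to the caller's active org to prevent cross-org data leakage.
+await assertMayReadTargetUser(user, query.userId, queryRunner)
+workspaceUser = await workspaceUserService.readWorkspaceUserByOrganizationIdUserId(
+user.activeOrganizationId,
+query.userId,
+queryRunner
+)
 }
-workspaceUser = await workspaceUserService.readWorkspaceUserByOrganizationIdUserId(
-user.activeOrganizationId,
-query.userId,
-queryRunner
-)
 } else if (query.roleId) {
+// Only org user managers may list workspace members by role.
 if (!userMayManageOrgUsers(user)) {
 throw new InternalFlowiseError(StatusCodes.FORBIDDEN, GeneralErrorMessage.FORBIDDEN)
 }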
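Review bot: The added comments in the `organizationId && userId` branch and the non-self `userId` branch describe guarantees (self is allowed; otherwise the caller is an org user manager and the target belongs to the caller's active org) that are enforced entirely inside `assertMayReadTargetUser`, whose body is not part of this diff, so the controller's authorization now depends on that helper matching the comments. Because the inline `query.userId !== user.id` check was removed from the `organizationId && userId` branch, a regression test per case (self, manager with in-org target, manager with out-of-org target, non-manager) would pin the behaviour the comments promise. In the non-self branch, `user.activeOrganizationId` is passed to `readWorkspaceUserByOrganizationIdUserId` with no visible check that it is set; if it can be undefined, a guard before the read such as `if (!user.activeOrganizationId) throw new InternalFlowiseError(StatusCodes.FORBIDDEN, GeneralErrorMessage.FORBIDDEN)` would keep the lookup scoped. The enclosing method starts and ends outside the hunk, so how `query` is parsed and what the `roleId` branch reads cannot be confirmed from here.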
