Skip to content

Fix Mass Assignment in Assistants Endpoints #6052

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
christopherholland-workday wants to merge 2 commits into from
Closed

Fix Mass Assignment in Assistants Endpoints #6052

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
9f7474f
Fix Mass Assignment in Assistants Endpoints
Mar 24, 2026
c9f3a90
Fix Mass Assignment in Assistants Endpoints#6052
Mar 24, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 1 addition & 2 deletions packages/server/src/controllers/assistants/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,8 +35,7 @@ const createAssistant = async (req: Request, res: Response, next: NextFunction)
const newAssistantCount = 1
await checkUsageLimit('flows', subscriptionId, getRunningExpressApp().usageCacheManager, existingAssistantCount + newAssistantCount)

body.workspaceId = workspaceId
const apiResponse = await assistantsService.createAssistant(body, orgId)
const apiResponse = await assistantsService.createAssistant(body, orgId, workspaceId)

return res.json(apiResponse)
} catch (error) {
Expand Down
57 changes: 38 additions & 19 deletions packages/server/src/services/assistants/index.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ import { Assistant } from '../../database/entities/Assistant'
import { Credential } from '../../database/entities/Credential'
import { DocumentStore } from '../../database/entities/DocumentStore'
import { Workspace } from '../../enterprise/database/entities/workspace.entity'
import { WorkspaceService } from '../../enterprise/services/workspace.service'
import { getWorkspaceSearchOptions } from '../../enterprise/utils/ControllerServiceUtils'
import { InternalFlowiseError } from '../../errors/internalFlowiseError'
import { getErrorMessage } from '../../errors/utils'
Expand All @@ -20,7 +21,37 @@ import { ASSISTANT_PROMPT_GENERATOR } from '../../utils/prompt'
import { checkUsageLimit } from '../../utils/quotaUsage'
import nodesService from '../nodes'

const createAssistant = async (requestBody: any, orgId: string): Promise<Assistant> => {
const findAccessibleCredential = async (credentialId: string, workspaceId: string): Promise<Credential | null> => {
const appServer = getRunningExpressApp()
const credential = await appServer.AppDataSource.getRepository(Credential).findOneBy({
id: credentialId,
workspaceId
})
if (credential) return credential

const workspaceService = new WorkspaceService()
const sharedItems = (await workspaceService.getSharedItemsForWorkspace(workspaceId, 'credential')) as Credential[]
if (sharedItems.some((item) => item.id === credentialId)) {
return await appServer.AppDataSource.getRepository(Credential).findOneBy({ id: credentialId })
}
return null
}

function applyAssistantCreateFields(entity: Assistant, body: any, workspaceId: string): void {
entity.details = body.details
entity.credential = body.credential
entity.iconSrc = body.iconSrc
entity.type = body.type
entity.workspaceId = workspaceId
}

function applyAssistantUpdateFields(entity: Assistant, details: string, body: any): void {
entity.details = details
entity.credential = body.credential
entity.iconSrc = body.iconSrc
}

const createAssistant = async (requestBody: any, orgId: string, workspaceId: string): Promise<Assistant> => {
try {
const appServer = getRunningExpressApp()
if (!requestBody.details) {
Expand All @@ -30,7 +61,7 @@ const createAssistant = async (requestBody: any, orgId: string): Promise<Assista

if (requestBody.type === 'CUSTOM') {
const newAssistant = new Assistant()
Object.assign(newAssistant, requestBody)
Copy link
Copy Markdown
Contributor

@0xi4o 0xi4o Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If we just want to overwrite workspaceId, we can simple do:

Object.assign(newAssistant, requestBody, {
  workspaceId,
})

Copy link
Copy Markdown
Contributor Author

@christopherholland-workday christopherholland-workday Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

However, there are other fields as well that we don't want to allow update for through the request, e.g. updatedTime. I think it could get more complicated with this?

Copy link
Copy Markdown
Contributor

@0xi4o 0xi4o Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can use the stripProtectedFields in packages/server/src/utils/ for this. This function removes all server-managed fields from request body.

applyAssistantCreateFields(newAssistant, requestBody, workspaceId)

const assistant = appServer.AppDataSource.getRepository(Assistant).create(newAssistant)
const dbResponse = await appServer.AppDataSource.getRepository(Assistant).save(assistant)
Expand All @@ -50,9 +81,7 @@ const createAssistant = async (requestBody: any, orgId: string): Promise<Assista
}

try {
const credential = await appServer.AppDataSource.getRepository(Credential).findOneBy({
id: requestBody.credential
})
const credential = await findAccessibleCredential(requestBody.credential, workspaceId)

if (!credential) {
throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Credential ${requestBody.credential} not found`)
Expand Down Expand Up @@ -135,7 +164,7 @@ const createAssistant = async (requestBody: any, orgId: string): Promise<Assista
throw new InternalFlowiseError(StatusCodes.INTERNAL_SERVER_ERROR, `Error creating new assistant - ${getErrorMessage(error)}`)
}
const newAssistant = new Assistant()
Object.assign(newAssistant, requestBody)
Copy link
Copy Markdown
Contributor

@0xi4o 0xi4o Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as the above comment

applyAssistantCreateFields(newAssistant, requestBody, workspaceId)

const assistant = appServer.AppDataSource.getRepository(Assistant).create(newAssistant)
const dbResponse = await appServer.AppDataSource.getRepository(Assistant).save(assistant)
Expand Down Expand Up @@ -298,11 +327,7 @@ const updateAssistant = async (assistantId: string, requestBody: any, workspaceI
}

if (assistant.type === 'CUSTOM') {
const body = requestBody
const updateAssistant = new Assistant()
Object.assign(updateAssistant, body)

appServer.AppDataSource.getRepository(Assistant).merge(assistant, updateAssistant)
applyAssistantUpdateFields(assistant, requestBody.details, requestBody)
Copy link
Copy Markdown
Contributor

@0xi4o 0xi4o Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure what's happening here. The applyAssistantUpdateFields overwrites the details field but the value passed for details comes from requestBody. Is this change needed?

const dbResponse = await appServer.AppDataSource.getRepository(Assistant).save(assistant)
return dbResponse
}
Expand All @@ -311,9 +336,7 @@ const updateAssistant = async (assistantId: string, requestBody: any, workspaceI
const openAIAssistantId = JSON.parse(assistant.details)?.id
const body = requestBody
const assistantDetails = JSON.parse(body.details)
const credential = await appServer.AppDataSource.getRepository(Credential).findOneBy({
id: body.credential
})
const credential = await findAccessibleCredential(body.credential, workspaceId)

if (!credential) {
throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Credential ${body.credential} not found`)
Expand Down Expand Up @@ -376,11 +399,7 @@ const updateAssistant = async (assistantId: string, requestBody: any, workspaceI
}
if (savedToolResources) newAssistantDetails.tool_resources = savedToolResources

const updateAssistant = new Assistant()
body.details = JSON.stringify(newAssistantDetails)
Object.assign(updateAssistant, body)

appServer.AppDataSource.getRepository(Assistant).merge(assistant, updateAssistant)
applyAssistantUpdateFields(assistant, JSON.stringify(newAssistantDetails), body)
Copy link
Copy Markdown
Contributor

@0xi4o 0xi4o Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as the above comment

const dbResponse = await appServer.AppDataSource.getRepository(Assistant).save(assistant)
return dbResponse
} catch (error) {
Expand Down
Loading