@@ -13,7 +13,7 @@ import {
1313import { SecurityError , SecurityErrorType } from 'shared/types/errors' ;
1414import { ApiResponse , ControllerResponse } from '../types' ;
1515import { RouteContext } from '../../types/route-context' ;
16- import { ModelConfigService } from '../../../database' ;
16+ import { AppService , ModelConfigService } from '../../../database' ;
1717import { ModelConfig , credentialsToRuntimeOverrides } from '../../../agents/inferutils/config.types' ;
1818import { RateLimitService } from '../../../services/rate-limit/rateLimits' ;
1919import { validateWebSocketOrigin } from '../../../middleware/security/websocket' ;
@@ -338,6 +338,21 @@ export class CodingAgentController extends BaseController {
338338 return CodingAgentController . createErrorResponse < AgentPreviewResponse > ( 'Missing agent ID parameter' , 400 ) ;
339339 }
340340
341+ const appService = new AppService ( env ) ;
342+ const appResult = await appService . getAppDetails ( agentId ) ;
343+
344+ if ( ! appResult ) {
345+ return CodingAgentController . createErrorResponse < AgentPreviewResponse > ( 'App not found' , 404 ) ;
346+ }
347+
348+ // Check if app is public
349+ if ( appResult . visibility !== 'public' ) {
350+ // If user is logged in and is the owner, allow preview deployment
351+ const user = context . user ;
352+ if ( ! user || user . id !== appResult . userId ) {
353+ return CodingAgentController . createErrorResponse < AgentPreviewResponse > ( 'App is not public. Preview deployment is only available for public apps.' , 403 ) ;
354+ }
355+ }
341356 this . logger . info ( `Deploying preview for agent: ${ agentId } ` ) ;
342357
343358 try {
0 commit comments