🧬 fix: Backfill Missing SHARE Permissions and Migrate Legacy SHARED_GLOBAL Fields (#11854)

danny-avila · web-flow · commit 50a48efa43c3 · 2026-02-18T12:48:33.000-05:00
* chore: Migrate legacy SHARED_GLOBAL permissions to SHARE and clean up orphaned fields

- Implemented migration logic to convert legacy SHARED_GLOBAL permissions to SHARE for PROMPTS and AGENTS, preserving user intent.
- Added cleanup process to remove orphaned SHARED_GLOBAL fields from the database after the schema change.
- Enhanced unit tests to verify migration and cleanup functionality, ensuring correct behavior for existing roles and permissions.

* fix: Enhance migration of SHARED_GLOBAL to SHARE permissions

- Updated the `updateAccessPermissions` function to ensure that SHARED_GLOBAL values are inherited into SHARE when SHARE is absent from both the database and the update payload.
- Implemented logic to prevent overwriting explicit SHARE values provided in the update, preserving user intent.
- Enhanced unit tests to cover various scenarios, including migration from SHARED_GLOBAL to SHARE and ensuring orphaned SHARED_GLOBAL fields are cleaned up appropriately.
diff --git a/api/models/Role.js b/api/models/Role.js
@@ -114,6 +114,28 @@ async function updateAccessPermissions(roleName, permissionsUpdate, roleData) {
       }
     }
 
+    // Migrate legacy SHARED_GLOBAL → SHARE for PROMPTS and AGENTS.
+    // SHARED_GLOBAL was removed in favour of SHARE in PR #11283. If the DB still has
+    // SHARED_GLOBAL but not SHARE, inherit the value so sharing intent is preserved.
+    const legacySharedGlobalTypes = ['PROMPTS', 'AGENTS'];
+    for (const legacyPermType of legacySharedGlobalTypes) {
+      const existingTypePerms = currentPermissions[legacyPermType];
+      if (
+        existingTypePerms &&
+        'SHARED_GLOBAL' in existingTypePerms &&
+        !('SHARE' in existingTypePerms) &&
+        updates[legacyPermType] &&
+        // Don't override an explicit SHARE value the caller already provided
+        !('SHARE' in updates[legacyPermType])
+      ) {
+        const inheritedValue = existingTypePerms['SHARED_GLOBAL'];
+        updates[legacyPermType]['SHARE'] = inheritedValue;
+        logger.info(
+          `Migrating '${roleName}' role ${legacyPermType}.SHARED_GLOBAL=${inheritedValue} → SHARE`,
+        );
+      }
+    }
+
     for (const [permissionType, permissions] of Object.entries(updates)) {
       const currentTypePermissions = currentPermissions[permissionType] || {};
       updatedPermissions[permissionType] = { ...currentTypePermissions };
@@ -129,6 +151,32 @@ async function updateAccessPermissions(roleName, permissionsUpdate, roleData) {
       }
     }
 
+    // Clean up orphaned SHARED_GLOBAL fields left in DB after the schema rename.
+    // Since we $set the full permissions object, deleting from updatedPermissions
+    // is sufficient to remove the field from MongoDB.
+    for (const legacyPermType of legacySharedGlobalTypes) {
+      const existingTypePerms = currentPermissions[legacyPermType];
+      if (existingTypePerms && 'SHARED_GLOBAL' in existingTypePerms) {
+        if (!updates[legacyPermType]) {
+          // permType wasn't in the update payload so the migration block above didn't run.
+          // Create a writable copy and handle the SHARED_GLOBAL → SHARE inheritance here
+          // to avoid removing SHARED_GLOBAL without writing SHARE (data loss).
+          updatedPermissions[legacyPermType] = { ...existingTypePerms };
+          if (!('SHARE' in existingTypePerms)) {
+            updatedPermissions[legacyPermType]['SHARE'] = existingTypePerms['SHARED_GLOBAL'];
+            logger.info(
+              `Migrating '${roleName}' role ${legacyPermType}.SHARED_GLOBAL=${existingTypePerms['SHARED_GLOBAL']} → SHARE`,
+            );
+          }
+        }
+        delete updatedPermissions[legacyPermType]['SHARED_GLOBAL'];
+        hasChanges = true;
+        logger.info(
+          `Removed legacy SHARED_GLOBAL field from '${roleName}' role ${legacyPermType} permissions`,
+        );
+      }
+    }
+
     if (hasChanges) {
       const updateObj = { permissions: updatedPermissions };
 
diff --git a/api/models/Role.spec.js b/api/models/Role.spec.js
@@ -233,6 +233,112 @@ describe('updateAccessPermissions', () => {
     expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO]).toEqual({ USE: true });
   });
 
+  it('should inherit SHARED_GLOBAL value into SHARE when SHARE is absent from both DB and update', async () => {
+    // Simulates the startup backfill path: caller sends SHARE_PUBLIC but not SHARE;
+    // migration should inherit SHARED_GLOBAL to preserve the deployment's sharing intent.
+    await Role.collection.insertOne({
+      name: SystemRoles.USER,
+      permissions: {
+        [PermissionTypes.PROMPTS]: { USE: true, CREATE: true, SHARED_GLOBAL: true },
+        [PermissionTypes.AGENTS]: { USE: true, CREATE: true, SHARED_GLOBAL: false },
+      },
+    });
+
+    await updateAccessPermissions(SystemRoles.USER, {
+      // No explicit SHARE — migration should inherit from SHARED_GLOBAL
+      [PermissionTypes.PROMPTS]: { SHARE_PUBLIC: false },
+      [PermissionTypes.AGENTS]: { SHARE_PUBLIC: false },
+    });
+
+    const updatedRole = await getRoleByName(SystemRoles.USER);
+
+    // SHARED_GLOBAL=true → SHARE=true (inherited)
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARE).toBe(true);
+    // SHARED_GLOBAL=false → SHARE=false (inherited)
+    expect(updatedRole.permissions[PermissionTypes.AGENTS].SHARE).toBe(false);
+    // SHARED_GLOBAL cleaned up
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBeUndefined();
+    expect(updatedRole.permissions[PermissionTypes.AGENTS].SHARED_GLOBAL).toBeUndefined();
+  });
+
+  it('should respect explicit SHARE in update payload and not override it with SHARED_GLOBAL', async () => {
+    // Caller explicitly passes SHARE: false even though SHARED_GLOBAL=true in DB.
+    // The explicit intent must win; migration must not silently overwrite it.
+    await Role.collection.insertOne({
+      name: SystemRoles.USER,
+      permissions: {
+        [PermissionTypes.PROMPTS]: { USE: true, SHARED_GLOBAL: true },
+      },
+    });
+
+    await updateAccessPermissions(SystemRoles.USER, {
+      [PermissionTypes.PROMPTS]: { SHARE: false }, // explicit false — should be preserved
+    });
+
+    const updatedRole = await getRoleByName(SystemRoles.USER);
+
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARE).toBe(false);
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBeUndefined();
+  });
+
+  it('should migrate SHARED_GLOBAL to SHARE even when the permType is not in the update payload', async () => {
+    // Bug #2 regression: cleanup block removes SHARED_GLOBAL but migration block only
+    // runs when the permType is in the update payload. Without the fix, SHARE would be
+    // lost when any other permType (e.g. MULTI_CONVO) is the only thing being updated.
+    await Role.collection.insertOne({
+      name: SystemRoles.USER,
+      permissions: {
+        [PermissionTypes.PROMPTS]: {
+          USE: true,
+          SHARED_GLOBAL: true, // legacy — NO SHARE present
+        },
+        [PermissionTypes.MULTI_CONVO]: { USE: false },
+      },
+    });
+
+    // Only update MULTI_CONVO — PROMPTS is intentionally absent from the payload
+    await updateAccessPermissions(SystemRoles.USER, {
+      [PermissionTypes.MULTI_CONVO]: { USE: true },
+    });
+
+    const updatedRole = await getRoleByName(SystemRoles.USER);
+
+    // SHARE should have been inherited from SHARED_GLOBAL, not silently dropped
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARE).toBe(true);
+    // SHARED_GLOBAL should be removed
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBeUndefined();
+    // Original USE should be untouched
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS].USE).toBe(true);
+    // The actual update should have applied
+    expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO].USE).toBe(true);
+  });
+
+  it('should remove orphaned SHARED_GLOBAL when SHARE already exists and permType is not in update', async () => {
+    // Safe cleanup case: SHARE already set, SHARED_GLOBAL is just orphaned noise.
+    // SHARE must not be changed; SHARED_GLOBAL must be removed.
+    await Role.collection.insertOne({
+      name: SystemRoles.USER,
+      permissions: {
+        [PermissionTypes.PROMPTS]: {
+          USE: true,
+          SHARE: true, // already migrated
+          SHARED_GLOBAL: true, // orphaned
+        },
+        [PermissionTypes.MULTI_CONVO]: { USE: false },
+      },
+    });
+
+    await updateAccessPermissions(SystemRoles.USER, {
+      [PermissionTypes.MULTI_CONVO]: { USE: true },
+    });
+
+    const updatedRole = await getRoleByName(SystemRoles.USER);
+
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARED_GLOBAL).toBeUndefined();
+    expect(updatedRole.permissions[PermissionTypes.PROMPTS].SHARE).toBe(true);
+    expect(updatedRole.permissions[PermissionTypes.MULTI_CONVO].USE).toBe(true);
+  });
+
   it('should not update MULTI_CONVO permissions when no changes are needed', async () => {
     await new Role({
       name: SystemRoles.USER,
diff --git a/packages/api/src/app/permissions.spec.ts b/packages/api/src/app/permissions.spec.ts
@@ -776,11 +776,19 @@ describe('updateInterfacePermissions - permissions', () => {
   });
 
   it('should only update permissions that do not exist when no config provided', async () => {
-    // Mock that some permissions already exist
+    // Mock that some permissions already exist (with SHARE/SHARE_PUBLIC as they would be post-#11283)
     mockGetRoleByName.mockResolvedValue({
       permissions: {
-        [PermissionTypes.PROMPTS]: { [Permissions.USE]: false },
-        [PermissionTypes.AGENTS]: { [Permissions.USE]: true },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.USE]: false,
+          [Permissions.SHARE]: false,
+          [Permissions.SHARE_PUBLIC]: false,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.SHARE]: false,
+          [Permissions.SHARE_PUBLIC]: false,
+        },
       },
     });
 
@@ -892,30 +900,38 @@ describe('updateInterfacePermissions - permissions', () => {
       SystemRoles.USER,
       expectedPermissionsForUser,
       expect.objectContaining({
-        permissions: {
-          [PermissionTypes.PROMPTS]: { [Permissions.USE]: false },
-          [PermissionTypes.AGENTS]: { [Permissions.USE]: true },
-        },
+        permissions: expect.objectContaining({
+          [PermissionTypes.PROMPTS]: expect.objectContaining({ [Permissions.USE]: false }),
+          [PermissionTypes.AGENTS]: expect.objectContaining({ [Permissions.USE]: true }),
+        }),
       }),
     );
     expect(mockUpdateAccessPermissions).toHaveBeenCalledWith(
       SystemRoles.ADMIN,
       expectedPermissionsForAdmin,
       expect.objectContaining({
-        permissions: {
-          [PermissionTypes.PROMPTS]: { [Permissions.USE]: false },
-          [PermissionTypes.AGENTS]: { [Permissions.USE]: true },
-        },
+        permissions: expect.objectContaining({
+          [PermissionTypes.PROMPTS]: expect.objectContaining({ [Permissions.USE]: false }),
+          [PermissionTypes.AGENTS]: expect.objectContaining({ [Permissions.USE]: true }),
+        }),
       }),
     );
   });
 
   it('should override existing permissions when explicitly configured', async () => {
-    // Mock that some permissions already exist
+    // Mock that some permissions already exist (with SHARE/SHARE_PUBLIC as they would be post-#11283)
     mockGetRoleByName.mockResolvedValue({
       permissions: {
-        [PermissionTypes.PROMPTS]: { [Permissions.USE]: false },
-        [PermissionTypes.AGENTS]: { [Permissions.USE]: false },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.USE]: false,
+          [Permissions.SHARE]: false,
+          [Permissions.SHARE_PUBLIC]: false,
+        },
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: false,
+          [Permissions.SHARE]: false,
+          [Permissions.SHARE_PUBLIC]: false,
+        },
         [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: false },
       },
     });
@@ -1340,8 +1356,13 @@ describe('updateInterfacePermissions - permissions', () => {
 
   it('should leave all existing permissions unchanged when nothing is configured', async () => {
     // Mock existing permissions with values that differ from defaults
+    // SHARE/SHARE_PUBLIC included as they would be in a post-#11283 DB document
     const existingUserPermissions = {
-      [PermissionTypes.PROMPTS]: { [Permissions.USE]: false },
+      [PermissionTypes.PROMPTS]: {
+        [Permissions.USE]: false,
+        [Permissions.SHARE]: false,
+        [Permissions.SHARE_PUBLIC]: false,
+      },
       [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: false },
       [PermissionTypes.MEMORIES]: { [Permissions.USE]: false },
       [PermissionTypes.PEOPLE_PICKER]: {
@@ -1400,10 +1421,14 @@ describe('updateInterfacePermissions - permissions', () => {
   });
 
   it('should only update explicitly configured permissions and leave others unchanged', async () => {
-    // Mock existing permissions
+    // Mock existing permissions (with SHARE/SHARE_PUBLIC as they would be post-#11283)
     mockGetRoleByName.mockResolvedValue({
       permissions: {
-        [PermissionTypes.PROMPTS]: { [Permissions.USE]: false },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.USE]: false,
+          [Permissions.SHARE]: false,
+          [Permissions.SHARE_PUBLIC]: false,
+        },
         [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: false },
         [PermissionTypes.MEMORIES]: { [Permissions.USE]: false },
         [PermissionTypes.PEOPLE_PICKER]: {
@@ -1729,8 +1754,12 @@ describe('updateInterfacePermissions - permissions', () => {
           [Permissions.UPDATE]: true,
           [Permissions.OPT_OUT]: true,
         },
-        // Other existing permissions
-        [PermissionTypes.PROMPTS]: { [Permissions.USE]: true },
+        // Other existing permissions (with SHARE/SHARE_PUBLIC as they would be post-#11283)
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.USE]: true,
+          [Permissions.SHARE]: false,
+          [Permissions.SHARE_PUBLIC]: false,
+        },
         [PermissionTypes.BOOKMARKS]: { [Permissions.USE]: true },
       },
     });
@@ -2005,4 +2034,70 @@ describe('updateInterfacePermissions - permissions', () => {
     expect(userCall[1][PermissionTypes.PROMPTS]).not.toHaveProperty(Permissions.SHARE);
     expect(userCall[1][PermissionTypes.PROMPTS]).not.toHaveProperty(Permissions.SHARE_PUBLIC);
   });
+
+  it('should backfill SHARE/SHARE_PUBLIC when missing from an existing permission type (PR #11283 migration)', async () => {
+    // Simulates an existing deployment that has PROMPTS/AGENTS permissions from before PR #11283
+    // introduced SHARE/SHARE_PUBLIC. SHARED_GLOBAL existed previously; after the schema change
+    // the DB document has neither SHARE nor SHARE_PUBLIC set.
+    mockGetRoleByName.mockResolvedValue({
+      permissions: {
+        [PermissionTypes.AGENTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          // SHARE and SHARE_PUBLIC intentionally absent — legacy pre-#11283 document
+        },
+        [PermissionTypes.PROMPTS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          // SHARE and SHARE_PUBLIC intentionally absent — legacy pre-#11283 document
+        },
+        [PermissionTypes.MCP_SERVERS]: {
+          [Permissions.USE]: true,
+          [Permissions.CREATE]: true,
+          [Permissions.SHARE]: false,
+          // SHARE_PUBLIC intentionally absent — added later
+        },
+      },
+    });
+
+    // Boolean configs — these should NOT override the backfilled values
+    const config = {
+      interface: {
+        agents: true,
+        prompts: true,
+      },
+    };
+    const configDefaults = {
+      interface: { agents: true, prompts: true },
+    } as TConfigDefaults;
+    const interfaceConfig = await loadDefaultInterface({ config, configDefaults });
+    const appConfig = { config, interfaceConfig } as unknown as AppConfig;
+
+    await updateInterfacePermissions({
+      appConfig,
+      getRoleByName: mockGetRoleByName,
+      updateAccessPermissions: mockUpdateAccessPermissions,
+    });
+
+    const userCall = mockUpdateAccessPermissions.mock.calls.find(
+      (call) => call[0] === SystemRoles.USER,
+    );
+
+    // AGENTS: SHARE and SHARE_PUBLIC should be backfilled with USER role defaults
+    expect(userCall[1][PermissionTypes.AGENTS]).toHaveProperty(Permissions.SHARE);
+    expect(userCall[1][PermissionTypes.AGENTS]).toHaveProperty(Permissions.SHARE_PUBLIC);
+    // USER role default for SHARE is false
+    expect(userCall[1][PermissionTypes.AGENTS][Permissions.SHARE]).toBe(false);
+    expect(userCall[1][PermissionTypes.AGENTS][Permissions.SHARE_PUBLIC]).toBe(false);
+
+    // PROMPTS: same backfill behaviour
+    expect(userCall[1][PermissionTypes.PROMPTS]).toHaveProperty(Permissions.SHARE);
+    expect(userCall[1][PermissionTypes.PROMPTS]).toHaveProperty(Permissions.SHARE_PUBLIC);
+    expect(userCall[1][PermissionTypes.PROMPTS][Permissions.SHARE]).toBe(false);
+    expect(userCall[1][PermissionTypes.PROMPTS][Permissions.SHARE_PUBLIC]).toBe(false);
+
+    // MCP_SERVERS: SHARE already exists, only SHARE_PUBLIC should be backfilled
+    expect(userCall[1][PermissionTypes.MCP_SERVERS]).toHaveProperty(Permissions.SHARE_PUBLIC);
+    expect(userCall[1][PermissionTypes.MCP_SERVERS]).not.toHaveProperty(Permissions.SHARE);
+  });
 });
diff --git a/packages/api/src/app/permissions.ts b/packages/api/src/app/permissions.ts
