fix(agent): fix agent visibility defaults and permission model

- Change DB default for agent visibility from 'workspace' to 'private' - Fix canManageAgent: workspace agents are now manageable by all members, private agents remain restricted to owner/admin - Add private agent visibility check to BatchAssigneePicker (was missing)
2026-03-31 14:34:04 +08:00 · 2026-03-31 14:34:04 +08:00 · bedf4a05c8
commit bedf4a05c8
parent 2152fec4ee
4 changed files with 46 additions and 25 deletions
--- a/server/internal/handler/agent.go
+++ b/server/internal/handler/agent.go
@ -326,24 +326,23 @@ type UpdateAgentRequest struct {
 }

 // canManageAgent checks whether the current user can update or delete an agent.
-// Workspace-visible agents require owner/admin role. Private agents additionally
-// require the user to be the agent's owner (or a workspace owner/admin).
+// Workspace-visible agents can be managed by any workspace member.
+// Private agents can only be managed by their owner or workspace owner/admin.
 func (h *Handler) canManageAgent(w http.ResponseWriter, r *http.Request, agent db.Agent) bool {
 	wsID := uuidToString(agent.WorkspaceID)
 	member, ok := h.requireWorkspaceRole(w, r, wsID, "agent not found", "owner", "admin", "member")
 	if !ok {
 		return false
 	}
+	if agent.Visibility != "private" {
+		return true
+	}
 	isAdmin := roleAllowed(member.Role, "owner", "admin")
 	isAgentOwner := uuidToString(agent.OwnerID) == requestUserID(r)
-	if agent.Visibility == "private" && !isAdmin && !isAgentOwner {
+	if !isAdmin && !isAgentOwner {
 		writeError(w, http.StatusForbidden, "only the agent owner can manage this private agent")
 		return false
 	}
-	if agent.Visibility != "private" && !isAdmin && !isAgentOwner {
-		writeError(w, http.StatusForbidden, "insufficient permissions")
-		return false
-	}
 	return true
 }