@vellanki-santhosh

Description

Enable read-only access to chatflow and agentflow configuration settings through new view-only permissions.

Changes

  • Add new permissions: chatflows:config:view and agentflows:config:view
  • Update menu items to display configuration option for both edit and view-only users
  • Add read-only mode support to all 12+ configuration components
  • Disable all input controls and hide save buttons when in read-only mode
  • Implement permission checks in ChatflowConfigurationDialog to gate access

Components Updated

  • Permissions system (server-side)
  • Menu items (settings.js, agentsettings.js)
  • ChatflowConfigurationDialog (gateway component)
  • All configuration sub-components:
    • StarterPrompts
    • AllowedDomains
    • RateLimit
    • Security (container)
    • OverrideConfig
    • SpeechToText
    • TextToSpeech
    • ChatFeedback
    • FileUpload
    • Leads
    • FollowUpPrompts
    • AnalyseFlow
    • PostProcessing

Use Case

Organizations can now create read-only users/roles that can view chatflow and agentflow configurations without being able to modify them. This allows team members to monitor and review configurations while preventing accidental or unauthorized changes.

Testing

  • Create a role with only chatflows:config:view and agentflows:config:view permissions
  • Verify configuration menu appears for read-only users
  • Verify all input fields are disabled and cannot be modified
  • Verify save buttons are not visible

vellanki-santhosh and others added 5 commits January 10, 2026 08:19
…ta-v2

Add usage metadata to onLLMEnd analytics handler
…flows

- Add new permissions 'chatflows:config:view' and 'agentflows:config:view' to enable read-only access to configuration settings
- Update menu items to show configuration option for both edit and view-only users
- Add readOnly mode support to all configuration components (StarterPrompts, AllowedDomains, RateLimit, Security, OverrideConfig, SpeechToText, TextToSpeech, ChatFeedback, FileUpload, Leads, FollowUpPrompts, AnalyseFlow, PostProcessing)
- Disable all input controls and hide save buttons when in read-only mode
- Implement permission checks in ChatflowConfigurationDialog to gate access and determine edit vs view-only mode

This allows organizations to create read-only users who can monitor and view chatflow/agentflow configurations without having the ability to modify them.
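
The read-only mode described above is enforced in the UI (disabled inputs, hidden save buttons), so the same view/edit distinction has to be checked again on the server for requests that never pass through the dialog. The sketch below is an added example, not code from this pull request or from the project; the `:edit` permission names, the `{ method, resource }` request shape and the function name `authorizeConfigRequest` are assumptions.

```javascript
// Added example: server-side decision for view-only configuration permissions.
// The two ":view" names come from the PR description; the ":edit" names and the
// request shape ({ method, resource }) are assumptions made for illustration.
const VIEW = { chatflows: 'chatflows:config:view', agentflows: 'agentflows:config:view' }
const EDIT = { chatflows: 'chatflows:config:edit', agentflows: 'agentflows:config:edit' } // hypothetical

const READ_METHODS = new Set(['GET', 'HEAD'])

// Returns { allowed, readOnly, reason } for one configuration request.
function authorizeConfigRequest(userPermissions, { method, resource }) {
    const granted = new Set(userPermissions)
    // Own-property check so names like "__proto__" are not treated as resources
    if (!Object.prototype.hasOwnProperty.call(VIEW, resource)) {
        return { allowed: false, readOnly: true, reason: 'unknown resource' }
    }
    const canEdit = granted.has(EDIT[resource])
    const canView = canEdit || granted.has(VIEW[resource])
    if (READ_METHODS.has(String(method).toUpperCase())) {
        return canView
            ? { allowed: true, readOnly: !canEdit, reason: 'read' }
            : { allowed: false, readOnly: true, reason: 'missing view permission' }
    }
    // Every other method is treated as state-changing and needs the edit permission
    return canEdit
        ? { allowed: true, readOnly: false, reason: 'write' }
        : { allowed: false, readOnly: true, reason: 'missing edit permission' }
}

// Constructed sample: a role limited to the two view permissions from the PR.
const viewer = [VIEW.chatflows, VIEW.agentflows]
const requests = [
    { method: 'GET', resource: 'chatflows' },
    { method: 'PUT', resource: 'chatflows' }, // sent directly, not through the disabled UI
    { method: 'POST', resource: 'agentflows' }
]
for (const req of requests) {
    const d = authorizeConfigRequest(viewer, req)
    console.log(req.method, req.resource, d.allowed ? 'allow' : 'deny', `(${d.reason})`)
}
```

The `readOnly` flag in the result is what a client could use to choose between the edit and view-only rendering, while `allowed` is the decision the server applies regardless of what the client rendered.
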
@gemini-code-assist
Contributor

Summary of Changes

Hello @vellanki-santhosh, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the access control system by introducing granular view-only permissions for chatflow and agentflow configurations. It ensures that users with these new permissions can inspect all relevant settings without the ability to make changes, improving security and operational oversight. Concurrently, the PR upgrades the analytics capabilities by integrating detailed LLM usage metadata and refines the Composio tool's connection management for a more robust and user-friendly experience.

Highlights

  • View-Only Configuration Permissions: Introduced new permissions (chatflows:config:view and agentflows:config:view) to allow read-only access to chatflow and agentflow configuration settings, enabling users to monitor configurations without modification.
  • UI Read-Only Mode Implementation: Updated the UI across all 12+ configuration components (e.g., StarterPrompts, AllowedDomains, RateLimit, Security, SpeechToText, TextToSpeech, Leads, FileUpload, PostProcessing, AnalyseFlow, FollowUpPrompts) to support a read-only mode. This disables input controls and hides save buttons when a user only has view permissions.
  • Enhanced Analytics Tracking: Modified the onLLMEnd and onLLMError analytic handlers to accept and process usageMetadata (including input/output/total tokens and cost) for LLM calls, providing more comprehensive tracking for Langfuse.
  • Composio Tool Integration Improvement: Refactored the Composio tool to better handle multiple connected accounts. The 'Auth Status' field is now 'Connected Account', allowing users to select specific active connections, and the tool's getTools method now correctly utilizes the selected connection's entity ID for authenticated apps.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces view-only permissions for chatflow and agentflow configurations, a valuable feature for enhancing access control. The changes are extensive, touching backend permissions, analytics handling, and numerous frontend components to support a new readOnly mode. The implementation is mostly solid, but I've identified opportunities to improve code maintainability by addressing duplication in the analytics and agent logic, and to enhance type safety in the Composio tool implementation. My feedback focuses on these areas to help strengthen the codebase.

I am having trouble creating individual review comments. Click here to see my feedback.

packages/components/nodes/agents/OpenAIAssistant/OpenAIAssistant.ts (937-950)

medium

This block of code to extract usage metadata is duplicated from lines 628-641 in this same file. To improve maintainability and reduce redundancy, consider extracting this logic into a shared helper function.

For example, you could create a function like this:

async function getUsageMetadata(openai: OpenAI, threadId: string, runThreadId: string): Promise<any> {
    try {
        const completedRun = await openai.beta.threads.runs.retrieve(threadId, runThreadId);
        if (completedRun.usage) {
            return {
                input_tokens: completedRun.usage.prompt_tokens,
                output_tokens: completedRun.usage.completion_tokens,
                total_tokens: completedRun.usage.total_tokens,
            };
        }
    } catch (error) {
        console.error('Error retrieving run usage:', error);
    }
    return undefined;
}

Then you can replace the duplicated blocks with a single call:

const usageMetadata = await getUsageMetadata(openai, threadId, runThreadId);

packages/components/nodes/tools/Composio/Composio.ts (208)

medium

Using any for the connection object c weakens type safety. It's better to define an interface for the connection object to ensure properties like status, clientUniqueUserId, id, and createdAt are correctly typed. This improves code readability and helps prevent potential runtime errors.

Consider defining an interface like this:

interface IComposioConnection {
    id: string;
    clientUniqueUserId?: string;
    status: 'ACTIVE' | 'INACTIVE'; // Or other possible statuses
    createdAt: string; // Or Date
}

And then use it in the filter:

const activeConnections = connections.items?.filter((c: IComposioConnection) => c.status === 'ACTIVE') || []

This practice should be applied to other uses of any in this file as well.

packages/components/src/handler.ts (1537-1567)

medium

This block for processing usageMetadata is nearly identical to the one in onLLMEnd (lines 1421-1461). To avoid code duplication and improve maintainability, this logic should be extracted into a private helper method.

Here's a suggested refactoring:

  1. Create a helper method to handle token mapping:

    private _prepareLangfuseUsage(usageMetadata: any): any | undefined {
        if (!usageMetadata) return undefined;
    
        const usage: any = { unit: 'TOKENS' };
    
        // Handle modern and legacy token formats
        usage.input = usageMetadata.input_tokens ?? usageMetadata.promptTokens;
        usage.output = usageMetadata.output_tokens ?? usageMetadata.completionTokens;
        usage.total = usageMetadata.total_tokens ?? usageMetadata.totalTokens;
    
        // Filter out undefined values
        Object.keys(usage).forEach(key => usage[key] === undefined && delete usage[key]);
        
        return Object.keys(usage).length > 1 ? usage : undefined;
    }

  2. Use this helper in both onLLMEnd and onLLMError:

    In onLLMEnd:

    if (usageMetadata) {
        const usage = this._prepareLangfuseUsage(usageMetadata);
        if (usage) {
            // Add cost data if available
            if (usageMetadata.inputCost !== undefined) usage.inputCost = usageMetadata.inputCost;
            if (usageMetadata.outputCost !== undefined) usage.outputCost = usageMetadata.outputCost;
            if (usageMetadata.totalCost !== undefined) usage.totalCost = usageMetadata.totalCost;
            endParams.usage = usage;
        }
    }

    In onLLMError (this block):

    if (usageMetadata) {
        const usage = this._prepareLangfuseUsage(usageMetadata);
        if (usage) {
            endParams.usage = usage;
        }
    }

@vellanki-santhosh
Author

Thanks for the summary, Gemini!
I’ve verified that all configuration components correctly support read-only mode, and I’ve tested with roles limited to chatflows:config:view and agentflows:config:view.
Inputs are disabled and save buttons hidden as expected.

I’ll wait for reviewer feedback before merging, but since there are no conflicts, this PR is ready for approval.

@HenryHengZJ
Contributor

We already have the view only permissions: chatflows:view, agentflows:view etc
