From 24dd7ea3a8efdadb80c157242edeaf05f54f19bf Mon Sep 17 00:00:00 2001
From: Wu Tianwei <30284043+WTW0313@users.noreply.github.com>
Date: Wed, 24 Jun 2026 12:18:59 +0800
Subject: [PATCH] fix: add RBAC feature toggle to environment configuration
 (#37853)

---
 web/.env.example                              |  1 +
 web/__tests__/env.spec.ts                     | 30 +++++++++++++++++++
 web/docker/entrypoint.sh                      |  1 +
 web/env.ts                                    |  2 ++
 .../__tests__/system-features.spec.ts         |  4 +++
 web/features/system-features/config.ts        |  1 +
 6 files changed, 39 insertions(+)

diff --git a/web/.env.example b/web/.env.example
index 112232e529c..7363ce628f3 100644
--- a/web/.env.example
+++ b/web/.env.example
@@ -116,3 +116,4 @@ NEXT_PUBLIC_ENABLE_CHANGE_EMAIL=true
 NEXT_PUBLIC_CREATORS_PLATFORM_FEATURES_ENABLED=true
 NEXT_PUBLIC_ENABLE_TRIAL_APP=true
 NEXT_PUBLIC_ENABLE_EXPLORE_BANNER=true
+NEXT_PUBLIC_RBAC_ENABLED=false
diff --git a/web/__tests__/env.spec.ts b/web/__tests__/env.spec.ts
index 89781d32685..419dcadf030 100644
--- a/web/__tests__/env.spec.ts
+++ b/web/__tests__/env.spec.ts
@@ -1,5 +1,6 @@
 describe('env runtime transport', () => {
   const originalAgentV2Env = process.env.NEXT_PUBLIC_ENABLE_AGENT_V2
+  const originalRbacEnv = process.env.NEXT_PUBLIC_RBAC_ENABLED
 
   beforeEach(() => {
     vi.clearAllMocks()
@@ -7,7 +8,9 @@ describe('env runtime transport', () => {
     vi.doUnmock('../utils/client')
     document.body.removeAttribute('data-enable-agent-v2')
     document.body.removeAttribute('data-enable-agent-v-2')
+    document.body.removeAttribute('data-rbac-enabled')
     delete process.env.NEXT_PUBLIC_ENABLE_AGENT_V2
+    delete process.env.NEXT_PUBLIC_RBAC_ENABLED
   })
 
   afterAll(() => {
@@ -15,6 +18,11 @@ describe('env runtime transport', () => {
       delete process.env.NEXT_PUBLIC_ENABLE_AGENT_V2
     else
       process.env.NEXT_PUBLIC_ENABLE_AGENT_V2 = originalAgentV2Env
+
+    if (originalRbacEnv === undefined)
+      delete process.env.NEXT_PUBLIC_RBAC_ENABLED
+    else
+      process.env.NEXT_PUBLIC_RBAC_ENABLED = originalRbacEnv
   })
 
   it('should read NEXT_PUBLIC_ENABLE_AGENT_V2 from the browser runtime dataset key', async () => {
@@ -25,6 +33,14 @@ describe('env runtime transport', () => {
     expect(env.NEXT_PUBLIC_ENABLE_AGENT_V2).toBe(true)
   })
 
+  it('should read NEXT_PUBLIC_RBAC_ENABLED from the browser runtime dataset key', async () => {
+    document.body.setAttribute('data-rbac-enabled', 'true')
+
+    const { env } = await import('../env')
+
+    expect(env.NEXT_PUBLIC_RBAC_ENABLED).toBe(true)
+  })
+
   it('should emit the Agent v2 runtime dataset attribute from getDatasetMap on the server', async () => {
     process.env.NEXT_PUBLIC_ENABLE_AGENT_V2 = 'true'
 
@@ -39,4 +55,18 @@ describe('env runtime transport', () => {
     expect(datasetMap['data-enable-agent-v2']).toBe(true)
     expect(datasetMap['data-enable-agent-v-2']).toBeUndefined()
   })
+
+  it('should emit the RBAC runtime dataset attribute from getDatasetMap on the server', async () => {
+    process.env.NEXT_PUBLIC_RBAC_ENABLED = 'true'
+
+    vi.doMock('../utils/client', () => ({
+      isClient: false,
+      isServer: true,
+    }))
+
+    const { getDatasetMap } = await import('../env')
+    const datasetMap = getDatasetMap()
+
+    expect(datasetMap['data-rbac-enabled']).toBe(true)
+  })
 })
diff --git a/web/docker/entrypoint.sh b/web/docker/entrypoint.sh
index 31872154d70..48600464f69 100755
--- a/web/docker/entrypoint.sh
+++ b/web/docker/entrypoint.sh
@@ -42,6 +42,7 @@ export NEXT_PUBLIC_ENABLE_CHANGE_EMAIL=${NEXT_PUBLIC_ENABLE_CHANGE_EMAIL:-${ENAB
 export NEXT_PUBLIC_CREATORS_PLATFORM_FEATURES_ENABLED=${NEXT_PUBLIC_CREATORS_PLATFORM_FEATURES_ENABLED:-${CREATORS_PLATFORM_FEATURES_ENABLED}}
 export NEXT_PUBLIC_ENABLE_TRIAL_APP=${NEXT_PUBLIC_ENABLE_TRIAL_APP:-${ENABLE_TRIAL_APP}}
 export NEXT_PUBLIC_ENABLE_EXPLORE_BANNER=${NEXT_PUBLIC_ENABLE_EXPLORE_BANNER:-${ENABLE_EXPLORE_BANNER}}
+export NEXT_PUBLIC_RBAC_ENABLED=${NEXT_PUBLIC_RBAC_ENABLED:-${RBAC_ENABLED}}
 
 export NEXT_PUBLIC_TEXT_GENERATION_TIMEOUT_MS=${TEXT_GENERATION_TIMEOUT_MS}
 export NEXT_PUBLIC_CSP_WHITELIST=${CSP_WHITELIST}
diff --git a/web/env.ts b/web/env.ts
index 01610267b6d..30f32aa2a4a 100644
--- a/web/env.ts
+++ b/web/env.ts
@@ -87,6 +87,7 @@ const clientSchema = {
   NEXT_PUBLIC_CREATORS_PLATFORM_FEATURES_ENABLED: coercedBoolean.default(true),
   NEXT_PUBLIC_ENABLE_TRIAL_APP: coercedBoolean.default(true),
   NEXT_PUBLIC_ENABLE_EXPLORE_BANNER: coercedBoolean.default(true),
+  NEXT_PUBLIC_RBAC_ENABLED: coercedBoolean.default(false),
 
   /**
    * Enable inline LaTeX rendering with single dollar signs ($...$)
@@ -216,6 +217,7 @@ export const env = createEnv({
     NEXT_PUBLIC_CREATORS_PLATFORM_FEATURES_ENABLED: isServer ? process.env.NEXT_PUBLIC_CREATORS_PLATFORM_FEATURES_ENABLED : getRuntimeEnvFromBody('creatorsPlatformFeaturesEnabled'),
     NEXT_PUBLIC_ENABLE_TRIAL_APP: isServer ? process.env.NEXT_PUBLIC_ENABLE_TRIAL_APP : getRuntimeEnvFromBody('enableTrialApp'),
     NEXT_PUBLIC_ENABLE_EXPLORE_BANNER: isServer ? process.env.NEXT_PUBLIC_ENABLE_EXPLORE_BANNER : getRuntimeEnvFromBody('enableExploreBanner'),
+    NEXT_PUBLIC_RBAC_ENABLED: isServer ? process.env.NEXT_PUBLIC_RBAC_ENABLED : getRuntimeEnvFromBody('rbacEnabled'),
 
     NEXT_PUBLIC_ENABLE_SINGLE_DOLLAR_LATEX: isServer ? process.env.NEXT_PUBLIC_ENABLE_SINGLE_DOLLAR_LATEX : getRuntimeEnvFromBody('enableSingleDollarLatex'),
     NEXT_PUBLIC_ENABLE_WEBSITE_FIRECRAWL: isServer ? process.env.NEXT_PUBLIC_ENABLE_WEBSITE_FIRECRAWL : getRuntimeEnvFromBody('enableWebsiteFirecrawl'),
diff --git a/web/features/system-features/__tests__/system-features.spec.ts b/web/features/system-features/__tests__/system-features.spec.ts
index fa0938fb12e..78b94cc94f6 100644
--- a/web/features/system-features/__tests__/system-features.spec.ts
+++ b/web/features/system-features/__tests__/system-features.spec.ts
@@ -22,6 +22,7 @@ const defaultCloudEnv = {
   NEXT_PUBLIC_ENABLE_SOCIAL_OAUTH_LOGIN: true,
   NEXT_PUBLIC_ENABLE_TRIAL_APP: true,
   NEXT_PUBLIC_IS_EMAIL_SETUP: true,
+  NEXT_PUBLIC_RBAC_ENABLED: false,
 }
 
 const queryKey = ['console', 'systemFeatures'] as const
@@ -139,6 +140,7 @@ describe('systemFeaturesQueryOptions', () => {
       enable_email_password_login: false,
       enable_social_oauth_login: true,
       enable_trial_app: true,
+      rbac_enabled: false,
     })
   })
 
@@ -151,6 +153,7 @@ describe('systemFeaturesQueryOptions', () => {
         NEXT_PUBLIC_ENABLE_COLLABORATION_MODE: true,
         NEXT_PUBLIC_ALLOW_REGISTER: false,
         NEXT_PUBLIC_ENABLE_EXPLORE_BANNER: false,
+        NEXT_PUBLIC_RBAC_ENABLED: true,
       },
     })
 
@@ -163,6 +166,7 @@ describe('systemFeaturesQueryOptions', () => {
       enable_collaboration_mode: true,
       is_allow_register: false,
       enable_explore_banner: false,
+      rbac_enabled: true,
       branding: {
         enabled: false,
         application_title: '',
diff --git a/web/features/system-features/config.ts b/web/features/system-features/config.ts
index 1b0c88a9ea2..0c5d91af5bf 100644
--- a/web/features/system-features/config.ts
+++ b/web/features/system-features/config.ts
@@ -101,4 +101,5 @@ export const cloudSystemFeatures = {
   enable_creators_platform: env.NEXT_PUBLIC_CREATORS_PLATFORM_FEATURES_ENABLED,
   enable_trial_app: env.NEXT_PUBLIC_ENABLE_TRIAL_APP,
   enable_explore_banner: env.NEXT_PUBLIC_ENABLE_EXPLORE_BANNER,
+  rbac_enabled: env.NEXT_PUBLIC_RBAC_ENABLED,
 } satisfies GetSystemFeaturesResponse