address bugbot comments

2026-02-15 08:55:05 -05:00 · 2026-02-14 12:27:03 -08:00
parent cd1ccf1f1f
commit 41cdca20d6
2 changed files with 18 additions and 11 deletions
--- a/apps/sim/app/api/credentials/[id]/members/route.ts
+++ b/apps/sim/app/api/credentials/[id]/members/route.ts
@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'

 const logger = createLogger('CredentialMembersAPI')

@@ -37,7 +38,7 @@ export async function GET(_request: NextRequest, context: RouteContext) {
    const { id: credentialId } = await context.params

    const [cred] = await db
-      .select({ id: credential.id })
+      .select({ id: credential.id, workspaceId: credential.workspaceId })
      .from(credential)
      .where(eq(credential.id, credentialId))
      .limit(1)
@@ -46,6 +47,15 @@ export async function GET(_request: NextRequest, context: RouteContext) {
      return NextResponse.json({ members: [] }, { status: 200 })
    }

+    const callerPerm = await getUserEntityPermissions(
+      session.user.id,
+      'workspace',
+      cred.workspaceId
+    )
+    if (callerPerm === null) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
    const members = await db
      .select({
        id: credentialMember.id,
--- a/apps/sim/lib/auth/credential-access.ts
+++ b/apps/sim/lib/auth/credential-access.ts
@@ -39,6 +39,8 @@ export async function authorizeCredentialUse(
    return { ok: false, error: auth.error || 'Authentication required' }
  }

+  const actingUserId = auth.authType === 'internal_jwt' ? callerUserId : auth.userId
+
  const [workflowContext] = workflowId
    ? await db
        .select({ workspaceId: workflowTable.workspaceId })
@@ -81,12 +83,9 @@ export async function authorizeCredentialUse(
      return { ok: false, error: 'Credential account not found' }
    }

-    const effectiveCallerId =
-      callerUserId || (auth.authType !== 'internal_jwt' ? auth.userId : null)
-
-    if (effectiveCallerId) {
+    if (actingUserId) {
      const requesterPerm = await getUserEntityPermissions(
-        effectiveCallerId,
+        actingUserId,
        'workspace',
        platformCredential.workspaceId
      )
@@ -97,7 +96,7 @@ export async function authorizeCredentialUse(
        .where(
          and(
            eq(credentialMember.credentialId, platformCredential.id),
-            eq(credentialMember.userId, effectiveCallerId),
+            eq(credentialMember.userId, actingUserId),
            eq(credentialMember.status, 'active')
          )
        )
@@ -167,16 +166,14 @@ export async function authorizeCredentialUse(
      return { ok: false, error: 'Credential account not found' }
    }

-    const legacyCallerId = callerUserId || (auth.authType !== 'internal_jwt' ? auth.userId : null)
-
-    if (legacyCallerId) {
+    if (actingUserId) {
      const [membership] = await db
        .select({ id: credentialMember.id })
        .from(credentialMember)
        .where(
          and(
            eq(credentialMember.credentialId, workspaceCredential.id),
-            eq(credentialMember.userId, legacyCallerId),
+            eq(credentialMember.userId, actingUserId),
            eq(credentialMember.status, 'active')
          )
        )