fix tables auth
@@ -162,17 +162,18 @@ export async function checkKnowledgeBaseAccess(
|
||||
|
||||
const kbData = kb[0]
|
||||
|
||||
// Case 1: User owns the knowledge base directly
|
||||
if (kbData.userId === userId) {
|
||||
return { hasAccess: true, knowledgeBase: kbData }
|
||||
}
|
||||
|
||||
// Case 2: Knowledge base belongs to a workspace the user has permissions for
|
||||
if (kbData.workspaceId) {
|
||||
// Workspace KB: use workspace permissions only
|
||||
const userPermission = await getUserEntityPermissions(userId, 'workspace', kbData.workspaceId)
|
||||
if (userPermission !== null) {
|
||||
return { hasAccess: true, knowledgeBase: kbData }
|
||||
}
|
||||
return { hasAccess: false }
|
||||
}
|
||||
|
||||
// Legacy non-workspace KB: allow owner access
|
||||
if (kbData.userId === userId) {
|
||||
return { hasAccess: true, knowledgeBase: kbData }
|
||||
}
|
||||
|
||||
return { hasAccess: false }
|
||||
@@ -181,8 +182,8 @@ export async function checkKnowledgeBaseAccess(
|
||||
/**
|
||||
* Check if a user has write access to a knowledge base
|
||||
* Write access is granted if:
|
||||
* 1. User owns the knowledge base directly, OR
|
||||
* 2. User has write or admin permissions on the knowledge base's workspace
|
||||
* 1. KB has a workspace: user has write or admin permissions on that workspace
|
||||
* 2. KB has no workspace (legacy): user owns the KB directly
|
||||
*/
|
||||
export async function checkKnowledgeBaseWriteAccess(
|
||||
knowledgeBaseId: string,
|
||||
@@ -204,17 +205,18 @@ export async function checkKnowledgeBaseWriteAccess(
|
||||
|
||||
const kbData = kb[0]
|
||||
|
||||
// Case 1: User owns the knowledge base directly
|
||||
if (kbData.userId === userId) {
|
||||
return { hasAccess: true, knowledgeBase: kbData }
|
||||
}
|
||||
|
||||
// Case 2: Knowledge base belongs to a workspace and user has write/admin permissions
|
||||
if (kbData.workspaceId) {
|
||||
// Workspace KB: use workspace permissions only
|
||||
const userPermission = await getUserEntityPermissions(userId, 'workspace', kbData.workspaceId)
|
||||
if (userPermission === 'write' || userPermission === 'admin') {
|
||||
return { hasAccess: true, knowledgeBase: kbData }
|
||||
}
|
||||
return { hasAccess: false }
|
||||
}
|
||||
|
||||
// Legacy non-workspace KB: allow owner access
|
||||
if (kbData.userId === userId) {
|
||||
return { hasAccess: true, knowledgeBase: kbData }
|
||||
}
|
||||
|
||||
return { hasAccess: false }
|
||||
|
||||
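Review bot: The read gate at `if (userPermission !== null)` in `checkKnowledgeBaseAccess` grants access on any value the helper returns other than `null`, while the write gate in `checkKnowledgeBaseWriteAccess` a few lines down uses an explicit allow-list; an `undefined` return or an unexpected permission string would pass the read check but not the write check. Mirror the allow-list so the read path is closed by default, e.g. `if (userPermission === 'read' || userPermission === 'write' || userPermission === 'admin') {` (the table TSDoc in this commit names read/write/admin as the permission set, but the literal values need confirming against `getUserEntityPermissions`). The `if (kbData.workspaceId)` truthiness test also routes an empty-string workspace id into the legacy owner branch; compare against `null`/`undefined` if the column can hold `''`. Both `checkKnowledgeBaseAccess` and `checkKnowledgeBaseWriteAccess` begin before their hunks.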
@@ -1,7 +1,4 @@
|
||||
import { db } from '@sim/db'
|
||||
import { permissions, workspace } from '@sim/db/schema'
|
||||
import { createLogger } from '@sim/logger'
|
||||
import { and, eq } from 'drizzle-orm'
|
||||
import { type NextRequest, NextResponse } from 'next/server'
|
||||
import { z } from 'zod'
|
||||
import { checkHybridAuth } from '@/lib/auth/hybrid'
|
||||
@@ -14,6 +11,7 @@ import {
|
||||
TABLE_LIMITS,
|
||||
type TableSchema,
|
||||
} from '@/lib/table'
|
||||
import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
|
||||
import { normalizeColumn } from './utils'
|
||||
|
||||
const logger = createLogger('TableAPI')
|
||||
@@ -83,47 +81,14 @@ async function checkWorkspaceAccess(
|
||||
workspaceId: string,
|
||||
userId: string
|
||||
): Promise<WorkspaceAccessResult> {
|
||||
const [workspaceData] = await db
|
||||
.select({
|
||||
id: workspace.id,
|
||||
ownerId: workspace.ownerId,
|
||||
})
|
||||
.from(workspace)
|
||||
.where(eq(workspace.id, workspaceId))
|
||||
.limit(1)
|
||||
const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
|
||||
|
||||
if (!workspaceData) {
|
||||
if (permission === null) {
|
||||
return { hasAccess: false, canWrite: false }
|
||||
}
|
||||
|
||||
if (workspaceData.ownerId === userId) {
|
||||
return { hasAccess: true, canWrite: true }
|
||||
}
|
||||
|
||||
const [permission] = await db
|
||||
.select({
|
||||
permissionType: permissions.permissionType,
|
||||
})
|
||||
.from(permissions)
|
||||
.where(
|
||||
and(
|
||||
eq(permissions.userId, userId),
|
||||
eq(permissions.entityType, 'workspace'),
|
||||
eq(permissions.entityId, workspaceId)
|
||||
)
|
||||
)
|
||||
.limit(1)
|
||||
|
||||
if (!permission) {
|
||||
return { hasAccess: false, canWrite: false }
|
||||
}
|
||||
|
||||
const canWrite = permission.permissionType === 'admin' || permission.permissionType === 'write'
|
||||
|
||||
return {
|
||||
hasAccess: true,
|
||||
canWrite,
|
||||
}
|
||||
const canWrite = permission === 'admin' || permission === 'write'
|
||||
return { hasAccess: true, canWrite }
|
||||
}
|
||||
|
||||
/** POST /api/table - Creates a new user-defined table. */
|
||||
|
||||
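Review bot: The rewritten `checkWorkspaceAccess` drops the `workspace.ownerId === userId` branch, so a workspace owner is now granted access only if `getUserEntityPermissions` returns a permission for them; that is correct only if every owner is guaranteed an `admin` row, and nothing in the hunk establishes that invariant. If ownership is tracked solely on `workspace.ownerId` (the column the removed query read), owners without a permissions row lose table write access outright — an availability regression rather than an escalation, but worth a test. Either confirm the invariant and record it above the call, `// Workspace owners are assumed to hold an admin row in permissions; ownerId is intentionally not consulted`, or keep the single-row owner lookup as a fallback before returning `{ hasAccess: false, canWrite: false }`. The `'admin' || 'write'` test is now written three times across this commit; a small shared predicate in `@/lib/workspaces/permissions/utils` would stop the policies drifting.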
@@ -28,11 +28,7 @@ export interface ApiErrorResponse {
|
||||
|
||||
/**
|
||||
* Check if a user has read access to a table.
|
||||
* Read access is granted if:
|
||||
* 1. User created the table, OR
|
||||
* 2. User has any permission on the table's workspace (read, write, or admin)
|
||||
*
|
||||
* Follows the same pattern as Knowledge Base access checks.
|
||||
* Read access requires any workspace permission (read, write, or admin).
|
||||
*/
|
||||
export async function checkTableAccess(tableId: string, userId: string): Promise<TableAccessCheck> {
|
||||
const table = await getTableById(tableId)
|
||||
@@ -41,12 +37,6 @@ export async function checkTableAccess(tableId: string, userId: string): Promise
|
||||
return { hasAccess: false, notFound: true }
|
||||
}
|
||||
|
||||
// Case 1: User created the table
|
||||
if (table.createdBy === userId) {
|
||||
return { hasAccess: true, table }
|
||||
}
|
||||
|
||||
// Case 2: Table belongs to a workspace the user has permissions for
|
||||
const userPermission = await getUserEntityPermissions(userId, 'workspace', table.workspaceId)
|
||||
if (userPermission !== null) {
|
||||
return { hasAccess: true, table }
|
||||
@@ -57,11 +47,7 @@ export async function checkTableAccess(tableId: string, userId: string): Promise
|
||||
|
||||
/**
|
||||
* Check if a user has write access to a table.
|
||||
* Write access is granted if:
|
||||
* 1. User created the table, OR
|
||||
* 2. User has write or admin permissions on the table's workspace
|
||||
*
|
||||
* Follows the same pattern as Knowledge Base write access checks.
|
||||
* Write access requires write or admin workspace permission.
|
||||
*/
|
||||
export async function checkTableWriteAccess(
|
||||
tableId: string,
|
||||
@@ -73,12 +59,6 @@ export async function checkTableWriteAccess(
|
||||
return { hasAccess: false, notFound: true }
|
||||
}
|
||||
|
||||
// Case 1: User created the table
|
||||
if (table.createdBy === userId) {
|
||||
return { hasAccess: true, table }
|
||||
}
|
||||
|
||||
// Case 2: Table belongs to a workspace and user has write/admin permissions
|
||||
const userPermission = await getUserEntityPermissions(userId, 'workspace', table.workspaceId)
|
||||
if (userPermission === 'write' || userPermission === 'admin') {
|
||||
return { hasAccess: true, table }
|
||||
@@ -88,8 +68,8 @@ export async function checkTableWriteAccess(
|
||||
}
|
||||
|
||||
/**
|
||||
* @deprecated Use checkTableAccess or checkTableWriteAccess instead.
|
||||
* Legacy access check function for backwards compatibility.
|
||||
* Access check returning `{ ok, table }` or `{ ok: false, status }`.
|
||||
* Uses workspace permissions only.
|
||||
*/
|
||||
export async function checkAccess(
|
||||
tableId: string,
|
||||
@@ -102,10 +82,6 @@ export async function checkAccess(
|
||||
return { ok: false, status: 404 }
|
||||
}
|
||||
|
||||
if (table.createdBy === userId) {
|
||||
return { ok: true, table }
|
||||
}
|
||||
|
||||
const permission = await getUserEntityPermissions(userId, 'workspace', table.workspaceId)
|
||||
const hasAccess =
|
||||
permission !== null &&
|
||||
|
||||
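Review bot: The deprecated `checkAccess` in the last hunk re-implements the same workspace-permission rule as `checkTableAccess`, so the table authorization policy now lives in two places in this file (three with `checkTableWriteAccess`) and can drift; its `permission !== null &&` test is also the broad form where the write check uses an explicit allow-list. Have `checkAccess` delegate, e.g. `const result = await checkTableAccess(tableId, userId)` and then map `result.notFound` to `{ ok: false, status: 404 }` and `!result.hasAccess` to the existing error status, so there is a single enforcement point to review. Note also that `checkTableAccess` distinguishes `notFound: true` from a plain `{ hasAccess: false }`; if the route layer maps these to 404 vs 403, an unauthorized caller can probe whether a table id exists, so the TSDoc should say whether callers may surface that distinction. `checkAccess`'s body and the `hasAccess` expression continue past the end of the hunk.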