Skip to content

fix(credentials): reflect workspace permission in credential member role #4699

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
minijeong-log wants to merge 11 commits into
base: staging
Choose a base branch
from
Open

fix(credentials): reflect workspace permission in credential member role #4699

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
8d78ecb
fix(credentials): reflect workspace permission in credential member role
minijeong-log May 21, 2026
1bbf7c6
fix(credentials): apply permission mapping in createWorkspaceEnvCrede…
minijeong-log May 21, 2026
71db264
perf(credentials): hoist permissions query out of per-credential loop
minijeong-log May 21, 2026
d1891c9
perf(credentials): eliminate redundant permissions query
minijeong-log May 21, 2026
78b6c88
fix(credentials): remove session.user.id from admin check for consist…
minijeong-log May 21, 2026
ad7ee85
fix(credentials): use tx instead of db for permissions query inside t…
minijeong-log May 22, 2026
c37e20c
refactor(credentials): remove unused getWorkspaceMemberUserIds
minijeong-log May 22, 2026
24eb310
merge: resolve conflict with upstream staging
minijeong-log May 22, 2026
80c7061
fix(credentials): restrict credential creation to workspace admin
minijeong-log May 22, 2026
305e02c
fix(credentials): grant admin role to credential creator
minijeong-log May 22, 2026
573ebd6
fix(credentials): remove actingUserId from ensureWorkspaceCredentialM…
minijeong-log May 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 19 additions & 7 deletions apps/sim/app/api/credentials/route.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
import { db } from '@sim/db'
import { account, credential, credentialMember, workspace } from '@sim/db/schema'
import { account, credential, credentialMember, permissions, workspace } from '@sim/db/schema'
import { createLogger } from '@sim/logger'
import { getPostgresErrorCode } from '@sim/utils/errors'
import { generateId } from '@sim/utils/id'
Expand All @@ -22,7 +22,6 @@ import {
normalizeAtlassianDomain,
validateAtlassianServiceAccount,
} from '@/lib/credentials/atlassian-service-account'
import { getWorkspaceMemberUserIds } from '@/lib/credentials/environment'
import { syncWorkspaceOAuthCredentialsForUser } from '@/lib/credentials/oauth'
import { getServiceConfigByProviderId } from '@/lib/oauth'
import {
Expand Down Expand Up @@ -535,17 +534,30 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
})

if ((type === 'env_workspace' || type === 'service_account') && workspaceRow?.ownerId) {
const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
const wsPermissionRows = await tx
.select({ userId: permissions.userId, permissionType: permissions.permissionType })
.from(permissions)
.where(
and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))
)
Comment thread
cursor[bot] marked this conversation as resolved.
const wsPermissionByUser = new Map(
wsPermissionRows.map((row) => [row.userId, row.permissionType])
)
const workspaceUserIds = Array.from(
new Set([workspaceRow.ownerId, ...wsPermissionRows.map((row) => row.userId)])
)
if (workspaceUserIds.length > 0) {
for (const memberUserId of workspaceUserIds) {
const wsPermission = wsPermissionByUser.get(memberUserId)
const isAdmin =
memberUserId === workspaceRow.ownerId ||
memberUserId === session.user.id ||
wsPermission === 'admin'
await tx.insert(credentialMember).values({
id: generateId(),
credentialId,
userId: memberUserId,
role:
memberUserId === workspaceRow.ownerId || memberUserId === session.user.id
? 'admin'
: 'member',
role: isAdmin ? 'admin' : 'member',
Comment thread
cursor[bot] marked this conversation as resolved.
status: 'active',
joinedAt: now,
invitedBy: session.user.id,
Expand Down
110 changes: 61 additions & 49 deletions apps/sim/lib/credentials/environment.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,27 +10,6 @@ interface AccessibleEnvCredential {
updatedAt: Date
}

export async function getWorkspaceMemberUserIds(workspaceId: string): Promise<string[]> {
const [workspaceRows, permissionRows] = await Promise.all([
db
.select({ ownerId: workspace.ownerId })
.from(workspace)
.where(eq(workspace.id, workspaceId))
.limit(1),
db
.select({ userId: permissions.userId })
.from(permissions)
.where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))),
])
const workspaceRow = workspaceRows[0]

const memberIds = new Set<string>(permissionRows.map((row) => row.userId))
if (workspaceRow?.ownerId) {
memberIds.add(workspaceRow.ownerId)
}
return Array.from(memberIds)
}

export async function getUserWorkspaceIds(userId: string): Promise<string[]> {
const [permissionRows, ownedWorkspaceRows] = await Promise.all([
db
Expand Down Expand Up @@ -58,7 +37,8 @@ export async function getUserWorkspaceIds(userId: string): Promise<string[]> {
async function ensureWorkspaceCredentialMemberships(
credentialId: string,
memberUserIds: string[],
ownerUserId: string
ownerUserId: string,
wsPermissionByUser: Map<string, string>
) {
if (!memberUserIds.length) return

Expand All @@ -83,17 +63,21 @@ async function ensureWorkspaceCredentialMemberships(
if (targetUserIds.length === 0) return

const now = new Date()
const values = targetUserIds.map((memberUserId) => ({
id: generateId(),
credentialId,
userId: memberUserId,
role: (memberUserId === ownerUserId ? 'admin' : 'member') as 'admin' | 'member',
status: 'active' as const,
joinedAt: now,
invitedBy: ownerUserId,
createdAt: now,
updatedAt: now,
}))
const values = targetUserIds.map((memberUserId) => {
const wsPermission = wsPermissionByUser.get(memberUserId)
const isAdmin = memberUserId === ownerUserId || wsPermission === 'admin'
return {
id: generateId(),
credentialId,
userId: memberUserId,
role: (isAdmin ? 'admin' : 'member') as 'admin' | 'member',
status: 'active' as const,
joinedAt: now,
invitedBy: ownerUserId,
createdAt: now,
updatedAt: now,
}
})

// `joinedAt` uses COALESCE so a non-null existing value is preserved but null is backfilled.
await db
Expand All @@ -117,17 +101,27 @@ export async function syncWorkspaceEnvCredentials(params: {
actingUserId: string
}) {
const { workspaceId, envKeys, actingUserId } = params
const [[workspaceRow], memberUserIds] = await Promise.all([
const [[workspaceRow], wsPermissionRows] = await Promise.all([
db
.select({ ownerId: workspace.ownerId })
.from(workspace)
.where(eq(workspace.id, workspaceId))
.limit(1),
getWorkspaceMemberUserIds(workspaceId),
db
.select({ userId: permissions.userId, permissionType: permissions.permissionType })
.from(permissions)
.where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))),
Comment thread
cursor[bot] marked this conversation as resolved.
])

if (!workspaceRow) return

const wsPermissionByUser = new Map(
wsPermissionRows.map((row) => [row.userId, row.permissionType])
)
const memberUserIds = Array.from(
new Set([workspaceRow.ownerId, ...wsPermissionRows.map((row) => row.userId)])
)

const normalizedKeys = Array.from(new Set(envKeys.filter(Boolean)))
const existingCredentials = await db
.select({
Expand Down Expand Up @@ -175,7 +169,12 @@ export async function syncWorkspaceEnvCredentials(params: {
}

for (const credentialId of credentialIdsToEnsureMembership) {
await ensureWorkspaceCredentialMemberships(credentialId, memberUserIds, workspaceRow.ownerId)
await ensureWorkspaceCredentialMemberships(
credentialId,
memberUserIds,
workspaceRow.ownerId,
wsPermissionByUser
)
Comment thread
cursor[bot] marked this conversation as resolved.
}

if (normalizedKeys.length > 0) {
Expand Down Expand Up @@ -209,18 +208,27 @@ export async function createWorkspaceEnvCredentials(params: {
const keys = Array.from(new Set(newKeys.filter(Boolean)))
if (keys.length === 0) return

const [[workspaceRow], memberUserIds] = await Promise.all([
const [[workspaceRow], wsPermissionRows] = await Promise.all([
db
.select({ ownerId: workspace.ownerId })
.from(workspace)
.where(eq(workspace.id, workspaceId))
.limit(1),
getWorkspaceMemberUserIds(workspaceId),
db
.select({ userId: permissions.userId, permissionType: permissions.permissionType })
.from(permissions)
.where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))),
])

if (!workspaceRow) return

const ownerUserId = workspaceRow.ownerId
const wsPermissionByUser = new Map(
wsPermissionRows.map((row) => [row.userId, row.permissionType])
)
const memberUserIds = Array.from(
new Set([ownerUserId, ...wsPermissionRows.map((row) => row.userId)])
)
const now = new Date()

const inserted = await db
Expand All @@ -245,17 +253,21 @@ export async function createWorkspaceEnvCredentials(params: {

// Bulk-insert memberships for all new credentials × all workspace members in one query
const membershipValues = createdIds.flatMap((credentialId) =>
memberUserIds.map((memberUserId) => ({
id: generateId(),
credentialId,
userId: memberUserId,
role: (memberUserId === ownerUserId ? 'admin' : 'member') as 'admin' | 'member',
status: 'active' as const,
joinedAt: now,
invitedBy: ownerUserId,
createdAt: now,
updatedAt: now,
}))
memberUserIds.map((memberUserId) => {
const wsPermission = wsPermissionByUser.get(memberUserId)
const isAdmin = memberUserId === ownerUserId || wsPermission === 'admin'
return {
id: generateId(),
credentialId,
userId: memberUserId,
role: (isAdmin ? 'admin' : 'member') as 'admin' | 'member',
status: 'active' as const,
joinedAt: now,
invitedBy: ownerUserId,
createdAt: now,
updatedAt: now,
}
})
)

await db.insert(credentialMember).values(membershipValues).onConflictDoNothing()
Expand Down