Files
simstudioai--sim/apps/sim/app/api/permission-groups/user/route.ts
T
wehub-resource-sync d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 13:20:55 +08:00

78 lines
2.7 KiB
TypeScript

import { NextResponse } from 'next/server'
import { userPermissionConfigQuerySchema } from '@/lib/api/contracts/permission-groups'
import { getSession } from '@/lib/auth'
import { isOrganizationOnEnterprisePlan } from '@/lib/billing'
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
import {
checkWorkspaceAccess,
isOrganizationAdminOrOwner,
} from '@/lib/workspaces/permissions/utils'
import { resolveWorkspaceGroup } from '@/ee/access-control/utils/permission-check'
export const GET = withRouteHandler(async (req: Request) => {
const session = await getSession()
if (!session?.user?.id) {
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
}
const queryResult = userPermissionConfigQuerySchema.safeParse(
Object.fromEntries(new URL(req.url).searchParams.entries())
)
if (!queryResult.success) {
return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
}
const { workspaceId } = queryResult.data
const access = await checkWorkspaceAccess(workspaceId, session.user.id)
if (!access.exists) {
return NextResponse.json({ error: 'Workspace not found' }, { status: 404 })
}
if (!access.hasAccess) {
return NextResponse.json({ error: 'Not a member of this workspace' }, { status: 403 })
}
const organizationId = access.workspace?.organizationId ?? null
// Workspaces without an organization have no permission groups, and the caller
// can never be an org admin in that case.
if (!organizationId) {
return NextResponse.json({
permissionGroupId: null,
groupName: null,
config: null,
entitled: false,
organizationId: null,
isOrgAdmin: false,
})
}
// Resolve role + entitlement against the WORKSPACE's owning organization (not
// the caller's active org) so management gating is scoped to the org that
// actually governs this workspace. External members are not org admins here.
const isOrgAdmin = await isOrganizationAdminOrOwner(session.user.id, organizationId)
if (!(await isOrganizationOnEnterprisePlan(organizationId))) {
return NextResponse.json({
permissionGroupId: null,
groupName: null,
config: null,
entitled: false,
organizationId,
isOrgAdmin,
})
}
// Single source of truth: specific-scope group covering this workspace ->
// the user's all-workspaces group -> org default -> none.
const resolved = await resolveWorkspaceGroup(session.user.id, organizationId, workspaceId)
return NextResponse.json({
permissionGroupId: resolved?.permissionGroupId ?? null,
groupName: resolved?.groupName ?? null,
config: resolved?.config ?? null,
entitled: true,
organizationId,
isOrgAdmin,
})
})