d25d482dc2
Publish CLI Package / publish-npm (push) Waiting to run
Publish Python SDK / publish-pypi (push) Waiting to run
Publish TypeScript SDK / publish-npm (push) Waiting to run
CI / Migrate Dev DB (push) Has been skipped
CI / Detect Version (push) Has been cancelled
CI / Migrate DB (push) Has been cancelled
CI / Build Dev ECR (./docker/app.Dockerfile, ECR_APP) (push) Has been cancelled
CI / Build Dev ECR (./docker/db.Dockerfile, ECR_MIGRATIONS) (push) Has been cancelled
CI / Build Dev ECR (./docker/pii.Dockerfile, ECR_PII) (push) Has been cancelled
CI / Build Dev ECR (./docker/realtime.Dockerfile, ECR_REALTIME) (push) Has been cancelled
CI / Deploy Trigger.dev (Dev) (push) Has been cancelled
CI / Build AMD64 (./docker/app.Dockerfile, ECR_APP, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build AMD64 (./docker/db.Dockerfile, ECR_MIGRATIONS, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build AMD64 (./docker/pii.Dockerfile, ECR_PII, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build AMD64 (./docker/realtime.Dockerfile, ECR_REALTIME, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/app.Dockerfile, ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/db.Dockerfile, ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/pii.Dockerfile, ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Build ARM64 (GHCR Only) (./docker/realtime.Dockerfile, ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/migrations) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/pii) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/realtime) (push) Has been cancelled
CI / Create GHCR Manifests (ghcr.io/simstudioai/simstudio) (push) Has been cancelled
CI / Check Docs Changes (push) Has been cancelled
CI / Process Docs (push) Has been cancelled
CI / Create GitHub Release (push) Has been cancelled
CI / Test and Build (push) Has been cancelled
78 lines
2.7 KiB
TypeScript
78 lines
2.7 KiB
TypeScript
import { NextResponse } from 'next/server'
|
|
import { userPermissionConfigQuerySchema } from '@/lib/api/contracts/permission-groups'
|
|
import { getSession } from '@/lib/auth'
|
|
import { isOrganizationOnEnterprisePlan } from '@/lib/billing'
|
|
import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
|
|
import {
|
|
checkWorkspaceAccess,
|
|
isOrganizationAdminOrOwner,
|
|
} from '@/lib/workspaces/permissions/utils'
|
|
import { resolveWorkspaceGroup } from '@/ee/access-control/utils/permission-check'
|
|
|
|
export const GET = withRouteHandler(async (req: Request) => {
|
|
const session = await getSession()
|
|
if (!session?.user?.id) {
|
|
return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
|
|
}
|
|
|
|
const queryResult = userPermissionConfigQuerySchema.safeParse(
|
|
Object.fromEntries(new URL(req.url).searchParams.entries())
|
|
)
|
|
if (!queryResult.success) {
|
|
return NextResponse.json({ error: 'workspaceId is required' }, { status: 400 })
|
|
}
|
|
const { workspaceId } = queryResult.data
|
|
|
|
const access = await checkWorkspaceAccess(workspaceId, session.user.id)
|
|
if (!access.exists) {
|
|
return NextResponse.json({ error: 'Workspace not found' }, { status: 404 })
|
|
}
|
|
if (!access.hasAccess) {
|
|
return NextResponse.json({ error: 'Not a member of this workspace' }, { status: 403 })
|
|
}
|
|
|
|
const organizationId = access.workspace?.organizationId ?? null
|
|
|
|
// Workspaces without an organization have no permission groups, and the caller
|
|
// can never be an org admin in that case.
|
|
if (!organizationId) {
|
|
return NextResponse.json({
|
|
permissionGroupId: null,
|
|
groupName: null,
|
|
config: null,
|
|
entitled: false,
|
|
organizationId: null,
|
|
isOrgAdmin: false,
|
|
})
|
|
}
|
|
|
|
// Resolve role + entitlement against the WORKSPACE's owning organization (not
|
|
// the caller's active org) so management gating is scoped to the org that
|
|
// actually governs this workspace. External members are not org admins here.
|
|
const isOrgAdmin = await isOrganizationAdminOrOwner(session.user.id, organizationId)
|
|
|
|
if (!(await isOrganizationOnEnterprisePlan(organizationId))) {
|
|
return NextResponse.json({
|
|
permissionGroupId: null,
|
|
groupName: null,
|
|
config: null,
|
|
entitled: false,
|
|
organizationId,
|
|
isOrgAdmin,
|
|
})
|
|
}
|
|
|
|
// Single source of truth: specific-scope group covering this workspace ->
|
|
// the user's all-workspaces group -> org default -> none.
|
|
const resolved = await resolveWorkspaceGroup(session.user.id, organizationId, workspaceId)
|
|
|
|
return NextResponse.json({
|
|
permissionGroupId: resolved?.permissionGroupId ?? null,
|
|
groupName: resolved?.groupName ?? null,
|
|
config: resolved?.config ?? null,
|
|
entitled: true,
|
|
organizationId,
|
|
isOrgAdmin,
|
|
})
|
|
})
|