fix(permissions): should not be able to create workflow with read perms

[icecrasher321]

Summary

Gate UI and route to prevent creation of workflow if you don't have write/admin.

Type of Change

• Bug fix

Testing

Tested manually

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Preview	Comments	Updated (UTC)
docs	Skipped			Oct 17, 2025 8:28pm

💡 Enable Vercel Agent with $100 free credit for automated AI reviews

[greptile-apps]

Greptile Overview

Summary

Added permission gates to prevent workflow creation for users with read-only workspace access, implementing defense-in-depth security through both UI and API enforcement.

• Added permission check in POST /api/workflows route to verify users have write or admin access before creating workflows in workspaces
• Disabled workflow creation, folder creation, and import workflow buttons in the UI for users without edit permissions
• Changed Import Workflow button from conditionally rendered to always rendered but disabled based on permissions (consistent UX)
• Personal workflows (without workspaceId) bypass permission checks as expected since they don't belong to workspaces

Confidence Score: 5/5

• This PR is safe to merge with minimal risk
• The implementation follows defense-in-depth security principles by enforcing permissions at both UI and API layers. The permission check correctly handles workspace workflows while allowing personal workflows to bypass the check. The code is clean, well-structured, and includes proper logging for security events.
• No files require special attention

Important Files Changed

File Analysis

Filename	Score	Overview
apps/sim/app/api/workflows/route.ts	5/5	Added permission check to prevent workflow creation for users with read-only access in workspaces
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/create-menu/create-menu.tsx	5/5	Disabled workflow, folder, and import buttons for users without edit permissions, removed conditional rendering

Sequence Diagram

sequenceDiagram
    participant User
    participant UI as Create Menu UI
    participant API as POST /api/workflows
    participant Perms as getUserEntityPermissions
    participant DB as Database

    User->>UI: Click "New Workflow"
    
    alt User has no edit permission
        UI->>User: Button disabled (opacity 50%)
    else User has edit permission
        UI->>API: POST /api/workflows {workspaceId, name, ...}
        
        alt workspaceId provided
            API->>Perms: Check user permissions for workspace
            Perms->>DB: Query permissions table
            DB-->>Perms: Return permission type
            
            alt Permission is 'read' or null
                Perms-->>API: 'read' or null
                API->>User: 403 Forbidden (Write/Admin required)
            else Permission is 'write' or 'admin'
                Perms-->>API: 'write' or 'admin'
                API->>DB: Insert workflow
                DB-->>API: Workflow created
                API->>User: 200 OK with workflow data
            end
        else No workspaceId (personal workflow)
            API->>DB: Insert workflow
            DB-->>API: Workflow created
            API->>User: 200 OK with workflow data
        end
    end

Loading

_{2 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}