address ui comments

Author: icecrasher321

apps/sim/app/api/guardrails/validate/route.ts

@@ -7,6 +7,7 @@ import { validateHallucination } from '@/lib/guardrails/validate_hallucination'
 import { validateJson } from '@/lib/guardrails/validate_json'
 import { validatePII } from '@/lib/guardrails/validate_pii'
 import { validateRegex } from '@/lib/guardrails/validate_regex'
+import { authorizeWorkflowByWorkspacePermission } from '@/lib/workflows/utils'
 import {
   assertPermissionsAllowed,
   ProviderNotAllowedError,
@@ -43,7 +44,6 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       bedrockSecretKey,
       bedrockRegion,
       workflowId,
-      workspaceId,
       piiEntityTypes,
       piiMode,
       piiLanguage,
@@ -114,11 +114,46 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       })
     }
 
-    if (validationType === 'hallucination' && model && workspaceId) {
+    let resolvedWorkspaceId: string | undefined
+
+    if (validationType === 'hallucination' && model) {
+      if (!workflowId || typeof workflowId !== 'string') {
+        return NextResponse.json({
+          success: true,
+          output: {
+            passed: false,
+            validationType,
+            input: input || '',
+            error:
+              'Workflow context is required for hallucination validation. Call this endpoint via a workflow execution, not directly.',
+          },
+        })
+      }
+
+      const authorization = await authorizeWorkflowByWorkspacePermission({
+        workflowId,
+        userId: auth.userId,
+        action: 'read',
+      })
+
+      if (!authorization.allowed || !authorization.workflow?.workspaceId) {
+        return NextResponse.json({
+          success: true,
+          output: {
+            passed: false,
+            validationType,
+            input: input || '',
+            error: authorization.message || 'Workflow not found or access denied.',
+          },
+        })
+      }
+
+      resolvedWorkspaceId = authorization.workflow.workspaceId
+
       try {
         await assertPermissionsAllowed({
           userId: auth.userId,
-          workspaceId,
+          workspaceId: resolvedWorkspaceId,
           model,
         })
       } catch (err) {
@@ -168,7 +203,7 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         bedrockRegion,
       },
       workflowId,
-      workspaceId,
+      resolvedWorkspaceId,
       piiEntityTypes,
       piiMode,
       piiLanguage,

apps/sim/app/api/workspaces/[id]/permissions/route.ts

@@ -13,8 +13,10 @@ import { applyWorkspaceAutoAddGroup } from '@/lib/permission-groups/auto-add'
 import { captureServerEvent } from '@/lib/posthog/server'
 import {
   checkWorkspaceAccess,
+  getUserEntityPermissions,
   getUsersWithPermissions,
   hasWorkspaceAdminAccess,
+  type PermissionType,
 } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspacesPermissionsAPI')
@@ -48,23 +50,25 @@ export const GET = withRouteHandler(
       }
 
       const isAdmin = await hasWorkspaceAdminAccess(session.user.id, workspaceId)
+      const access = await checkWorkspaceAccess(workspaceId, session.user.id)
 
-      let hasAccess = isAdmin
-      if (!hasAccess) {
-        const access = await checkWorkspaceAccess(workspaceId, session.user.id)
-        if (!access.exists) {
-          return NextResponse.json(
-            { error: 'Workspace not found or access denied' },
-            { status: 404 }
-          )
-        }
-        hasAccess = access.hasAccess
+      if (!access.exists) {
+        return NextResponse.json({ error: 'Workspace not found or access denied' }, { status: 404 })
       }
 
-      if (!hasAccess) {
+      if (!isAdmin && !access.hasAccess) {
         return NextResponse.json({ error: 'Workspace not found or access denied' }, { status: 404 })
       }
 
+      const explicitPermission = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        workspaceId
+      )
+      const viewerPermissionType: PermissionType = isAdmin
+        ? 'admin'
+        : (explicitPermission ?? 'read')
+
       const result = await getUsersWithPermissions(workspaceId)
 
       return NextResponse.json({
@@ -73,6 +77,7 @@ export const GET = withRouteHandler(
         viewer: {
           userId: session.user.id,
           isAdmin,
+          permissionType: viewerPermissionType,
         },
       })
     } catch (error) {

apps/sim/ee/access-control/components/access-control.tsx

@@ -64,6 +64,7 @@ interface AddMembersModalProps {
   setSelectedMemberIds: React.Dispatch<React.SetStateAction<Set<string>>>
   onAddMembers: () => void
   isAdding: boolean
+  errorMessage: string | null
 }
 
 function AddMembersModal({
@@ -74,6 +75,7 @@ function AddMembersModal({
   setSelectedMemberIds,
   onAddMembers,
   isAdding,
+  errorMessage,
 }: AddMembersModalProps) {
   const [searchTerm, setSearchTerm] = useState('')
 
@@ -199,6 +201,9 @@ function AddMembersModal({
               </div>
             </div>
           )}
+          {errorMessage && (
+            <p className='mt-3 text-[var(--text-destructive)] text-xs'>{errorMessage}</p>
+          )}
         </ModalBody>
         <ModalFooter>
           <Button
@@ -289,6 +294,7 @@ export function AccessControl() {
   const [showConfigModal, setShowConfigModal] = useState(false)
   const [editingConfig, setEditingConfig] = useState<PermissionGroupConfig | null>(null)
   const [showAddMembersModal, setShowAddMembersModal] = useState(false)
+  const [addMembersError, setAddMembersError] = useState<string | null>(null)
   const [selectedMemberIds, setSelectedMemberIds] = useState<Set<string>>(() => new Set())
   const [providerSearchTerm, setProviderSearchTerm] = useState('')
   const [integrationSearchTerm, setIntegrationSearchTerm] = useState('')
@@ -628,11 +634,13 @@ export function AccessControl() {
 
   const handleOpenAddMembersModal = useCallback(() => {
     setSelectedMemberIds(new Set())
+    setAddMembersError(null)
     setShowAddMembersModal(true)
   }, [])
 
   const handleAddSelectedMembers = useCallback(async () => {
     if (!viewingGroup || !workspaceId || selectedMemberIds.size === 0) return
+    setAddMembersError(null)
     try {
       await bulkAddMembers.mutateAsync({
         workspaceId,
@@ -643,6 +651,9 @@ export function AccessControl() {
       setSelectedMemberIds(new Set())
     } catch (error) {
       logger.error('Failed to add members', error)
+      setAddMembersError(
+        error instanceof Error && error.message ? error.message : 'Failed to add members'
+      )
     }
   }, [viewingGroup, workspaceId, selectedMemberIds, bulkAddMembers])
 
@@ -1202,12 +1213,16 @@ export function AccessControl() {
 
         <AddMembersModal
           open={showAddMembersModal}
-          onOpenChange={setShowAddMembersModal}
+          onOpenChange={(open) => {
+            setShowAddMembersModal(open)
+            if (!open) setAddMembersError(null)
+          }}
           availableMembers={availableMembersToAdd}
           selectedMemberIds={selectedMemberIds}
           setSelectedMemberIds={setSelectedMemberIds}
           onAddMembers={handleAddSelectedMembers}
           isAdding={bulkAddMembers.isPending}
+          errorMessage={addMembersError}
         />
       </>
     )

apps/sim/hooks/queries/workspace.ts

@@ -262,6 +262,12 @@ export interface WorkspacePermissionsViewer {
    * workspace. Use this instead of scanning `users` for a `permissionType === 'admin'` row.
    */
   isAdmin: boolean
+  /**
+   * The viewer's effective permission level for this workspace. Resolves to `'admin'` whenever
+   * `isAdmin` is true (including owner / org-admin paths where no explicit permissions row exists),
+   * otherwise falls back to the user's explicit `permissions` row (`admin` | `write` | `read`).
+   */
+  permissionType: 'admin' | 'write' | 'read'
 }
 
 /** Workspace permissions data containing all users and their access levels. */

apps/sim/hooks/use-user-permissions.ts

@@ -48,12 +48,28 @@ export function useUserPermissions(
       }
     }
 
-    // Find current user in workspace permissions (case-insensitive)
+    /**
+     * Prefer the server-resolved `viewer.permissionType` — it already accounts for workspace
+     * owners and organization owners/admins who have no explicit `permissions` row but are
+     * effectively admins. Falls back to scanning `users` only if the server response predates
+     * the viewer field (rolling deploy).
+     */
+    const viewerPerms = workspacePermissions?.viewer?.permissionType
+    if (viewerPerms) {
+      return {
+        canRead: true,
+        canEdit: viewerPerms === 'write' || viewerPerms === 'admin',
+        canAdmin: viewerPerms === 'admin',
+        userPermissions: viewerPerms,
+        isLoading: false,
+        error: permissionsError,
+      }
+    }
+
     const currentUser = workspacePermissions?.users?.find(
       (user) => user.email.toLowerCase() === sessionEmail.toLowerCase()
     )
 
-    // If user not found in workspace, they have no permissions
     if (!currentUser) {
       logger.warn('User not found in workspace permissions', {
         userEmail: sessionEmail,
@@ -72,14 +88,11 @@ export function useUserPermissions(
     }
 
     const userPerms = currentUser.permissionType || 'read'
-
-    // Core permission checks
     const canAdmin = userPerms === 'admin'
     const canEdit = userPerms === 'write' || userPerms === 'admin'
-    const canRead = true // If user is found in workspace permissions, they have read access
 
     return {
-      canRead,
+      canRead: true,
       canEdit,
       canAdmin,
       userPermissions: userPerms,

apps/sim/lib/workspaces/permissions/utils.test.ts

@@ -208,6 +208,7 @@ describe('Permission Utils', () => {
           userId: 'user1',
           email: 'alice@example.com',
           name: 'Alice Smith',
+          image: 'https://example.com/alice.png',
           permissionType: 'admin' as PermissionType,
         },
       ]
@@ -222,6 +223,7 @@ describe('Permission Utils', () => {
           userId: 'user1',
           email: 'alice@example.com',
           name: 'Alice Smith',
+          image: 'https://example.com/alice.png',
           permissionType: 'admin',
         },
       ])

apps/sim/lib/workspaces/permissions/utils.ts

@@ -238,6 +238,7 @@ export async function getUsersWithPermissions(workspaceId: string): Promise<
     userId: string
     email: string
     name: string
+    image: string | null
     permissionType: PermissionType
   }>
 > {
@@ -246,6 +247,7 @@ export async function getUsersWithPermissions(workspaceId: string): Promise<
       userId: user.id,
       email: user.email,
       name: user.name,
+      image: user.image,
       permissionType: permissions.permissionType,
     })
     .from(permissions)
@@ -264,6 +266,7 @@ export async function getUsersWithPermissions(workspaceId: string): Promise<
     userId: row.userId,
     email: row.email,
     name: row.name,
+    image: row.image ?? null,
     permissionType: row.permissionType,
   }))
 }