Fix Mass Assignment on Save Custom Template (#6129)

christopherholland-workday · christopherholland-workday · web-flow · commit f64047bdcf4c · 2026-04-06T21:07:12.000+08:00
Co-authored-by: christopherholland-workday &lt;christopher.holland+evisort@workday.com&gt;
diff --git a/packages/server/src/controllers/marketplaces/index.ts b/packages/server/src/controllers/marketplaces/index.ts
@@ -2,6 +2,7 @@ import { NextFunction, Request, Response } from 'express'
 import { StatusCodes } from 'http-status-codes'
 import { InternalFlowiseError } from '../../errors/internalFlowiseError'
 import marketplacesService from '../../services/marketplaces'
+import { stripProtectedFields } from '../../utils/stripProtectedFields'
 
 // Get all templates for marketplaces
 const getAllTemplates = async (req: Request, res: Response, next: NextFunction) => {
@@ -52,15 +53,14 @@ const saveCustomTemplate = async (req: Request, res: Response, next: NextFunctio
                 `Error: marketplacesService.saveCustomTemplate - body not provided!`
             )
         }
-        const body = req.body
-        body.workspaceId = req.user?.activeWorkspaceId
-        if (!body.workspaceId) {
+        const workspaceId = req.user?.activeWorkspaceId
+        if (!workspaceId) {
             throw new InternalFlowiseError(
                 StatusCodes.NOT_FOUND,
-                `Error: marketplacesController.saveCustomTemplate - workspace ${body.workspaceId} not found!`
+                `Error: marketplacesController.saveCustomTemplate - workspace ${workspaceId} not found!`
             )
         }
-        const apiResponse = await marketplacesService.saveCustomTemplate(body)
+        const apiResponse = await marketplacesService.saveCustomTemplate({ ...stripProtectedFields(req.body), workspaceId })
         return res.json(apiResponse)
     } catch (error) {
         next(error)
diff --git a/packages/server/src/services/marketplaces/index.ts b/packages/server/src/services/marketplaces/index.ts
@@ -10,6 +10,7 @@ import { InternalFlowiseError } from '../../errors/internalFlowiseError'
 import { getErrorMessage } from '../../errors/utils'
 import { IReactFlowEdge, IReactFlowNode } from '../../Interface'
 import { getRunningExpressApp } from '../../utils/getRunningExpressApp'
+import { stripProtectedFields } from '../../utils/stripProtectedFields'
 import chatflowsService from '../chatflows'
 
 type ITemplate = {
@@ -208,7 +209,8 @@ const saveCustomTemplate = async (body: any): Promise<any> => {
         let flowDataStr = ''
         let derivedFramework = ''
         const customTemplate = new CustomTemplate()
-        Object.assign(customTemplate, body)
+        Object.assign(customTemplate, stripProtectedFields(body))
+        customTemplate.workspaceId = body.workspaceId // re-apply: set by controller from req.user
 
         if (body.chatflowId) {
             const chatflow = await chatflowsService.getChatflowById(body.chatflowId, body.workspaceId)
