address more comments

Author: icecrasher321

apps/sim/app/api/workflows/[id]/deploy/route.ts

@@ -12,6 +12,10 @@ import {
   createErrorResponse,
   createSuccessResponse,
 } from '@/app/api/workflows/utils'
+import {
+  PublicApiNotAllowedError,
+  validatePublicApiAllowed,
+} from '@/ee/access-control/utils/permission-check'
 
 const logger = createLogger('WorkflowDeployAPI')
 
@@ -154,9 +158,6 @@ export const PATCH = withRouteHandler(
       }
 
       if (isPublicApi) {
-        const { validatePublicApiAllowed, PublicApiNotAllowedError } = await import(
-          '@/ee/access-control/utils/permission-check'
-        )
         try {
           await validatePublicApiAllowed(session?.user?.id, workflowData?.workspaceId ?? undefined)
         } catch (err) {

apps/sim/app/api/workflows/[id]/execute/route.ts

@@ -1,6 +1,9 @@
+import { db } from '@sim/db'
+import { workflow as workflowTable } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { toError } from '@sim/utils/errors'
 import { generateId, isValidUuid } from '@sim/utils/id'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuthType, checkHybridAuth, hasExternalApiCredentials } from '@/lib/auth/hybrid'
@@ -48,6 +51,10 @@ import {
   workflowHasResponseBlock,
 } from '@/lib/workflows/utils'
 import { executeWorkflowJob, type WorkflowExecutionPayload } from '@/background/workflow-execution'
+import {
+  PublicApiNotAllowedError,
+  validatePublicApiAllowed,
+} from '@/ee/access-control/utils/permission-check'
 import { normalizeName } from '@/executor/constants'
 import { ExecutionSnapshot } from '@/executor/execution/snapshot'
 import type {
@@ -312,9 +319,7 @@ async function handleExecutePost(
         return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
       }
 
-      const { db: dbClient, workflow: workflowTable } = await import('@sim/db')
-      const { eq } = await import('drizzle-orm')
-      const [wf] = await dbClient
+      const [wf] = await db
         .select({
           isPublicApi: workflowTable.isPublicApi,
           isDeployed: workflowTable.isDeployed,
@@ -325,23 +330,17 @@ async function handleExecutePost(
         .where(eq(workflowTable.id, workflowId))
         .limit(1)
 
-      if (!wf?.isPublicApi || !wf.isDeployed) {
-        return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
-      }
-
-      const { isPublicApiDisabled } = await import('@/lib/core/config/feature-flags')
-      if (isPublicApiDisabled) {
+      if (!wf?.isPublicApi || !wf.isDeployed || !wf.workspaceId) {
         return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
       }
 
-      if (wf.workspaceId) {
-        const { getUserPermissionConfig } = await import(
-          '@/ee/access-control/utils/permission-check'
-        )
-        const ownerConfig = await getUserPermissionConfig(wf.userId, wf.workspaceId)
-        if (ownerConfig?.disablePublicApi) {
+      try {
+        await validatePublicApiAllowed(wf.userId, wf.workspaceId)
+      } catch (err) {
+        if (err instanceof PublicApiNotAllowedError) {
           return NextResponse.json({ error: auth.error || 'Unauthorized' }, { status: 401 })
         }
+        throw err
       }
 
       userId = wf.userId

apps/sim/ee/access-control/utils/permission-check.ts

@@ -7,6 +7,8 @@ import {
   getAllowedIntegrationsFromEnv,
   isAccessControlEnabled,
   isHosted,
+  isInvitationsDisabled,
+  isPublicApiDisabled,
 } from '@/lib/core/config/feature-flags'
 import {
   DEFAULT_PERMISSION_GROUP_CONFIG,
@@ -302,7 +304,6 @@ export async function validateInvitationsAllowed(
   userId: string | undefined,
   workspaceId?: string
 ): Promise<void> {
-  const { isInvitationsDisabled } = await import('@/lib/core/config/feature-flags')
   if (isInvitationsDisabled) {
     logger.warn('Invitations blocked by feature flag')
     throw new InvitationsNotAllowedError()
@@ -333,7 +334,6 @@ export async function validatePublicApiAllowed(
   userId: string | undefined,
   workspaceId?: string
 ): Promise<void> {
-  const { isPublicApiDisabled } = await import('@/lib/core/config/feature-flags')
   if (isPublicApiDisabled) {
     logger.warn('Public API blocked by feature flag')
     throw new PublicApiNotAllowedError()