fix edge cases

icecrasher321 · icecrasher321 · commit 6cbc5c77f404 · 2026-04-21T11:36:41.000-07:00
diff --git a/apps/sim/app/api/guardrails/validate/route.ts b/apps/sim/app/api/guardrails/validate/route.ts
@@ -6,6 +6,10 @@ import { validateHallucination } from '@/lib/guardrails/validate_hallucination'
 import { validateJson } from '@/lib/guardrails/validate_json'
 import { validatePII } from '@/lib/guardrails/validate_pii'
 import { validateRegex } from '@/lib/guardrails/validate_regex'
+import {
+  assertPermissionsAllowed,
+  ProviderNotAllowedError,
+} from '@/ee/access-control/utils/permission-check'
 
 const logger = createLogger('GuardrailsValidateAPI')
 
@@ -110,9 +114,6 @@ export async function POST(request: NextRequest) {
     }
 
     if (validationType === 'hallucination' && model && workspaceId) {
-      const { assertPermissionsAllowed, ProviderNotAllowedError } = await import(
-        '@/ee/access-control/utils/permission-check'
-      )
       try {
         await assertPermissionsAllowed({
           userId: auth.userId,
diff --git a/apps/sim/app/api/mcp/tools/execute/route.ts b/apps/sim/app/api/mcp/tools/execute/route.ts
@@ -13,6 +13,10 @@ import {
   createMcpSuccessResponse,
   validateStringParam,
 } from '@/lib/mcp/utils'
+import {
+  assertPermissionsAllowed,
+  McpToolsNotAllowedError,
+} from '@/ee/access-control/utils/permission-check'
 
 const logger = createLogger('McpToolExecutionAPI')
 
@@ -71,6 +75,19 @@ export const POST = withMcpAuth('read')(
         return createMcpErrorResponse(new Error(toolNameValidation.error), 'Invalid toolName', 400)
       }
 
+      try {
+        await assertPermissionsAllowed({
+          userId,
+          workspaceId,
+          toolKind: 'mcp',
+        })
+      } catch (err) {
+        if (err instanceof McpToolsNotAllowedError) {
+          return createMcpErrorResponse(err, err.message, 403)
+        }
+        throw err
+      }
+
       logger.info(
         `[${requestId}] Executing tool ${toolName} on server ${serverId} for user ${userId} in workspace ${workspaceId}`
       )
diff --git a/apps/sim/app/api/permission-groups/user/route.ts b/apps/sim/app/api/permission-groups/user/route.ts
@@ -34,6 +34,7 @@ export async function GET(req: Request) {
       permissionGroupId: null,
       groupName: null,
       config: null,
+      entitled: false,
     })
   }
 
@@ -59,12 +60,14 @@ export async function GET(req: Request) {
       permissionGroupId: null,
       groupName: null,
       config: null,
+      entitled: true,
     })
   }
 
   return NextResponse.json({
     permissionGroupId: groupMembership.permissionGroupId,
     groupName: groupMembership.groupName,
     config: parsePermissionGroupConfig(groupMembership.config),
+    entitled: true,
   })
 }
diff --git a/apps/sim/app/api/providers/route.ts b/apps/sim/app/api/providers/route.ts
@@ -12,6 +12,11 @@ import {
   refreshTokenIfNeeded,
   resolveOAuthAccountId,
 } from '@/app/api/auth/oauth/utils'
+import {
+  assertPermissionsAllowed,
+  IntegrationNotAllowedError,
+  ProviderNotAllowedError,
+} from '@/ee/access-control/utils/permission-check'
 import type { StreamingExecution } from '@/executor/types'
 import { executeProviderRequest } from '@/providers'
 
@@ -103,8 +108,6 @@ export async function POST(request: NextRequest) {
         return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
       }
 
-      const { assertPermissionsAllowed, IntegrationNotAllowedError, ProviderNotAllowedError } =
-        await import('@/ee/access-control/utils/permission-check')
       try {
         await assertPermissionsAllowed({
           userId: auth.userId,
diff --git a/apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/route.ts b/apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/route.ts
@@ -7,7 +7,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
-import { hasWorkspaceAccessControlAccess } from '@/lib/billing'
+import { hasWorkspaceAccessControlAccess, isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import { checkWorkspaceAccess, hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspacePermissionGroupMembers')
@@ -45,6 +45,11 @@ export async function GET(
     return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
   }
 
+  const entitled = await isWorkspaceOnEnterprisePlan(workspaceId)
+  if (!entitled) {
+    return NextResponse.json({ error: 'Access Control is an Enterprise feature' }, { status: 403 })
+  }
+
   const group = await loadGroupInWorkspace(id, workspaceId)
   if (!group) {
     return NextResponse.json({ error: 'Permission group not found' }, { status: 404 })
diff --git a/apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/route.ts b/apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/route.ts
@@ -6,43 +6,20 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
-import { hasWorkspaceAccessControlAccess } from '@/lib/billing'
+import { hasWorkspaceAccessControlAccess, isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import {
   type PermissionGroupConfig,
   parsePermissionGroupConfig,
+  permissionGroupConfigSchema,
 } from '@/lib/permission-groups/types'
 import { checkWorkspaceAccess, hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspacePermissionGroup')
 
-const configSchema = z.object({
-  allowedIntegrations: z.array(z.string()).nullable().optional(),
-  allowedModelProviders: z.array(z.string()).nullable().optional(),
-  hideTraceSpans: z.boolean().optional(),
-  hideKnowledgeBaseTab: z.boolean().optional(),
-  hideTablesTab: z.boolean().optional(),
-  hideCopilot: z.boolean().optional(),
-  hideIntegrationsTab: z.boolean().optional(),
-  hideSecretsTab: z.boolean().optional(),
-  hideApiKeysTab: z.boolean().optional(),
-  hideInboxTab: z.boolean().optional(),
-  hideFilesTab: z.boolean().optional(),
-  disableMcpTools: z.boolean().optional(),
-  disableCustomTools: z.boolean().optional(),
-  disableSkills: z.boolean().optional(),
-  disableInvitations: z.boolean().optional(),
-  disablePublicApi: z.boolean().optional(),
-  hideDeployApi: z.boolean().optional(),
-  hideDeployMcp: z.boolean().optional(),
-  hideDeployA2a: z.boolean().optional(),
-  hideDeployChatbot: z.boolean().optional(),
-  hideDeployTemplate: z.boolean().optional(),
-})
-
 const updateSchema = z.object({
   name: z.string().trim().min(1).max(100).optional(),
   description: z.string().max(500).nullable().optional(),
-  config: configSchema.optional(),
+  config: permissionGroupConfigSchema.optional(),
   autoAddNewMembers: z.boolean().optional(),
 })
 
@@ -85,6 +62,11 @@ export async function GET(
     return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
   }
 
+  const entitled = await isWorkspaceOnEnterprisePlan(workspaceId)
+  if (!entitled) {
+    return NextResponse.json({ error: 'Access Control is an Enterprise feature' }, { status: 403 })
+  }
+
   const group = await loadGroupInWorkspace(id, workspaceId)
 
   if (!group) {
diff --git a/apps/sim/app/api/workspaces/[workspaceId]/permission-groups/route.ts b/apps/sim/app/api/workspaces/[workspaceId]/permission-groups/route.ts
@@ -7,44 +7,21 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
-import { hasWorkspaceAccessControlAccess } from '@/lib/billing'
+import { hasWorkspaceAccessControlAccess, isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import {
   DEFAULT_PERMISSION_GROUP_CONFIG,
   type PermissionGroupConfig,
   parsePermissionGroupConfig,
+  permissionGroupConfigSchema,
 } from '@/lib/permission-groups/types'
 import { checkWorkspaceAccess, hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspacePermissionGroups')
 
-const configSchema = z.object({
-  allowedIntegrations: z.array(z.string()).nullable().optional(),
-  allowedModelProviders: z.array(z.string()).nullable().optional(),
-  hideTraceSpans: z.boolean().optional(),
-  hideKnowledgeBaseTab: z.boolean().optional(),
-  hideTablesTab: z.boolean().optional(),
-  hideCopilot: z.boolean().optional(),
-  hideIntegrationsTab: z.boolean().optional(),
-  hideSecretsTab: z.boolean().optional(),
-  hideApiKeysTab: z.boolean().optional(),
-  hideInboxTab: z.boolean().optional(),
-  hideFilesTab: z.boolean().optional(),
-  disableMcpTools: z.boolean().optional(),
-  disableCustomTools: z.boolean().optional(),
-  disableSkills: z.boolean().optional(),
-  disableInvitations: z.boolean().optional(),
-  disablePublicApi: z.boolean().optional(),
-  hideDeployApi: z.boolean().optional(),
-  hideDeployMcp: z.boolean().optional(),
-  hideDeployA2a: z.boolean().optional(),
-  hideDeployChatbot: z.boolean().optional(),
-  hideDeployTemplate: z.boolean().optional(),
-})
-
 const createSchema = z.object({
   name: z.string().trim().min(1).max(100),
   description: z.string().max(500).optional(),
-  config: configSchema.optional(),
+  config: permissionGroupConfigSchema.optional(),
   autoAddNewMembers: z.boolean().optional(),
 })
 
@@ -67,6 +44,11 @@ export async function GET(
     return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
   }
 
+  const entitled = await isWorkspaceOnEnterprisePlan(workspaceId)
+  if (!entitled) {
+    return NextResponse.json({ error: 'Access Control is an Enterprise feature' }, { status: 403 })
+  }
+
   const groups = await db
     .select({
       id: permissionGroup.id,
diff --git a/apps/sim/ee/access-control/components/access-control.tsx b/apps/sim/ee/access-control/components/access-control.tsx
@@ -39,6 +39,7 @@ import {
   usePermissionGroups,
   useRemovePermissionGroupMember,
   useUpdatePermissionGroup,
+  useUserPermissionConfig,
 } from '@/ee/access-control/hooks/permission-groups'
 import { useBlacklistedProviders } from '@/hooks/queries/allowed-providers'
 import { useWorkspacePermissionsQuery } from '@/hooks/queries/workspace'
@@ -255,6 +256,8 @@ export function AccessControl() {
   const { data: workspacePermissionsData, isPending: permsLoading } = useWorkspacePermissionsQuery(
     workspaceId ?? null
   )
+  const { data: userPermissionConfig, isPending: entitlementLoading } =
+    useUserPermissionConfig(workspaceId)
 
   const currentUserIsWorkspaceAdmin = useMemo(() => {
     if (!workspacePermissionsData || !session?.user?.id) return false
@@ -264,9 +267,10 @@ export function AccessControl() {
   }, [workspacePermissionsData, session?.user?.id])
 
   const accessControlEnabledLocally = isTruthy(getEnv('NEXT_PUBLIC_ACCESS_CONTROL_ENABLED'))
-  const canManage = accessControlEnabledLocally || currentUserIsWorkspaceAdmin
+  const isEntitled = accessControlEnabledLocally || !!userPermissionConfig?.entitled
+  const canManage = isEntitled && currentUserIsWorkspaceAdmin
 
-  const isLoading = !workspaceId || groupsLoading || permsLoading
+  const isLoading = !workspaceId || groupsLoading || permsLoading || entitlementLoading
 
   const createPermissionGroup = useCreatePermissionGroup()
   const updatePermissionGroup = useUpdatePermissionGroup()
diff --git a/apps/sim/ee/access-control/hooks/permission-groups.ts b/apps/sim/ee/access-control/hooks/permission-groups.ts
@@ -31,6 +31,7 @@ export interface UserPermissionConfig {
   permissionGroupId: string | null
   groupName: string | null
   config: PermissionGroupConfig | null
+  entitled: boolean
 }
 
 export const permissionGroupKeys = {
diff --git a/apps/sim/lib/permission-groups/types.ts b/apps/sim/lib/permission-groups/types.ts
@@ -1,3 +1,29 @@
+import { z } from 'zod'
+
+export const permissionGroupConfigSchema = z.object({
+  allowedIntegrations: z.array(z.string()).nullable().optional(),
+  allowedModelProviders: z.array(z.string()).nullable().optional(),
+  hideTraceSpans: z.boolean().optional(),
+  hideKnowledgeBaseTab: z.boolean().optional(),
+  hideTablesTab: z.boolean().optional(),
+  hideCopilot: z.boolean().optional(),
+  hideIntegrationsTab: z.boolean().optional(),
+  hideSecretsTab: z.boolean().optional(),
+  hideApiKeysTab: z.boolean().optional(),
+  hideInboxTab: z.boolean().optional(),
+  hideFilesTab: z.boolean().optional(),
+  disableMcpTools: z.boolean().optional(),
+  disableCustomTools: z.boolean().optional(),
+  disableSkills: z.boolean().optional(),
+  disableInvitations: z.boolean().optional(),
+  disablePublicApi: z.boolean().optional(),
+  hideDeployApi: z.boolean().optional(),
+  hideDeployMcp: z.boolean().optional(),
+  hideDeployA2a: z.boolean().optional(),
+  hideDeployChatbot: z.boolean().optional(),
+  hideDeployTemplate: z.boolean().optional(),
+})
+
 export interface PermissionGroupConfig {
   allowedIntegrations: string[] | null
   allowedModelProviders: string[] | null
diff --git a/apps/sim/tools/index.ts b/apps/sim/tools/index.ts
@@ -17,6 +17,7 @@ import { isUserFile } from '@/lib/core/utils/user-file'
 import { SIM_VIA_HEADER, serializeCallChain } from '@/lib/execution/call-chain'
 import { parseMcpToolId } from '@/lib/mcp/utils'
 import { resolveWorkspaceFileReference } from '@/lib/uploads/contexts/workspace/workspace-file-manager'
+import { assertPermissionsAllowed } from '@/ee/access-control/utils/permission-check'
 import { isCustomTool, isMcpTool } from '@/executor/constants'
 import { resolveSkillContent } from '@/executor/handlers/agent/skills-resolver'
 import type { ExecutionContext, UserFile } from '@/executor/types'
@@ -776,9 +777,6 @@ export async function executeTool(
             : undefined
 
     if (toolKind && scope.userId && scope.workspaceId) {
-      const { assertPermissionsAllowed } = await import(
-        '@/ee/access-control/utils/permission-check'
-      )
       await assertPermissionsAllowed({
         userId: scope.userId,
         workspaceId: scope.workspaceId,
diff --git a/packages/db/migrations/0193_workspace_scoped_access_control.sql b/packages/db/migrations/0193_workspace_scoped_access_control.sql
@@ -3,6 +3,28 @@
 -- owned by that org; members are copied to each clone only if the user has
 -- workspace-level permissions on the target workspace.
 
+-- 0. Backfill workspace -> organization links for grandfathered workspaces whose
+--    billed account user is the sole owner of exactly one organization. This is a
+--    best-effort reconciliation: migration 0192 defaulted every pre-existing
+--    workspace to `grandfathered_shared` with `organization_id = NULL`, but many
+--    of those workspaces belong to users who own a single org. Without this link,
+--    the permission-group clone step below would drop all access control data for
+--    those workspaces. We only attach when ownership is unambiguous (user owns
+--    exactly one org) to avoid silently binding a workspace to the wrong org.
+UPDATE "workspace" w
+SET "organization_id" = owner_orgs."organization_id",
+    "workspace_mode" = 'organization'::"workspace_mode"
+FROM (
+  SELECT m."user_id", MIN(m."organization_id") AS "organization_id"
+  FROM "member" m
+  WHERE m."role" = 'owner'
+  GROUP BY m."user_id"
+  HAVING COUNT(*) = 1
+) AS owner_orgs
+WHERE w."organization_id" IS NULL
+  AND w."workspace_mode" = 'grandfathered_shared'
+  AND w."billed_account_user_id" = owner_orgs."user_id";--> statement-breakpoint
+
 -- 1. Add workspace_id as nullable so existing rows can coexist during the data migration.
 ALTER TABLE "permission_group" ADD COLUMN "workspace_id" text;--> statement-breakpoint
 ALTER TABLE "permission_group" ADD CONSTRAINT "permission_group_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
@@ -64,6 +86,10 @@ WHERE EXISTS (
   WHERE p."entity_type" = 'workspace'
     AND p."entity_id" = plan."workspace_id"
     AND p."user_id" = m."user_id"
+) OR EXISTS (
+  SELECT 1 FROM "workspace" w
+  WHERE w."id" = plan."workspace_id"
+    AND w."owner_id" = m."user_id"
 );--> statement-breakpoint
 
 -- 5. Delete legacy org-scoped rows now that clones exist.

Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ export interface UserPermissionConfig {`
`31`	`31`	`permissionGroupId: string \| null`
`32`	`32`	`groupName: string \| null`
`33`	`33`	`config: PermissionGroupConfig \| null`
	`34`	`+ entitled: boolean`
`34`	`35`	`}`
`35`	`36`
`36`	`37`	`export const permissionGroupKeys = {`