feat(files): gate public sharing behind an access-control permission

TheodoreSpeaks · TheodoreSpeaks · commit d939f0c6f77c · 2026-06-18T16:43:54.000-07:00
diff --git a/apps/sim/app/api/workspaces/[id]/files/[fileId]/share/route.test.ts b/apps/sim/app/api/workspaces/[id]/files/[fileId]/share/route.test.ts
@@ -5,11 +5,13 @@ import { auditMock, authMockFns, permissionsMock, permissionsMockFns } from '@si
 import { NextRequest } from 'next/server'
 import { beforeEach, describe, expect, it, vi } from 'vitest'
 
-const { mockGetWorkspaceFile, mockGetShareForResource, mockUpsertFileShare } = vi.hoisted(() => ({
-  mockGetWorkspaceFile: vi.fn(),
-  mockGetShareForResource: vi.fn(),
-  mockUpsertFileShare: vi.fn(),
-}))
+const { mockGetWorkspaceFile, mockGetShareForResource, mockUpsertFileShare, mockValidateSharing } =
+  vi.hoisted(() => ({
+    mockGetWorkspaceFile: vi.fn(),
+    mockGetShareForResource: vi.fn(),
+    mockUpsertFileShare: vi.fn(),
+    mockValidateSharing: vi.fn(),
+  }))
 
 vi.mock('@/lib/uploads/contexts/workspace', () => ({
   getWorkspaceFile: mockGetWorkspaceFile,
@@ -20,6 +22,16 @@ vi.mock('@/lib/public-shares/share-manager', () => ({
   upsertFileShare: mockUpsertFileShare,
 }))
 
+vi.mock('@/ee/access-control/utils/permission-check', () => {
+  class PublicFileSharingNotAllowedError extends Error {
+    constructor() {
+      super('Public file sharing is not allowed based on your permission group settings')
+      this.name = 'PublicFileSharingNotAllowedError'
+    }
+  }
+  return { validatePublicFileSharing: mockValidateSharing, PublicFileSharingNotAllowedError }
+})
+
 vi.mock('@/lib/workspaces/permissions/utils', () => permissionsMock)
 vi.mock('@sim/audit', () => auditMock)
 
@@ -59,6 +71,7 @@ describe('share route', () => {
     mockGetWorkspaceFile.mockResolvedValue({ id: FILE_ID, name: 'report.pdf' })
     mockGetShareForResource.mockResolvedValue(SHARE)
     mockUpsertFileShare.mockResolvedValue(SHARE)
+    mockValidateSharing.mockResolvedValue(undefined) // policy allows by default
   })
 
   describe('GET', () => {
@@ -108,6 +121,29 @@ describe('share route', () => {
       expect(await res.json()).toEqual({ share: SHARE })
     })
 
+    it('returns 403 when org access-control disables public sharing (enable)', async () => {
+      const { PublicFileSharingNotAllowedError } = await import(
+        '@/ee/access-control/utils/permission-check'
+      )
+      mockValidateSharing.mockRejectedValueOnce(new PublicFileSharingNotAllowedError())
+      const res = await PUT(putRequest({ isActive: true }), params())
+      expect(res.status).toBe(403)
+      expect(mockUpsertFileShare).not.toHaveBeenCalled()
+    })
+
+    it('allows disabling a share even when policy disallows enabling', async () => {
+      mockValidateSharing.mockRejectedValue(new Error('should not be called for disable'))
+      const res = await PUT(putRequest({ isActive: false }), params())
+      expect(res.status).toBe(200)
+      expect(mockValidateSharing).not.toHaveBeenCalled()
+      expect(mockUpsertFileShare).toHaveBeenCalledWith({
+        workspaceId: WS,
+        fileId: FILE_ID,
+        userId: 'user-1',
+        isActive: false,
+      })
+    })
+
     it('rejects a missing isActive body', async () => {
       const res = await PUT(putRequest({}), params())
       expect(res.status).toBe(400)
diff --git a/apps/sim/app/api/workspaces/[id]/files/[fileId]/share/route.ts b/apps/sim/app/api/workspaces/[id]/files/[fileId]/share/route.ts
@@ -10,6 +10,10 @@ import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { getShareForResource, upsertFileShare } from '@/lib/public-shares/share-manager'
 import { getWorkspaceFile } from '@/lib/uploads/contexts/workspace'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
+import {
+  PublicFileSharingNotAllowedError,
+  validatePublicFileSharing,
+} from '@/ee/access-control/utils/permission-check'
 
 export const dynamic = 'force-dynamic'
 
@@ -92,6 +96,20 @@ export const PUT = withRouteHandler(
         return NextResponse.json({ error: 'File not found' }, { status: 404 })
       }
 
+      // Enabling a public link is gated by the org's access-control policy; disabling
+      // is always allowed so users can still un-share after the policy is turned on.
+      if (isActive) {
+        try {
+          await validatePublicFileSharing(session.user.id, workspaceId)
+        } catch (error) {
+          if (error instanceof PublicFileSharingNotAllowedError) {
+            logger.warn(`[${requestId}] Public file sharing disabled for workspace ${workspaceId}`)
+            return NextResponse.json({ error: error.message }, { status: 403 })
+          }
+          throw error
+        }
+      }
+
       const share = await upsertFileShare({
         workspaceId,
         fileId,
diff --git a/apps/sim/app/workspace/[workspaceId]/files/components/share-modal/share-modal.tsx b/apps/sim/app/workspace/[workspaceId]/files/components/share-modal/share-modal.tsx
@@ -12,6 +12,7 @@ import {
 import { Link } from '@/components/emcn/icons'
 import type { ShareRecord } from '@/lib/api/contracts/public-shares'
 import { useFileShare, useUpsertFileShare } from '@/hooks/queries/public-shares'
+import { usePermissionConfig } from '@/hooks/use-permission-config'
 
 interface ShareModalProps {
   open: boolean
@@ -37,11 +38,16 @@ export function ShareModal({
   initialShare,
 }: ShareModalProps) {
   const { data: share } = useFileShare(workspaceId, fileId, { enabled: open })
+  const { config: permissionConfig } = usePermissionConfig()
   const upsertShare = useUpsertFileShare()
 
   const saved = share ?? initialShare ?? null
   const savedActive = saved?.isActive ?? false
 
+  // Org access-control policy can disable enabling new public links (the route is the
+  // source of truth; this just reflects it). Disabling an existing share stays allowed.
+  const enableBlockedByPolicy = permissionConfig.disablePublicFileSharing && !savedActive
+
   // `null` until the user toggles, so the switch always reflects the authoritative
   // saved state (which may resolve after mount via useFileShare) instead of a stale
   // initial snapshot — otherwise a Save could silently flip sharing the wrong way.
@@ -66,11 +72,13 @@ export function ShareModal({
           type='custom'
           title='Access'
           hint={
-            effectiveActive
-              ? isDirty
-                ? 'Save to make this file accessible to anyone with the link.'
-                : 'Anyone with the link can view and download this file.'
-              : 'Only workspace members can access this file.'
+            enableBlockedByPolicy
+              ? 'Public sharing is disabled for this workspace by an administrator.'
+              : effectiveActive
+                ? isDirty
+                  ? 'Save to make this file accessible to anyone with the link.'
+                  : 'Anyone with the link can view and download this file.'
+                : 'Only workspace members can access this file.'
           }
         >
           <ChipSwitch
@@ -89,7 +97,7 @@ export function ShareModal({
         primaryAction={{
           label: upsertShare.isPending ? 'Saving...' : 'Save',
           onClick: handleSave,
-          disabled: !isDirty || upsertShare.isPending,
+          disabled: !isDirty || upsertShare.isPending || (effectiveActive && enableBlockedByPolicy),
         }}
       />
     </ChipModal>
diff --git a/apps/sim/ee/access-control/components/access-control.tsx b/apps/sim/ee/access-control/components/access-control.tsx
@@ -644,6 +644,12 @@ export function AccessControl() {
         category: 'Features',
         configKey: 'disablePublicApi' as const,
       },
+      {
+        id: 'disable-public-file-sharing',
+        label: 'Public Sharing',
+        category: 'Files',
+        configKey: 'disablePublicFileSharing' as const,
+      },
     ],
     []
   )
diff --git a/apps/sim/ee/access-control/utils/permission-check.test.ts b/apps/sim/ee/access-control/utils/permission-check.test.ts
@@ -32,6 +32,7 @@ const {
     disableSkills: false,
     disableInvitations: false,
     disablePublicApi: false,
+    disablePublicFileSharing: false,
     hideDeployApi: false,
     hideDeployMcp: false,
     hideDeployA2a: false,
diff --git a/apps/sim/ee/access-control/utils/permission-check.ts b/apps/sim/ee/access-control/utils/permission-check.ts
@@ -84,6 +84,13 @@ export class PublicApiNotAllowedError extends Error {
   }
 }
 
+export class PublicFileSharingNotAllowedError extends Error {
+  constructor() {
+    super('Public file sharing is not allowed based on your permission group settings')
+    this.name = 'PublicFileSharingNotAllowedError'
+  }
+}
+
 /**
  * Merges the env allowlist into a permission config.
  * If `config` is null and no env allowlist is set, returns null.
@@ -284,6 +291,21 @@ export async function getUserPermissionConfig(
   return mergeEnvAllowlist(resolved?.config ?? null)
 }
 
+/**
+ * Throws {@link PublicFileSharingNotAllowedError} if the user's effective permission
+ * group for the workspace disables public file sharing. No-op when access control
+ * doesn't apply (non-enterprise / disabled), so non-governed orgs are unaffected.
+ */
+export async function validatePublicFileSharing(
+  userId: string,
+  workspaceId: string
+): Promise<void> {
+  const config = await getUserPermissionConfig(userId, workspaceId)
+  if (config?.disablePublicFileSharing) {
+    throw new PublicFileSharingNotAllowedError()
+  }
+}
+
 /**
  * Org-addressed variant of {@link getUserPermissionConfig}. Use when only the
  * organization is known (e.g. organization-level invitations); resolves the
diff --git a/apps/sim/lib/api/contracts/permission-groups.ts b/apps/sim/lib/api/contracts/permission-groups.ts
@@ -21,6 +21,7 @@ export const permissionGroupFullConfigSchema = z.object({
   disableSkills: z.boolean(),
   disableInvitations: z.boolean(),
   disablePublicApi: z.boolean(),
+  disablePublicFileSharing: z.boolean(),
   hideDeployApi: z.boolean(),
   hideDeployMcp: z.boolean(),
   hideDeployA2a: z.boolean(),
diff --git a/apps/sim/lib/permission-groups/types.ts b/apps/sim/lib/permission-groups/types.ts
@@ -31,6 +31,7 @@ export const permissionGroupConfigSchema = z.object({
   disableSkills: z.boolean().optional(),
   disableInvitations: z.boolean().optional(),
   disablePublicApi: z.boolean().optional(),
+  disablePublicFileSharing: z.boolean().optional(),
   hideDeployApi: z.boolean().optional(),
   hideDeployMcp: z.boolean().optional(),
   hideDeployA2a: z.boolean().optional(),
@@ -60,6 +61,7 @@ export interface PermissionGroupConfig {
   disableSkills: boolean
   disableInvitations: boolean
   disablePublicApi: boolean
+  disablePublicFileSharing: boolean
   hideDeployApi: boolean
   hideDeployMcp: boolean
   hideDeployA2a: boolean
@@ -85,6 +87,7 @@ export const DEFAULT_PERMISSION_GROUP_CONFIG: PermissionGroupConfig = {
   disableSkills: false,
   disableInvitations: false,
   disablePublicApi: false,
+  disablePublicFileSharing: false,
   hideDeployApi: false,
   hideDeployMcp: false,
   hideDeployA2a: false,
@@ -120,6 +123,8 @@ export function parsePermissionGroupConfig(config: unknown): PermissionGroupConf
     disableSkills: typeof c.disableSkills === 'boolean' ? c.disableSkills : false,
     disableInvitations: typeof c.disableInvitations === 'boolean' ? c.disableInvitations : false,
     disablePublicApi: typeof c.disablePublicApi === 'boolean' ? c.disablePublicApi : false,
+    disablePublicFileSharing:
+      typeof c.disablePublicFileSharing === 'boolean' ? c.disablePublicFileSharing : false,
     hideDeployApi: typeof c.hideDeployApi === 'boolean' ? c.hideDeployApi : false,
     hideDeployMcp: typeof c.hideDeployMcp === 'boolean' ? c.hideDeployMcp : false,
     hideDeployA2a: typeof c.hideDeployA2a === 'boolean' ? c.hideDeployA2a : false,
