MCPcopy
hub / github.com/FlowiseAI/Flowise / validatePermissions

Function validatePermissions

packages/server/src/services/apikey/index.ts:20–88  ·  view source on GitHub ↗

* Validates that requested permissions are allowed for API keys * @param user - The logged-in user * @param permissions - string array of requested permissions * @param operation - The operation being performed (for error message) * @throws InternalFlowiseError if validation fails

(user: LoggedInUser, requestedPermissions: string[], operation: string)

Source from the content-addressed store, hash-verified

18 * @throws InternalFlowiseError if validation fails
19 */
20function validatePermissions(user: LoggedInUser, requestedPermissions: string[], operation: string) {
21 // API Keys should not have workspace or admin permissions
22 // This applies to ALL users, including admins (platform constraint)
23 const hasRestrictedPermissions = requestedPermissions.some(
24 (permission: string) => permission.startsWith('workspace:') || permission.startsWith('admin:')
25 )
26
27 if (hasRestrictedPermissions) {
28 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, `Cannot ${operation} API key with workspace or admin permissions`)
29 }
30
31 // For Cloud platform, check feature-gated permissions
32 // This also applies to ALL users, including admins (platform constraint)
33 const appServer = getRunningExpressApp()
34 if (appServer.identityManager.getPlatformType() === Platform.CLOUD) {
35 if (!user.features) {
36 // On Cloud platform, user features should always exist
37 // Log the anomaly with context for debugging
38 logger.error(
39 `[server]: Missing user features on Cloud platform for ${operation} API key. ` +
40 `User: ${user.email || user.id}, ` +
41 `Organization: ${user.activeOrganizationId || 'unknown'}, ` +
42 `Subscription: ${user.activeOrganizationSubscriptionId || 'unknown'}, ` +
43 `Customer: ${user.activeOrganizationCustomerId || 'unknown'}, ` +
44 `Workspace: ${user.activeWorkspaceId || 'unknown'}`
45 )
46 throw new InternalFlowiseError(StatusCodes.INTERNAL_SERVER_ERROR, `Unable to validate permissions: user features not available`)
47 }
48
49 const featureToPermissionMap: { [key: string]: string[] } = {
50 'feat:login-activity': ['loginActivity:'],
51 'feat:logs': ['logs:'],
52 'feat:roles': ['roles:'],
53 'feat:share': ['credentials:share', 'templates:custom-share'],
54 'feat:sso-config': ['sso:'],
55 'feat:users': ['users:'],
56 'feat:workspaces': ['workspace:']
57 }
58
59 const disabledFeatures = Object.entries(user.features).filter(([, value]) => value === 'false')
60 const disabledPermissionPrefixes: string[] = []
61 disabledFeatures.forEach(([featureKey]) => {
62 const prefixes = featureToPermissionMap[featureKey]
63 if (prefixes) {
64 disabledPermissionPrefixes.push(...prefixes)
65 }
66 })
67
68 const hasDisabledFeaturePermissions = requestedPermissions.some((permission: string) =>
69 disabledPermissionPrefixes.some((prefix) => permission.startsWith(prefix))
70 )
71
72 if (hasDisabledFeaturePermissions) {
73 throw new InternalFlowiseError(StatusCodes.BAD_REQUEST, `Cannot ${operation} API key with permissions for disabled features`)
74 }
75 }
76
77 // User permission validation - only applies to non-admins (authorization check)

Callers 2

createApiKeyFunction · 0.85
updateApiKeyFunction · 0.85

Calls 1

getRunningExpressAppFunction · 0.90

Tested by

no test coverage detected