hub / github.com/simstudioai/sim / verifyFileAccess

Function verifyFileAccess

apps/sim/app/api/files/authorization.ts:130–193
(
  cloudKey: string,
  userId: string,
  customConfig?: StorageConfig,
  context?: StorageContext | 'general',
  isLocal?: boolean,
  options?: { requireWrite?: boolean }
)

Source from the content-addressed store, hash-verified

128 * @returns Promise<boolean> True if user has access, false otherwise
129 */
130export async function verifyFileAccess(
131 cloudKey: string,
132 userId: string,
133 customConfig?: StorageConfig,
134 context?: StorageContext | 'general',
135 isLocal?: boolean,
136 options?: { requireWrite?: boolean }
137): Promise<boolean> {
138 const requireWrite = options?.requireWrite ?? false
139 try {
140 if (context === 'general') {
141 return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite)
142 }
143
144 // Infer context from key if not explicitly provided
145 const inferredContext = context || inferContextFromKey(cloudKey)
146
147 // 0. Public contexts: profile pictures, OG images, and workspace logos are world-readable, so reads short-circuit; writes require proof of ownership
148 if (
149 inferredContext === 'profile-pictures' ||
150 inferredContext === 'og-images' ||
151 inferredContext === 'workspace-logos'
152 ) {
153 if (requireWrite) {
154 return await verifyPublicAssetWriteAccess(cloudKey, userId, inferredContext, customConfig)
155 }
156 logger.info('Public file access allowed', { cloudKey, context: inferredContext })
157 return true
158 }
159
160 // 1. Workspace / mothership files: Check database first (most reliable for both local and cloud)
161 if (inferredContext === 'workspace' || inferredContext === 'mothership') {
162 return await verifyWorkspaceFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite)
163 }
164
165 // 2. Execution files: workspace_id/workflow_id/execution_id/filename
166 if (inferredContext === 'execution') {
167 return await verifyExecutionFileAccess(cloudKey, userId, customConfig, requireWrite)
168 }
169
170 // 3. Copilot files: Check database first, then metadata, then path pattern (legacy)
171 if (inferredContext === 'copilot') {
172 return await verifyCopilotFileAccess(cloudKey, userId, customConfig)
173 }
174
175 // 4. KB files: kb/filename
176 if (inferredContext === 'knowledge-base') {
177 return await verifyKBFileAccess(cloudKey, userId, customConfig)
178 }
179
180 // 5. Chat files: chat/filename
181 if (inferredContext === 'chat') {
182 return await verifyChatFileAccess(cloudKey, userId, customConfig, requireWrite)
183 }
184
185 // 6. Regular uploads: UUID-filename or timestamp-filename
186 // Check metadata for userId/workspaceId, or database for workspace files
187 return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite)

Callers 15

resolveFileInputToUrl Function · 0.90
downloadFileFromUrl Function · 0.90
resolveInternalFileUrl Function · 0.90
uploadFilesToSlack Function · 0.90
grantAccess Function · 0.90
read Function · 0.90
write Function · 0.90
handleLocalFile Function · 0.90
handleCloudProxy Function · 0.90

Calls 10

inferContextFromKey Function · 0.90
verifyRegularFileAccess Function · 0.85
verifyCopilotFileAccess Function · 0.85
verifyKBFileAccess Function · 0.85
verifyChatFileAccess Function · 0.85
info Method · 0.80
error Method · 0.80

Tested by 3

grantAccess Function · 0.72
read Function · 0.72
write Function · 0.72