hub / github.com/simstudioai/sim / verifyRegularFileAccess

Function verifyRegularFileAccess

apps/sim/app/api/files/authorization.ts:638–713  ·  view source on GitHub ↗

Verify access to regular uploads. Regular uploads are named UUID-filename or timestamp-filename. Priority: Database lookup (for workspace files) > Metadata > Deny.

(
  cloudKey: string,
  userId: string,
  customConfig?: StorageConfig,
  isLocal?: boolean,
  requireWrite = false
)

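Source from the content-addressed store, hash-verified. The excerpt below is truncated: it shows lines 636–695, while the function spans 638–713, so the remaining metadata branches, the final deny path and the error handler are not visible here.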

636 * Priority: Database lookup (for workspace files) > Metadata > Deny
637 */
638async function verifyRegularFileAccess(
639 cloudKey: string,
640 userId: string,
641 customConfig?: StorageConfig,
642 isLocal?: boolean,
643 requireWrite = false
644): Promise<boolean> {
645 try {
646 // Priority 1: Check if this might be a workspace file (check database)
647 // This handles legacy files that might not have metadata
648 const workspaceFileRecord = await lookupWorkspaceFileByKey(cloudKey)
649 if (workspaceFileRecord) {
650 const permission = await getUserEntityPermissions(
651 userId,
652 'workspace',
653 workspaceFileRecord.workspaceId
654 )
655 if (workspacePermissionSatisfies(permission, requireWrite)) {
656 logger.debug('Regular file access granted (workspace file from database)', {
657 userId,
658 workspaceId: workspaceFileRecord.workspaceId,
659 cloudKey,
660 })
661 return true
662 }
663 logger.warn('User does not have workspace access for file', {
664 userId,
665 workspaceId: workspaceFileRecord.workspaceId,
666 cloudKey,
667 })
668 return false
669 }
670
671 // Priority 2: Check metadata (works for both local and cloud files)
672 const config: StorageConfig = customConfig || {}
673 const metadata = await getFileMetadata(cloudKey, config)
674 const fileUserId = metadata.userId
675 const workspaceId = metadata.workspaceId
676
677 // If file has userId, verify ownership
678 if (fileUserId) {
679 if (fileUserId === userId) {
680 logger.debug('Regular file access granted (userId match)', { userId, cloudKey })
681 return true
682 }
683 logger.warn('User does not own file', { userId, fileUserId, cloudKey })
684 return false
685 }
686
687 // If file has workspaceId, verify workspace membership
688 if (workspaceId) {
689 const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
690 if (workspacePermissionSatisfies(permission, requireWrite)) {
691 logger.debug('Regular file access granted (workspace membership)', {
692 userId,
693 workspaceId,
694 cloudKey,
695 })

Callers 1

verifyFileAccessFunction · 0.85

Calls 7

getUserEntityPermissionsFunction · 0.90
getFileMetadataFunction · 0.90
lookupWorkspaceFileByKeyFunction · 0.85
debugMethod · 0.80
errorMethod · 0.80
warnMethod · 0.65

Tested by

no test coverage detected