hub / github.com/simstudioai/sim / verifyWorkspaceFileAccess

Function verifyWorkspaceFileAccess

apps/sim/app/api/files/authorization.ts:199–271  ·  view source on GitHub ↗

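Verify access to workspace files. Priority: Database lookup > Metadata > Deny. In the listing below, a record whose `deletedAt` is set (an archived file) is denied before either lookup is consulted. `requireWrite` defaults to `false`, so a caller that needs a write-level check has to pass it explicitly.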

(
  cloudKey: string,
  userId: string,
  customConfig?: StorageConfig,
  isLocal?: boolean,
  requireWrite = false
)


197 * Priority: Database lookup > Metadata > Deny
198 */
199async function verifyWorkspaceFileAccess(
200 cloudKey: string,
201 userId: string,
202 customConfig?: StorageConfig,
203 isLocal?: boolean,
204 requireWrite = false
205): Promise<boolean> {
206 try {
207 const anyWorkspaceFileRecord = await getFileMetadataByKey(cloudKey, 'workspace', {
208 includeDeleted: true,
209 })
210 if (anyWorkspaceFileRecord?.deletedAt) {
211 logger.warn('Workspace file access denied for archived file', {
212 userId,
213 cloudKey,
214 })
215 return false
216 }
217
218 // Priority 1: Check database (most reliable, works for both local and cloud)
219 const workspaceFileRecord = await lookupWorkspaceFileByKey(cloudKey)
220 if (workspaceFileRecord) {
221 const permission = await getUserEntityPermissions(
222 userId,
223 'workspace',
224 workspaceFileRecord.workspaceId
225 )
226 if (workspacePermissionSatisfies(permission, requireWrite)) {
227 logger.debug('Workspace file access granted (database lookup)', {
228 userId,
229 workspaceId: workspaceFileRecord.workspaceId,
230 cloudKey,
231 })
232 return true
233 }
234 logger.warn('User does not have workspace access for file', {
235 userId,
236 workspaceId: workspaceFileRecord.workspaceId,
237 cloudKey,
238 })
239 return false
240 }
241
242 // Priority 2: Check metadata (works for both local and cloud files)
243 const config: StorageConfig = customConfig || {}
244 const metadata = await getFileMetadata(cloudKey, config)
245 const workspaceId = metadata.workspaceId
246
247 if (workspaceId) {
248 const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
249 if (workspacePermissionSatisfies(permission, requireWrite)) {
250 logger.debug('Workspace file access granted (metadata)', {
251 userId,
252 workspaceId,
253 cloudKey,
254 })
255 return true
256 }

Callers 1

verifyFileAccess (Function) · 0.85

Calls 8

getFileMetadataByKey (Function) · 0.90
getUserEntityPermissions (Function) · 0.90
getFileMetadata (Function) · 0.90
lookupWorkspaceFileByKey (Function) · 0.85
debug (Method) · 0.80
error (Method) · 0.80
warn (Method) · 0.65

Tested by

no test coverage detected