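Verify access to workspace files. Priority: Database lookup > Metadata > Deny. A workspace file record found in the database decides the result on its own; storage metadata is consulted only when no such record exists.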
( cloudKey: string, userId: string, customConfig?: StorageConfig, isLocal?: boolean, requireWrite = false )
| 197 | * Priority: Database lookup > Metadata > Deny |
| 198 | */ |
| 199 | async function verifyWorkspaceFileAccess( |
| 200 | cloudKey: string, |
| 201 | userId: string, |
| 202 | customConfig?: StorageConfig, |
| 203 | isLocal?: boolean, |
| 204 | requireWrite = false |
| 205 | ): Promise<boolean> { |
| 206 | try { |
| 207 | const anyWorkspaceFileRecord = await getFileMetadataByKey(cloudKey, 'workspace', { |
| 208 | includeDeleted: true, |
| 209 | }) |
| 210 | if (anyWorkspaceFileRecord?.deletedAt) { |
| 211 | logger.warn('Workspace file access denied for archived file', { |
| 212 | userId, |
| 213 | cloudKey, |
| 214 | }) |
| 215 | return false |
| 216 | } |
| 217 | |
| 218 | // Priority 1: Check database (most reliable, works for both local and cloud) |
| 219 | const workspaceFileRecord = await lookupWorkspaceFileByKey(cloudKey) |
| 220 | if (workspaceFileRecord) { |
| 221 | const permission = await getUserEntityPermissions( |
| 222 | userId, |
| 223 | 'workspace', |
| 224 | workspaceFileRecord.workspaceId |
| 225 | ) |
| 226 | if (workspacePermissionSatisfies(permission, requireWrite)) { |
| 227 | logger.debug('Workspace file access granted (database lookup)', { |
| 228 | userId, |
| 229 | workspaceId: workspaceFileRecord.workspaceId, |
| 230 | cloudKey, |
| 231 | }) |
| 232 | return true |
| 233 | } |
| 234 | logger.warn('User does not have workspace access for file', { |
| 235 | userId, |
| 236 | workspaceId: workspaceFileRecord.workspaceId, |
| 237 | cloudKey, |
| 238 | }) |
| 239 | return false |
| 240 | } |
| 241 | |
| 242 | // Priority 2: Check metadata (works for both local and cloud files) |
| 243 | const config: StorageConfig = customConfig || {} |
| 244 | const metadata = await getFileMetadata(cloudKey, config) |
| 245 | const workspaceId = metadata.workspaceId |
| 246 | |
| 247 | if (workspaceId) { |
| 248 | const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId) |
| 249 | if (workspacePermissionSatisfies(permission, requireWrite)) { |
| 250 | logger.debug('Workspace file access granted (metadata)', { |
| 251 | userId, |
| 252 | workspaceId, |
| 253 | cloudKey, |
| 254 | }) |
| 255 | return true |
| 256 | } |
no test coverage detected