| 50 | * webhooks) from reaching into other workspaces the actor administers. |
| 51 | */ |
export async function authorizeDeploymentWorkflow(
  userId: string,
  workflowId: string,
  workspaceId: string,
  action: 'read' | 'admin'
): Promise<
  { ok: true; workflow: AuthorizedDeploymentWorkflow } | { ok: false; response: NextResponse }
> {
  // Gate 1: ask whether this user holds `action` on the workflow. The lookup is
  // keyed on workflowId, userId and action only; `workspaceId` is not passed to
  // it, so a pass here says nothing yet about which workspace the workflow is in.
  const permission = await authorizeWorkflowByWorkspacePermission({ workflowId, userId, action })

  // Falsy when the check was refused or when it came back without a workflow
  // record; both cases are answered with the checker's own message and status.
  const workflow = permission.allowed && permission.workflow
  if (!workflow) {
    // `||` (not `??`) so an empty message also falls back to 'Access denied'.
    const denial = deploymentToolError(permission.message || 'Access denied', permission.status)
    return { ok: false, response: denial }
  }

  // Gate 2: the workflow must belong to the workspace this call is scoped to.
  // Without this comparison a user who also has rights in another workspace
  // could address that workspace's workflows through this one. The mismatch is
  // answered as 404, not as a permission error.
  // NOTE(review): this gate is only as strong as the provenance of `workspaceId`;
  // confirm callers derive it from the authenticated context rather than from
  // caller-controlled request input.
  if (workflow.workspaceId !== workspaceId) {
    const notFound = deploymentToolError('Workflow not found in this workspace', 404)
    return { ok: false, response: notFound }
  }

  return { ok: true, workflow }
}