| 312 | * Returns session and workflow info if authorized, or error response if not |
| 313 | */ |
export async function validateWorkflowPermissions(
  workflowId: string,
  requestId: string,
  action: 'read' | 'write' | 'admin' = 'read'
) {
  // Gate for workflow routes: authenticate the caller, then ask the workspace
  // permission helper whether this user may perform `action` on the workflow.
  // Every failure path returns `session: null` and `workflow: null`, so a
  // caller that forgets to check `error` has nothing to act on.
  const logPrefix = `[${requestId}]`

  // Step 1: authentication. A missing session, user or user id is rejected
  // with 401 before any workflow lookup happens.
  const session = await getSession()
  if (!session?.user?.id) {
    logger.warn(`${logPrefix} No authenticated user session for workflow ${action}`)
    return {
      error: { message: 'Unauthorized', status: 401 },
      session: null,
      workflow: null,
    }
  }
  const userId = session.user.id

  // Step 2: authorization. The decision itself is delegated; this function
  // only interprets the `workflow`, `allowed`, `message` and `status` fields.
  const {
    workflow,
    allowed,
    message: denialReason,
    status,
  } = await authorizeWorkflowByWorkspacePermission({ workflowId, userId, action })

  // Existence is reported before permission: a missing workflow yields 404,
  // while a denied one yields the helper's status below.
  // NOTE(review): if those statuses differ, any authenticated caller can tell
  // whether a workflow id exists. Confirm that is acceptable for this API.
  if (!workflow) {
    // NOTE(review): workflowId and requestId are interpolated into the log
    // line as received; presumably they are caller-supplied, so verify they
    // are validated upstream or that the logger neutralises control characters.
    logger.warn(`${logPrefix} Workflow ${workflowId} not found`)
    return {
      error: { message: 'Workflow not found', status: 404 },
      session: null,
      workflow: null,
    }
  }

  if (!allowed) {
    logger.warn(
      `${logPrefix} User ${userId} unauthorized to ${action} workflow ${workflowId}`,
      { action, workflowId }
    )
    return {
      error: {
        // The helper's message is forwarded to the caller verbatim when present.
        // NOTE(review): confirm it never carries internal detail.
        message: denialReason || `Unauthorized: Access denied to ${action} this workflow`,
        // NOTE(review): assumes the helper always supplies an error status on
        // denial; an undefined value here would leave the HTTP status up to
        // whatever the route handler defaults to. Verify against the helper.
        status,
      },
      session: null,
      workflow: null,
    }
  }

  // Authorized: hand back the live session and the workflow the helper loaded.
  return {
    error: null,
    session,
    workflow,
  }
}
| 367 | |
| 368 | // ── Workflow CRUD ── |
| 369 | |