address bugbot comments

Author: icecrasher321

apps/sim/app/api/credentials/[id]/members/route.ts

@@ -5,6 +5,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
+import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('CredentialMembersAPI')
 
@@ -37,7 +38,7 @@ export async function GET(_request: NextRequest, context: RouteContext) {
     const { id: credentialId } = await context.params
 
     const [cred] = await db
-      .select({ id: credential.id })
+      .select({ id: credential.id, workspaceId: credential.workspaceId })
       .from(credential)
       .where(eq(credential.id, credentialId))
       .limit(1)
@@ -46,6 +47,15 @@ export async function GET(_request: NextRequest, context: RouteContext) {
       return NextResponse.json({ members: [] }, { status: 200 })
     }
 
+    const callerPerm = await getUserEntityPermissions(
+      session.user.id,
+      'workspace',
+      cred.workspaceId
+    )
+    if (callerPerm === null) {
+      return NextResponse.json({ error: 'Forbidden' }, { status: 403 })
+    }
+
     const members = await db
       .select({
         id: credentialMember.id,

apps/sim/lib/auth/credential-access.ts

@@ -39,6 +39,8 @@ export async function authorizeCredentialUse(
     return { ok: false, error: auth.error || 'Authentication required' }
   }
 
+  const actingUserId = auth.authType === 'internal_jwt' ? callerUserId : auth.userId
+
   const [workflowContext] = workflowId
     ? await db
         .select({ workspaceId: workflowTable.workspaceId })
@@ -81,12 +83,9 @@ export async function authorizeCredentialUse(
       return { ok: false, error: 'Credential account not found' }
     }
 
-    const effectiveCallerId =
-      callerUserId || (auth.authType !== 'internal_jwt' ? auth.userId : null)
-
-    if (effectiveCallerId) {
+    if (actingUserId) {
       const requesterPerm = await getUserEntityPermissions(
-        effectiveCallerId,
+        actingUserId,
         'workspace',
         platformCredential.workspaceId
       )
@@ -97,7 +96,7 @@ export async function authorizeCredentialUse(
         .where(
           and(
             eq(credentialMember.credentialId, platformCredential.id),
-            eq(credentialMember.userId, effectiveCallerId),
+            eq(credentialMember.userId, actingUserId),
             eq(credentialMember.status, 'active')
           )
         )
@@ -167,16 +166,14 @@ export async function authorizeCredentialUse(
       return { ok: false, error: 'Credential account not found' }
     }
 
-    const legacyCallerId = callerUserId || (auth.authType !== 'internal_jwt' ? auth.userId : null)
-
-    if (legacyCallerId) {
+    if (actingUserId) {
       const [membership] = await db
         .select({ id: credentialMember.id })
         .from(credentialMember)
         .where(
           and(
             eq(credentialMember.credentialId, workspaceCredential.id),
-            eq(credentialMember.userId, legacyCallerId),
+            eq(credentialMember.userId, actingUserId),
             eq(credentialMember.status, 'active')
           )
         )