fix(permissions): cannot create workflow with read perms (#1671)

Author: icecrasher321

apps/sim/app/api/workflows/route.ts

@@ -5,6 +5,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console/logger'
+import { getUserEntityPermissions } from '@/lib/permissions/utils'
 import { generateRequestId } from '@/lib/utils'
 import { verifyWorkspaceMembership } from './utils'
 
@@ -94,6 +95,24 @@ export async function POST(req: NextRequest) {
     const body = await req.json()
     const { name, description, color, workspaceId, folderId } = CreateWorkflowSchema.parse(body)
 
+    if (workspaceId) {
+      const workspacePermission = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        workspaceId
+      )
+
+      if (!workspacePermission || workspacePermission === 'read') {
+        logger.warn(
+          `[${requestId}] User ${session.user.id} attempted to create workflow in workspace ${workspaceId} without write permissions`
+        )
+        return NextResponse.json(
+          { error: 'Write or Admin access required to create workflows in this workspace' },
+          { status: 403 }
+        )
+      }
+    }
+
     const workflowId = crypto.randomUUID()
     const now = new Date()
 

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/create-menu/create-menu.tsx

@@ -323,9 +323,12 @@ export function CreateMenu({ onCreateWorkflow, isCreatingWorkflow = false }: Cre
         >
           {/* New Workflow */}
           <button
-            className={cn(menuItemClassName, isCreatingWorkflow && 'cursor-not-allowed opacity-50')}
+            className={cn(
+              menuItemClassName,
+              (isCreatingWorkflow || !userPermissions.canEdit) && 'cursor-not-allowed opacity-50'
+            )}
             onClick={handleCreateWorkflow}
-            disabled={isCreatingWorkflow}
+            disabled={isCreatingWorkflow || !userPermissions.canEdit}
           >
             <Plus className={iconClassName} />
             <span className={textClassName}>
@@ -335,27 +338,31 @@ export function CreateMenu({ onCreateWorkflow, isCreatingWorkflow = false }: Cre
 
           {/* New Folder */}
           <button
-            className={cn(menuItemClassName, isCreating && 'cursor-not-allowed opacity-50')}
+            className={cn(
+              menuItemClassName,
+              (isCreating || !userPermissions.canEdit) && 'cursor-not-allowed opacity-50'
+            )}
             onClick={handleCreateFolder}
-            disabled={isCreating}
+            disabled={isCreating || !userPermissions.canEdit}
           >
             <Folder className={iconClassName} />
             <span className={textClassName}>{isCreating ? 'Creating...' : 'New folder'}</span>
           </button>
 
           {/* Import Workflow */}
-          {userPermissions.canEdit && (
-            <button
-              className={cn(menuItemClassName, isImporting && 'cursor-not-allowed opacity-50')}
-              onClick={handleImportWorkflow}
-              disabled={isImporting}
-            >
-              <Download className={iconClassName} />
-              <span className={textClassName}>
-                {isImporting ? 'Importing...' : 'Import workflow'}
-              </span>
-            </button>
-          )}
+          <button
+            className={cn(
+              menuItemClassName,
+              (isImporting || !userPermissions.canEdit) && 'cursor-not-allowed opacity-50'
+            )}
+            onClick={handleImportWorkflow}
+            disabled={isImporting || !userPermissions.canEdit}
+          >
+            <Download className={iconClassName} />
+            <span className={textClassName}>
+              {isImporting ? 'Importing...' : 'Import workflow'}
+            </span>
+          </button>
         </PopoverContent>
       </Popover>