address comments

Author: icecrasher321

apps/sim/app/api/workspaces/[id]/permissions/route.ts

@@ -12,6 +12,7 @@ import { syncWorkspaceEnvCredentials } from '@/lib/credentials/environment'
 import { applyWorkspaceAutoAddGroup } from '@/lib/permission-groups/auto-add'
 import { captureServerEvent } from '@/lib/posthog/server'
 import {
+  checkWorkspaceAccess,
   getUsersWithPermissions,
   hasWorkspaceAdminAccess,
 } from '@/lib/workspaces/permissions/utils'
@@ -46,19 +47,21 @@ export const GET = withRouteHandler(
         return NextResponse.json({ error: 'Authentication required' }, { status: 401 })
       }
 
-      const userPermission = await db
-        .select()
-        .from(permissions)
-        .where(
-          and(
-            eq(permissions.entityId, workspaceId),
-            eq(permissions.entityType, 'workspace'),
-            eq(permissions.userId, session.user.id)
+      const isAdmin = await hasWorkspaceAdminAccess(session.user.id, workspaceId)
+
+      let hasAccess = isAdmin
+      if (!hasAccess) {
+        const access = await checkWorkspaceAccess(workspaceId, session.user.id)
+        if (!access.exists) {
+          return NextResponse.json(
+            { error: 'Workspace not found or access denied' },
+            { status: 404 }
           )
-        )
-        .limit(1)
+        }
+        hasAccess = access.hasAccess
+      }
 
-      if (userPermission.length === 0) {
+      if (!hasAccess) {
         return NextResponse.json({ error: 'Workspace not found or access denied' }, { status: 404 })
       }
 
@@ -67,6 +70,10 @@ export const GET = withRouteHandler(
       return NextResponse.json({
         users: result,
         total: result.length,
+        viewer: {
+          userId: session.user.id,
+          isAdmin,
+        },
       })
     } catch (error) {
       logger.error('Error fetching workspace permissions:', error)

apps/sim/app/api/workspaces/[id]/route.ts

@@ -184,6 +184,16 @@ export const PATCH = withRouteHandler(
           )
         }
 
+        if (existingWorkspace.workspaceMode === 'personal') {
+          return NextResponse.json(
+            {
+              error:
+                'Personal workspaces are always billed to their owner and cannot change billed account.',
+            },
+            { status: 400 }
+          )
+        }
+
         const candidateId = billedAccountUserId
 
         const isOwner = candidateId === existingWorkspace.ownerId

apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/bulk/route.ts

@@ -7,7 +7,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
-import { hasWorkspaceAccessControlAccess } from '@/lib/billing'
+import { isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
@@ -50,8 +50,8 @@ export const POST = withRouteHandler(
         return NextResponse.json({ error: 'Admin permissions required' }, { status: 403 })
       }
 
-      const hasAccess = await hasWorkspaceAccessControlAccess(session.user.id, workspaceId)
-      if (!hasAccess) {
+      const entitled = await isWorkspaceOnEnterprisePlan(workspaceId)
+      if (!entitled) {
         return NextResponse.json(
           { error: 'Access Control is an Enterprise feature' },
           { status: 403 }
@@ -97,36 +97,38 @@ export const POST = withRouteHandler(
         return NextResponse.json({ added: 0, moved: 0 })
       }
 
-      const existingMemberships = await db
-        .select({
-          id: permissionGroupMember.id,
-          userId: permissionGroupMember.userId,
-          permissionGroupId: permissionGroupMember.permissionGroupId,
-        })
-        .from(permissionGroupMember)
-        .innerJoin(permissionGroup, eq(permissionGroupMember.permissionGroupId, permissionGroup.id))
-        .where(
-          and(
-            eq(permissionGroup.workspaceId, workspaceId),
-            inArray(permissionGroupMember.userId, targetUserIds)
+      const { addedUserIds, movedCount } = await db.transaction(async (tx) => {
+        const existingMemberships = await tx
+          .select({
+            id: permissionGroupMember.id,
+            userId: permissionGroupMember.userId,
+            permissionGroupId: permissionGroupMember.permissionGroupId,
+          })
+          .from(permissionGroupMember)
+          .innerJoin(
+            permissionGroup,
+            eq(permissionGroupMember.permissionGroupId, permissionGroup.id)
+          )
+          .where(
+            and(
+              eq(permissionGroup.workspaceId, workspaceId),
+              inArray(permissionGroupMember.userId, targetUserIds)
+            )
           )
-        )
 
-      const alreadyInThisGroup = new Set(
-        existingMemberships.filter((m) => m.permissionGroupId === id).map((m) => m.userId)
-      )
-      const usersToAdd = targetUserIds.filter((uid) => !alreadyInThisGroup.has(uid))
+        const alreadyInThisGroup = new Set(
+          existingMemberships.filter((m) => m.permissionGroupId === id).map((m) => m.userId)
+        )
+        const usersToAdd = targetUserIds.filter((uid) => !alreadyInThisGroup.has(uid))
 
-      if (usersToAdd.length === 0) {
-        return NextResponse.json({ added: 0, moved: 0 })
-      }
+        if (usersToAdd.length === 0) {
+          return { addedUserIds: [] as string[], movedCount: 0 }
+        }
 
-      const membershipsToDelete = existingMemberships.filter(
-        (m) => m.permissionGroupId !== id && usersToAdd.includes(m.userId)
-      )
-      const movedCount = membershipsToDelete.length
+        const membershipsToDelete = existingMemberships.filter(
+          (m) => m.permissionGroupId !== id && usersToAdd.includes(m.userId)
+        )
 
-      await db.transaction(async (tx) => {
         if (membershipsToDelete.length > 0) {
           await tx.delete(permissionGroupMember).where(
             inArray(
@@ -145,12 +147,18 @@ export const POST = withRouteHandler(
         }))
 
         await tx.insert(permissionGroupMember).values(newMembers)
+
+        return { addedUserIds: usersToAdd, movedCount: membershipsToDelete.length }
       })
 
+      if (addedUserIds.length === 0) {
+        return NextResponse.json({ added: 0, moved: 0 })
+      }
+
       logger.info('Bulk added members to permission group', {
         permissionGroupId: id,
         workspaceId,
-        addedCount: usersToAdd.length,
+        addedCount: addedUserIds.length,
         movedCount,
         assignedBy: session.user.id,
       })
@@ -164,16 +172,16 @@ export const POST = withRouteHandler(
         resourceName: group.name,
         actorName: session.user.name ?? undefined,
         actorEmail: session.user.email ?? undefined,
-        description: `Bulk added ${usersToAdd.length} member(s) to permission group "${group.name}"`,
+        description: `Bulk added ${addedUserIds.length} member(s) to permission group "${group.name}"`,
         metadata: {
           permissionGroupId: id,
-          addedUserIds: usersToAdd,
+          addedUserIds,
           movedCount,
         },
         request: req,
       })
 
-      return NextResponse.json({ added: usersToAdd.length, moved: movedCount })
+      return NextResponse.json({ added: addedUserIds.length, moved: movedCount })
     } catch (error) {
       if (error instanceof z.ZodError) {
         return NextResponse.json({ error: error.errors[0].message }, { status: 400 })

apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/route.ts

@@ -7,7 +7,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
-import { hasWorkspaceAccessControlAccess, isWorkspaceOnEnterprisePlan } from '@/lib/billing'
+import { isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { checkWorkspaceAccess, hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
@@ -99,8 +99,8 @@ export const POST = withRouteHandler(
         return NextResponse.json({ error: 'Admin permissions required' }, { status: 403 })
       }
 
-      const hasAccess = await hasWorkspaceAccessControlAccess(session.user.id, workspaceId)
-      if (!hasAccess) {
+      const entitled = await isWorkspaceOnEnterprisePlan(workspaceId)
+      if (!entitled) {
         return NextResponse.json(
           { error: 'Access Control is an Enterprise feature' },
           { status: 403 }
@@ -244,8 +244,8 @@ export const DELETE = withRouteHandler(
         return NextResponse.json({ error: 'Admin permissions required' }, { status: 403 })
       }
 
-      const hasAccess = await hasWorkspaceAccessControlAccess(session.user.id, workspaceId)
-      if (!hasAccess) {
+      const entitled = await isWorkspaceOnEnterprisePlan(workspaceId)
+      if (!entitled) {
         return NextResponse.json(
           { error: 'Access Control is an Enterprise feature' },
           { status: 403 }

apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/route.ts

@@ -6,7 +6,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
-import { hasWorkspaceAccessControlAccess, isWorkspaceOnEnterprisePlan } from '@/lib/billing'
+import { isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import {
   type PermissionGroupConfig,
@@ -105,8 +105,8 @@ export const PUT = withRouteHandler(
         return NextResponse.json({ error: 'Admin permissions required' }, { status: 403 })
       }
 
-      const hasAccess = await hasWorkspaceAccessControlAccess(session.user.id, workspaceId)
-      if (!hasAccess) {
+      const entitled = await isWorkspaceOnEnterprisePlan(workspaceId)
+      if (!entitled) {
         return NextResponse.json(
           { error: 'Access Control is an Enterprise feature' },
           { status: 403 }
@@ -234,8 +234,8 @@ export const DELETE = withRouteHandler(
         return NextResponse.json({ error: 'Admin permissions required' }, { status: 403 })
       }
 
-      const hasAccess = await hasWorkspaceAccessControlAccess(session.user.id, workspaceId)
-      if (!hasAccess) {
+      const entitled = await isWorkspaceOnEnterprisePlan(workspaceId)
+      if (!entitled) {
         return NextResponse.json(
           { error: 'Access Control is an Enterprise feature' },
           { status: 403 }

apps/sim/app/api/workspaces/[workspaceId]/permission-groups/route.ts

@@ -7,7 +7,7 @@ import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
-import { hasWorkspaceAccessControlAccess, isWorkspaceOnEnterprisePlan } from '@/lib/billing'
+import { isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import {
   DEFAULT_PERMISSION_GROUP_CONFIG,
@@ -103,8 +103,8 @@ export const POST = withRouteHandler(
         return NextResponse.json({ error: 'Admin permissions required' }, { status: 403 })
       }
 
-      const hasAccess = await hasWorkspaceAccessControlAccess(session.user.id, workspaceId)
-      if (!hasAccess) {
+      const entitled = await isWorkspaceOnEnterprisePlan(workspaceId)
+      if (!entitled) {
         return NextResponse.json(
           { error: 'Access Control is an Enterprise feature' },
           { status: 403 }

apps/sim/app/workspace/[workspaceId]/settings/components/credentials/credentials-manager.tsx

@@ -399,12 +399,7 @@ export function CredentialsManager() {
   const { data: workspacePermissions } = useWorkspacePermissionsQuery(workspaceId || null)
   const queryClient = useQueryClient()
 
-  const isWorkspaceAdmin = useMemo(() => {
-    const userId = session?.user?.id
-    if (!userId || !workspacePermissions?.users) return false
-    const currentUser = workspacePermissions.users.find((user) => user.userId === userId)
-    return currentUser?.permissionType === 'admin'
-  }, [session?.user?.id, workspacePermissions?.users])
+  const isWorkspaceAdmin = workspacePermissions?.viewer?.isAdmin ?? false
 
   const isLoading = isPersonalLoading || isWorkspaceLoading
   const variables = useMemo(() => personalEnvData || {}, [personalEnvData])

apps/sim/app/workspace/[workspaceId]/settings/components/subscription/subscription.tsx

@@ -345,9 +345,10 @@ export function Subscription() {
   const isCritical = isBlocked || usage.percentUsed >= USAGE_THRESHOLDS.CRITICAL
 
   const billedAccountUserId = workspaceData?.settings?.workspace?.billedAccountUserId ?? null
+  const workspaceMode = workspaceData?.settings?.workspace?.workspaceMode ?? null
   const isOrganizationWorkspace =
-    workspaceData?.settings?.workspace?.organizationId != null &&
-    workspaceData?.settings?.workspace?.workspaceMode === 'organization'
+    workspaceData?.settings?.workspace?.organizationId != null && workspaceMode === 'organization'
+  const isGrandfatheredSharedWorkspace = workspaceMode === 'grandfathered_shared'
   const workspaceAdmins: WorkspaceAdmin[] =
     workspaceData?.permissions?.users?.filter(
       (user: WorkspaceAdmin) => user.permissionType === 'admin'
@@ -1073,7 +1074,7 @@ export function Subscription() {
               </>
             )}
 
-          {!isLoading && isTeamAdmin && !isOrganizationWorkspace && (
+          {!isLoading && isTeamAdmin && isGrandfatheredSharedWorkspace && (
             <div className='flex items-center justify-between gap-4'>
               <div className='flex items-center gap-1.5'>
                 <Label htmlFor='billed-account'>Billed Account</Label>

apps/sim/ee/access-control/components/access-control.tsx

@@ -25,7 +25,6 @@ import {
   Switch,
 } from '@/components/emcn'
 import { Input as BaseInput } from '@/components/ui'
-import { useSession } from '@/lib/auth/auth-client'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import type { PermissionGroupConfig } from '@/lib/permission-groups/types'
 import { getUserColor } from '@/lib/workspaces/colors'
@@ -245,7 +244,6 @@ function AccessControlSkeleton() {
 }
 
 export function AccessControl() {
-  const { data: session } = useSession()
   const params = useParams()
   const workspaceId = typeof params?.workspaceId === 'string' ? params.workspaceId : undefined
 
@@ -259,12 +257,7 @@ export function AccessControl() {
   const { data: userPermissionConfig, isPending: entitlementLoading } =
     useUserPermissionConfig(workspaceId)
 
-  const currentUserIsWorkspaceAdmin = useMemo(() => {
-    if (!workspacePermissionsData || !session?.user?.id) return false
-    return workspacePermissionsData.users.some(
-      (u) => u.userId === session.user?.id && u.permissionType === 'admin'
-    )
-  }, [workspacePermissionsData, session?.user?.id])
+  const currentUserIsWorkspaceAdmin = workspacePermissionsData?.viewer?.isAdmin ?? false
 
   const accessControlEnabledLocally = isTruthy(getEnv('NEXT_PUBLIC_ACCESS_CONTROL_ENABLED'))
   const isEntitled = accessControlEnabledLocally || !!userPermissionConfig?.entitled

apps/sim/hooks/queries/workspace.ts

@@ -253,10 +253,22 @@ export interface WorkspaceUser {
   permissionType: 'admin' | 'write' | 'read'
 }
 
+/** Viewer context for a workspace permissions response. */
+export interface WorkspacePermissionsViewer {
+  userId: string
+  /**
+   * Mirrors the server's `hasWorkspaceAdminAccess` check: true when the caller is the workspace
+   * owner, an explicit workspace admin, or an organization owner/admin of an organization-owned
+   * workspace. Use this instead of scanning `users` for a `permissionType === 'admin'` row.
+   */
+  isAdmin: boolean
+}
+
 /** Workspace permissions data containing all users and their access levels. */
 export interface WorkspacePermissions {
   users: WorkspaceUser[]
   total: number
+  viewer?: WorkspacePermissionsViewer
 }
 
 async function fetchWorkspacePermissions(