fix(tables): verify workflow belongs to table's workspace before binding #5397

Merged: waleedlatif1 merged 2 commits into staging from fix/table-workflow-group-workspace-check, Jul 3, 2026

@waleedlatif1

Collaborator

Summary

  • Added a check in the table workflow-group POST and PATCH handlers that verifies a supplied workflowId resolves to an active workflow in the table's own workspace before it's persisted onto the group.
  • Rejects with 400 when the workflow doesn't exist or belongs to a different workspace.

Type of Change

  • Bug fix

Testing

  • Added apps/sim/app/api/table/[tableId]/groups/route.test.ts covering: rejection on a different-workspace workflowId, rejection on a nonexistent workflowId, success for same-workspace workflowId (POST + PATCH), and no-op when workflowId isn't being changed.
  • bun run check:api-validation passes.
  • Full apps/sim/app/api/table/** test suite passes (107/107).
  • Typecheck and lint clean.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Add a check that a table workflow group's workflowId resolves to an
active workflow in the table's own workspace, in both the create and
update handlers, before it is persisted.

@vercel

vercel Bot commented Jul 3, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 3, 2026 9:22pm

@cursor

cursor Bot commented Jul 3, 2026

PR Summary

Medium Risk
Tightens authorization on table–workflow binding using existing platform authz; behavior change is limited to invalid cross-workspace IDs but touches write APIs users rely on for table automation.

Overview
POST and PATCH on api/table/[tableId]/groups now call validateWorkflowInWorkspace (via getActiveWorkflowContext) before addWorkflowGroup / updateWorkflowGroup persist a workflowId. Missing workflows or workflows in another workspace return 400 with Invalid workflow ID.

Validation runs only when a workflow is actually supplied: POST when group.workflowId is truthy, PATCH when workflowId is present in the body. Enrichment groups with no workflowId and PATCH updates that only change other fields skip the lookup.

New Vitest coverage in route.test.ts exercises cross-workspace rejection, missing workflow rejection, same-workspace success, and the skip paths for POST and PATCH.

Reviewed by Cursor Bugbot for commit b75971f.

@greptile-apps

greptile-apps Bot commented Jul 3, 2026

Contributor

Greptile Summary

This PR adds a workspace-ownership check before persisting a workflowId onto a table workflow group. Without this check, a caller could bind a workflow from a different workspace to a table by supplying a foreign workflow ID in the POST or PATCH body.

  • route.ts: Introduces validateWorkflowInWorkspace, a small helper that calls getActiveWorkflowContext and returns a 400 if the resolved workflow is missing or belongs to a different workspace. Both the POST and PATCH handlers invoke this check when a workflowId is being set or changed, while correctly skipping it for enrichment groups (empty workflowId) or PATCH requests that don't touch workflowId at all.
  • route.test.ts: New test file covering all four cases per handler — rejection on cross-workspace ID, rejection on non-existent ID, acceptance on same-workspace ID, and the no-op skip path.

Confidence Score: 5/5

Safe to merge. The change is a targeted guard that adds one extra DB lookup per POST/PATCH when a workflowId is supplied; all existing behaviour is preserved.

The fix is minimal and well-contained: a single helper called in two places, both guarded by the existing schema constraints (workflowId is either a non-empty string or undefined/empty-default, so neither handler can pass a blank string into the check). The skip conditions — empty workflowId for enrichment groups and undefined workflowId for PATCH no-ops — are correct and tested. The test suite covers all four paths per handler and mocks are properly scoped.

No files require special attention.

Important Files Changed

Filename | Overview
apps/sim/app/api/table/[tableId]/groups/route.ts | Adds workspace-ownership validation for workflowId in POST and PATCH handlers via new validateWorkflowInWorkspace helper; skip logic is correct for enrichment groups and PATCH no-ops.
apps/sim/app/api/table/[tableId]/groups/route.test.ts | New test file covering all four cross-workspace/missing/valid/no-op scenarios for both POST and PATCH; mocks are correctly scoped per describe block.

Reviews (3): Last reviewed commit: "fix(tables): reorder JSDoc for mapWorkfl..."
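
The guard that the two review summaries above describe, as an added TypeScript example (not the project's route.ts). The names `checkWorkflowInWorkspace`, `lookupActiveWorkflow`, `checkCreate` and `checkUpdate`, the `archived` flag as the meaning of "active", and the sample IDs are all assumptions; the lookup is synchronous and in-memory so the block runs offline.

```typescript
// Added example: hypothetical names and shapes, not the project's own code.
type Workflow = { id: string; workspaceId: string; archived: boolean }
type Check = { ok: true } | { ok: false; status: 400; error: string }

// Constructed sample rows standing in for the workflow table.
const WORKFLOWS = new Map<string, Workflow>([
  ['wf-a1', { id: 'wf-a1', workspaceId: 'ws-a', archived: false }],
  ['wf-a2', { id: 'wf-a2', workspaceId: 'ws-a', archived: true }],
  ['wf-b1', { id: 'wf-b1', workspaceId: 'ws-b', archived: false }],
])

// Resolve an id to an active workflow, or null (hypothetical lookup).
function lookupActiveWorkflow(id: string): Workflow | null {
  const wf = WORKFLOWS.get(id)
  return wf && !wf.archived ? wf : null
}

// tableWorkspaceId must come from the table record loaded server-side,
// never from the request body. "Missing" and "other workspace" get the
// same 400, so the response does not reveal whether a foreign id exists.
function checkWorkflowInWorkspace(workflowId: string, tableWorkspaceId: string): Check {
  const wf = lookupActiveWorkflow(workflowId)
  if (!wf || wf.workspaceId !== tableWorkspaceId) {
    return { ok: false, status: 400, error: 'Invalid workflow ID' }
  }
  return { ok: true }
}

// POST: enrichment groups carry no workflowId, so only truthy ids are checked.
function checkCreate(tableWorkspaceId: string, group: { workflowId?: string }): Check {
  return group.workflowId
    ? checkWorkflowInWorkspace(group.workflowId, tableWorkspaceId)
    : { ok: true }
}

// PATCH: check only when the body actually sets workflowId.
function checkUpdate(tableWorkspaceId: string, body: { workflowId?: string; name?: string }): Check {
  return body.workflowId !== undefined
    ? checkWorkflowInWorkspace(body.workflowId, tableWorkspaceId)
    : { ok: true }
}
```

Run the check before the persistence call in both handlers, so a rejected ID is never written onto the group.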

Greptile flagged the JSDoc for mapWorkflowGroupError as orphaned after
validateWorkflowInWorkspace was inserted between the comment and the
function it documented. Move the comment back above its function.

@waleedlatif1

Collaborator Author

Fixed — moved the validateWorkflowInWorkspace JSDoc back so mapWorkflowGroupError's original comment sits directly above it again. Pushed in b75971f.

@waleedlatif1

Collaborator Author

@greptile

@waleedlatif1

Collaborator Author

@cursor review

@cursor cursor Bot left a comment

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit b75971f.

@waleedlatif1 waleedlatif1 merged commit 6bc70cb into staging Jul 3, 2026
18 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/table-workflow-group-workspace-check branch July 3, 2026 21:38
@waleedlatif1

Collaborator Author

@greptile
