fix(tables): verify workflow belongs to table's workspace before binding #5397
Add a check that a table workflow group's workflowId resolves to an active workflow in the table's own workspace, in both the create and update handlers, before it is persisted.
PR Summary
Medium Risk
Overview
Validation runs only when a workflow is actually supplied: POST when New Vitest coverage in
Reviewed by Cursor Bugbot for commit b75971f.
Greptile Summary
This PR adds a workspace-ownership check before persisting a
Confidence Score: 5/5
Safe to merge. The change is a targeted guard that adds one extra DB lookup per POST/PATCH when a workflowId is supplied; all existing behaviour is preserved.
The fix is minimal and well-contained: a single helper called in two places, both guarded by the existing schema constraints (workflowId is either a non-empty string or undefined/empty-default, so neither handler can pass a blank string into the check). The skip conditions — empty workflowId for enrichment groups and undefined workflowId for PATCH no-ops — are correct and tested. The test suite covers all four paths per handler and mocks are properly scoped. No files require special attention.
Important Files Changed
Reviews (3): Last reviewed commit: "fix(tables): reorder JSDoc for mapWorkfl..."
Greptile flagged the JSDoc for mapWorkflowGroupError as orphaned after validateWorkflowInWorkspace was inserted between the comment and the function it documented. Move the comment back above its function.
Fixed — moved the
@cursor review
✅ Bugbot reviewed your changes and found no new issues!
Reviewed by Cursor Bugbot for commit b75971f.
Summary
workflowId resolves to an active workflow in the table's own workspace before it's persisted onto the group.
Type of Change
Testing
apps/sim/app/api/table/[tableId]/groups/route.test.ts covering: rejection on a different-workspace workflowId, rejection on a nonexistent workflowId, success for same-workspace workflowId (POST + PATCH), and no-op when workflowId isn't being changed.
bun run check:api-validation passes.
apps/sim/app/api/table/** test suite passes (107/107).
Checklist
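The workspace-ownership guard this PR describes, sketched as an added example that is not the project's code or the PR's diff: it exercises the four paths listed under Testing against an in-memory store. All type and function names, the `archived` flag standing in for "active", and the sample rows are assumptions.

```typescript
// Added illustration. Every name and shape below is hypothetical, not the project's code.
type Workflow = { id: string; workspaceId: string; archived: boolean }
type Table = { id: string; workspaceId: string }
type Check = { ok: boolean; error?: string }

// Constructed sample rows standing in for the workflow table.
const workflowRows: Workflow[] = [
  { id: 'wf-a1', workspaceId: 'ws-a', archived: false },
  { id: 'wf-a2', workspaceId: 'ws-a', archived: true },
  { id: 'wf-b1', workspaceId: 'ws-b', archived: false },
]

// Core guard: the ID must resolve to an active workflow in the expected workspace.
function checkWorkflowInWorkspace(workflowId: string, workspaceId: string): Check {
  const wf: Workflow | undefined = workflowRows.filter((w) => w.id === workflowId)[0]
  // One error for missing, archived and foreign-workspace IDs, so the response
  // does not reveal whether an ID exists in another workspace (a choice made here).
  if (!wf || wf.archived || wf.workspaceId !== workspaceId) {
    return { ok: false, error: 'Workflow not found in this workspace' }
  }
  return { ok: true }
}

// Create path: an empty workflowId means no workflow is bound, so nothing to check.
// The workspace comes from the stored table row, never from the request body.
function guardCreate(table: Table, body: { workflowId?: string }): Check {
  if (!body.workflowId) return { ok: true }
  return checkWorkflowInWorkspace(body.workflowId, table.workspaceId)
}

// Update path: an absent workflowId means the binding is not being changed.
function guardUpdate(table: Table, patch: { workflowId?: string }): Check {
  if (patch.workflowId === undefined) return { ok: true }
  return checkWorkflowInWorkspace(patch.workflowId, table.workspaceId)
}

// Stand-alone run over the constructed data.
const sampleTable: Table = { id: 'tbl-1', workspaceId: 'ws-a' }
for (const id of ['wf-a1', 'wf-a2', 'wf-b1', 'wf-missing', '']) {
  console.log(JSON.stringify(id), guardCreate(sampleTable, { workflowId: id }))
}
console.log('patch without workflowId', guardUpdate(sampleTable, {}))
```

In a real handler the lookup would be an asynchronous database query; it is synchronous here only so the example runs offline.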