fix: apply admin workspace bypass to updateChatflow #1078

Merged
ct3685 merged 1 commit into staging from ct/fix-admin-update-chatflow-workspace
May 15, 2026
Conversation

@ct3685 ct3685 commented May 15, 2026

Root Cause

Same class of bug as PR #1075 but in updateChatflow.

The controller calls getChatflowById(id, req.user.activeWorkspaceId) before saving. The admin's activeWorkspaceId is their Personal Workspace — the template source chatflow lives in the Default Workspace — so the service query returns null and throws "not found in the database", blocking the save.

Fix

One line: admins skip the workspace filter in the lookup, same pattern as the GET controller.

const isAdmin = req.user?.roles?.includes('Admin') || req.user?.permissions?.includes('org:manage')
const chatflow = await chatflowsService.getChatflowById(req.params.id, isAdmin ? undefined : workspaceId)

The service still does org-scoped access — it just doesn't add a workspace filter to the SQL query for admins.

Test Plan

  • As an admin, open the default template canvas and save a change — should succeed
  • As a non-admin, saving a chatflow in a workspace they don't belong to should still be blocked

@ct3685 ct3685 added bug Something isn't working backend labels May 15, 2026
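
Added example, not part of the PR or the project's code: a minimal model of the lookup described in the PR description, showing why the admin's save failed before the change and which check still bounds the bypass afterwards. The in-memory `chatflows` array, `findChatflow`, the `organizationId` field and the sample users are assumptions made for illustration.

```javascript
// Constructed sample data: one template chatflow in the Default Workspace.
const chatflows = [
  { id: 'cf-template', organizationId: 'org-1', workspaceId: 'ws-default' }
]

// Hypothetical stand-in for the service lookup. The organization scope is
// always applied; the workspace filter is applied only when a workspaceId
// is passed (undefined means "no workspace filter").
function findChatflow(id, organizationId, workspaceId) {
  const row = chatflows.find(
    (c) =>
      c.id === id &&
      c.organizationId === organizationId &&
      (workspaceId === undefined || c.workspaceId === workspaceId)
  )
  return row ?? null
}

// Same predicate as the snippet in the PR description, coerced to a boolean.
function isAdminUser(user) {
  return Boolean(user?.roles?.includes('Admin') || user?.permissions?.includes('org:manage'))
}

// Before the change: every caller is filtered by their active workspace.
function lookupBefore(user, id) {
  return findChatflow(id, user.organizationId, user.activeWorkspaceId)
}

// After the change: admins skip the workspace filter, everyone else keeps it.
function lookupAfter(user, id) {
  const workspaceId = isAdminUser(user) ? undefined : user.activeWorkspaceId
  return findChatflow(id, user.organizationId, workspaceId)
}

// Constructed users covering the two test-plan cases plus a cross-org admin.
const admin = { roles: ['Admin'], organizationId: 'org-1', activeWorkspaceId: 'ws-personal-admin' }
const member = { roles: ['Member'], organizationId: 'org-1', activeWorkspaceId: 'ws-personal-member' }
const foreignAdmin = { roles: ['Admin'], organizationId: 'org-2', activeWorkspaceId: 'ws-other' }

console.log('admin, before:', lookupBefore(admin, 'cf-template'))        // null: the reported failure
console.log('admin, after:', lookupAfter(admin, 'cf-template')?.id)      // found
console.log('member, after:', lookupAfter(member, 'cf-template'))        // still blocked
console.log('other-org admin:', lookupAfter(foreignAdmin, 'cf-template')) // still blocked
```

In this model the organization check is the only boundary left for an admin once the workspace filter is skipped, so a regression test for the cross-organization case belongs next to the two cases in the test plan.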
vercel Bot commented May 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
answerai-docs Building Building Preview May 15, 2026 9:07pm
the-answerai Building Building Preview May 15, 2026 9:07pm

@ct3685 ct3685 merged commit 7b54a8b into staging May 15, 2026
5 of 8 checks passed
@ct3685 ct3685 deleted the ct/fix-admin-update-chatflow-workspace branch May 15, 2026 21:08
ct3685 added a commit that referenced this pull request May 15, 2026
## 🚀 Release: Staging to Production

**Release Date:** 2026-05-15

### Changes in this release

- fix: apply admin workspace bypass to updateChatflow (#1078) (7b54a8b)
- chore: add aws-crt dependency to package.json (88217c9)

---
*This PR is automatically created/updated when commits are pushed to
staging.*
*Merging this PR will trigger the release workflow to create a new
GitHub release.*

---------

Co-authored-by: Cameron Taylor <cameron@lastrev.com>
Co-authored-by: Cameron Taylor <50385537+ct3685@users.noreply.github.com>