Skip to content

fix(permissions): add client-side permissions validation to prevent unauthorized actions, upgraded custom tool modal#2130

Merged
waleedlatif1 merged 4 commits intostagingfrom
fix/perms
Nov 28, 2025
Merged

fix(permissions): add client-side permissions validation to prevent unauthorized actions, upgraded custom tool modal#2130
waleedlatif1 merged 4 commits intostagingfrom
fix/perms

Conversation

@waleedlatif1
Copy link
Collaborator

@waleedlatif1 waleedlatif1 commented Nov 28, 2025

Summary

  • add client-side permissions validation to prevent unauthorized actions
  • upgraded custom tool modal with better error messages and syntax highlighting and a better wand prompt

Type of Change

  • Bug fix
  • New feature

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@waleedlatif1
fix(permissions): add client-side permissions validation to prevent u…
c011fe8 
…nauthorized actions, upgraded custom tool modal
@vercel
Copy link

vercel bot commented Nov 28, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Preview Comments Updated (UTC)
docs Skipped Skipped Nov 28, 2025 8:24pm

@greptile-apps
Copy link
Contributor

greptile-apps bot commented Nov 28, 2025
edited
Loading

Greptile Overview

Greptile Summary

This PR adds client-side permissions validation to prevent unauthorized actions and improves the custom tool modal UX.

Key Changes:

  • Added disableExport, disableRename, disableDuplicate, and disableDelete props to ContextMenu component to support permission-based UI disabling
  • Connected workspace header and workspace selector components to check userPermissions.canEdit and userPermissions.canAdmin before enabling UI actions
  • Fixed regex highlighting bug in code editor by using placeholder substitution approach instead of direct regex replacement on HTML-tagged content
  • Improved custom tool modal AI prompts with better examples and clearer instructions for parameter referencing
  • Enhanced error messages in custom tool modal to provide specific feedback (e.g., function name change restrictions)
  • Updated API route to return actual error messages instead of generic messages
  • Fixed React SVG attribute from clip-path to clipPath in icon components

Confidence Score: 5/5

  • This PR is safe to merge with well-implemented client-side permission checks and improved UX
  • All changes are defensive in nature (adding permission checks rather than removing them), the code editor fix properly addresses the previous regex bug using a sound placeholder approach, and the improvements to error messages and prompts enhance user experience without introducing security risks
  • No files require special attention

Important Files Changed

File Analysis

Filename Score Overview
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components-new/workflow-list/components/context-menu/context-menu.tsx 5/5 Added disable props for menu items to support permissions-based UI disabling
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components-new/workspace-header/workspace-header.tsx 5/5 Connected context menu with user permissions to disable actions based on access level
apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/workspace-selector/workspace-selector.tsx 5/5 Added admin permission check to workspace export button with appropriate tooltip
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/code-editor/code-editor.tsx 5/5 Fixed regex highlighting by using placeholder substitution to avoid HTML tag conflicts
apps/sim/app/workspace/[workspaceId]/w/[workflowId]/components/panel/components/editor/components/sub-block/components/tool-input/components/custom-tool-modal/custom-tool-modal.tsx 5/5 Improved AI prompts and error messages, cleaned up code comments, added better error handling for function name changes

Sequence Diagram

sequenceDiagram
    participant User
    participant UI as UI Component
    participant Permissions as Permission System
    participant ContextMenu
    participant API as Custom Tools API

    Note over User,API: Client-Side Permission Validation Flow
    
    User->>UI: Attempt workspace action (rename/duplicate/export/delete)
    UI->>Permissions: Check userPermissions.canEdit/canAdmin
    
    alt Has Permission
        Permissions-->>UI: Permission granted
        UI->>ContextMenu: Enable menu item
        User->>ContextMenu: Click action
        ContextMenu->>API: Execute action
        API-->>User: Action successful
    else No Permission
        Permissions-->>UI: Permission denied
        UI->>ContextMenu: Disable menu item (disabled=true)
        Note over User,ContextMenu: Menu item appears grayed out
        User->>ContextMenu: Click disabled item
        ContextMenu->>ContextMenu: Check if disabled before executing
        ContextMenu-->>User: No action (prevented client-side)
    end

    Note over User,API: Custom Tool Modal Enhancement Flow
    
    User->>UI: Open custom tool modal
    UI->>User: Display improved UI with syntax highlighting
    
    User->>UI: Request AI generation (wand button)
    UI->>API: Generate code with improved prompts
    API-->>UI: Return generated code
    UI->>User: Display with better formatting
    
    User->>UI: Submit invalid tool
    UI->>API: Attempt save
    API-->>UI: Return specific error message
    UI->>User: Display detailed error (e.g., "Cannot change function name")
Loading

greptile-apps[bot]
greptile-apps bot reviewed Nov 28, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

10 files reviewed, 1 comment

Edit Code Review Agent Settings | Greptile

@waleedlatif1
Copy link
Collaborator Author

waleedlatif1 commented Nov 28, 2025

@greptile

greptile-apps[bot]
greptile-apps bot reviewed Nov 28, 2025
View reviewed changes
Copy link
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

10 files reviewed, no comments

Edit Code Review Agent Settings | Greptile

@waleedlatif1 waleedlatif1 merged commit a10e1a6 into staging Nov 28, 2025
5 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/perms branch November 28, 2025 20:24
@waleedlatif1 waleedlatif1 mentioned this pull request Nov 28, 2025
Merged
waleedlatif1 added a commit that referenced this pull request Nov 29, 2025
@waleedlatif1 @icecrasher321
v0.5.12: memory optimizations, sentry, incidentio, posthog, zendesk, …
1d08796 
…pylon, intercom, mailchimp, loading optimizations (#2132)

* fix(memory-util): fixed unbounded array of gmail/outlook pollers causing high memory util, added missing db indexes/removed unused ones, auto-disable schedules/webhooks after 10 consecutive failures (#2115)

* fix(memory-util): fixed unbounded array of gmail/outlook pollers causing high memory util, added missing db indexes/removed unused ones, auto-disable schedules/webhooks after 10 consecutive failures

* ack PR comments

* ack

* improvement(teams-plan): seats increase simplification + not triggering checkout session (#2117)

* improvement(teams-plan): seats increase simplification + not triggering checkout session

* cleanup via helper

* feat(tools): added sentry, incidentio, and posthog tools (#2116)

* feat(tools): added sentry, incidentio, and posthog tools

* update docs

* fixed docs to use native fumadocs for llms.txt and copy markdown, fixed tool issues

* cleanup

* enhance error extractor, fixed posthog tools

* docs enhancements, cleanup

* added more incident io ops, remove zustand/shallow in favor of zustand/react/shallow

* fix type errors

* remove unnecessary comments

* added vllm to docs

* feat(i18n): update translations (#2120)

* feat(i18n): update translations

* fix build

---------

Co-authored-by: waleedlatif1 <[email protected]>

* improvement(workflow-execution): perf improvements to passing workflow state + decrypted env vars (#2119)

* improvement(execution): load workflow state once instead of 2-3 times

* decrypt only in get helper

* remove comments

* remove comments

* feat(models): host google gemini models (#2122)

* feat(models): host google gemini models

* remove unused primary key

* feat(i18n): update translations (#2123)

Co-authored-by: waleedlatif1 <[email protected]>

* feat(tools): added zendesk, pylon, intercom, & mailchimp (#2126)

* feat(tools): added zendesk, pylon, intercom, & mailchimp

* finish zendesk and pylon

* updated docs

* feat(i18n): update translations (#2129)

* feat(i18n): update translations

* fixed build

---------

Co-authored-by: waleedlatif1 <[email protected]>

* fix(permissions): add client-side permissions validation to prevent unauthorized actions, upgraded custom tool modal (#2130)

* fix(permissions): add client-side permissions validation to prevent unauthorized actions, upgraded custom tool modal

* fix failing test

* fix test

* cleanup

* fix(custom-tools): add composite index on custom tool names & workspace id (#2131)

---------

Co-authored-by: Vikhyath Mondreti <[email protected]>
Co-authored-by: waleedlatif1 <[email protected]>
DarkShark-RAz pushed a commit to DarkShark-RAz/sim that referenced this pull request Nov 30, 2025
@waleedlatif1 @DarkShark-RAz
fix(permissions): add client-side permissions validation to prevent u…
504516f 
…nauthorized actions, upgraded custom tool modal (simstudioai#2130)

* fix(permissions): add client-side permissions validation to prevent unauthorized actions, upgraded custom tool modal

* fix failing test

* fix test

* cleanup
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@waleedlatif1

Comments