fix(tool-input): keep block-tool params selected across store replace

Author: icecrasher321

apps/sim/app/api/files/authorization.ts

@@ -28,6 +28,21 @@ interface AuthorizationResult {
   workspaceId?: string
 }
 
+type WorkspacePermission = 'read' | 'write' | 'admin'
+
+/**
+ * Whether a resolved workspace permission satisfies a file operation. Read and
+ * download paths accept any membership; destructive operations (`requireWrite`)
+ * require write or admin, matching the permission needed to create the file.
+ */
+function workspacePermissionSatisfies(
+  permission: WorkspacePermission | null,
+  requireWrite: boolean
+): boolean {
+  if (permission === null) return false
+  return requireWrite ? permission === 'write' || permission === 'admin' : true
+}
+
 /**
  * Lookup workspace file by storage key from database
  * @param key Storage key to lookup
@@ -117,11 +132,13 @@ export async function verifyFileAccess(
   userId: string,
   customConfig?: StorageConfig,
   context?: StorageContext | 'general',
-  isLocal?: boolean
+  isLocal?: boolean,
+  options?: { requireWrite?: boolean }
 ): Promise<boolean> {
+  const requireWrite = options?.requireWrite ?? false
   try {
     if (context === 'general') {
-      return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal)
+      return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite)
     }
 
     // Infer context from key if not explicitly provided
@@ -139,12 +156,12 @@ export async function verifyFileAccess(
 
     // 1. Workspace / mothership files: Check database first (most reliable for both local and cloud)
     if (inferredContext === 'workspace' || inferredContext === 'mothership') {
-      return await verifyWorkspaceFileAccess(cloudKey, userId, customConfig, isLocal)
+      return await verifyWorkspaceFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite)
     }
 
     // 2. Execution files: workspace_id/workflow_id/execution_id/filename
     if (inferredContext === 'execution') {
-      return await verifyExecutionFileAccess(cloudKey, userId, customConfig)
+      return await verifyExecutionFileAccess(cloudKey, userId, customConfig, requireWrite)
     }
 
     // 3. Copilot files: Check database first, then metadata, then path pattern (legacy)
@@ -159,12 +176,12 @@ export async function verifyFileAccess(
 
     // 5. Chat files: chat/filename
     if (inferredContext === 'chat') {
-      return await verifyChatFileAccess(cloudKey, userId, customConfig)
+      return await verifyChatFileAccess(cloudKey, userId, customConfig, requireWrite)
     }
 
     // 6. Regular uploads: UUID-filename or timestamp-filename
     // Check metadata for userId/workspaceId, or database for workspace files
-    return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal)
+    return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite)
   } catch (error) {
     logger.error('Error verifying file access:', { cloudKey, userId, error })
     // Deny access on error to be safe
@@ -180,7 +197,8 @@ async function verifyWorkspaceFileAccess(
   cloudKey: string,
   userId: string,
   customConfig?: StorageConfig,
-  isLocal?: boolean
+  isLocal?: boolean,
+  requireWrite = false
 ): Promise<boolean> {
   try {
     const anyWorkspaceFileRecord = await getFileMetadataByKey(cloudKey, 'workspace', {
@@ -202,7 +220,7 @@ async function verifyWorkspaceFileAccess(
         'workspace',
         workspaceFileRecord.workspaceId
       )
-      if (permission !== null) {
+      if (workspacePermissionSatisfies(permission, requireWrite)) {
         logger.debug('Workspace file access granted (database lookup)', {
           userId,
           workspaceId: workspaceFileRecord.workspaceId,
@@ -225,7 +243,7 @@ async function verifyWorkspaceFileAccess(
 
     if (workspaceId) {
       const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
-      if (permission !== null) {
+      if (workspacePermissionSatisfies(permission, requireWrite)) {
         logger.debug('Workspace file access granted (metadata)', {
           userId,
           workspaceId,
@@ -257,7 +275,8 @@ async function verifyWorkspaceFileAccess(
 async function verifyExecutionFileAccess(
   cloudKey: string,
   userId: string,
-  customConfig?: StorageConfig
+  customConfig?: StorageConfig,
+  requireWrite = false
 ): Promise<boolean> {
   const parts = cloudKey.split('/')
 
@@ -285,7 +304,7 @@ async function verifyExecutionFileAccess(
   }
 
   const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
-  if (permission === null) {
+  if (!workspacePermissionSatisfies(permission, requireWrite)) {
     logger.warn('User does not have workspace access for execution file', {
       userId,
       workspaceId,
@@ -502,7 +521,8 @@ export async function verifyKBFileWriteAccess(cloudKey: string, userId: string):
 async function verifyChatFileAccess(
   cloudKey: string,
   userId: string,
-  customConfig?: StorageConfig
+  customConfig?: StorageConfig,
+  requireWrite = false
 ): Promise<boolean> {
   try {
     const config: StorageConfig = customConfig || (await getChatStorageConfig())
@@ -516,7 +536,7 @@ async function verifyChatFileAccess(
     }
 
     const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
-    if (permission === null) {
+    if (!workspacePermissionSatisfies(permission, requireWrite)) {
       logger.warn('User does not have workspace access for chat file', {
         userId,
         workspaceId,
@@ -542,7 +562,8 @@ async function verifyRegularFileAccess(
   cloudKey: string,
   userId: string,
   customConfig?: StorageConfig,
-  isLocal?: boolean
+  isLocal?: boolean,
+  requireWrite = false
 ): Promise<boolean> {
   try {
     // Priority 1: Check if this might be a workspace file (check database)
@@ -554,7 +575,7 @@ async function verifyRegularFileAccess(
         'workspace',
         workspaceFileRecord.workspaceId
       )
-      if (permission !== null) {
+      if (workspacePermissionSatisfies(permission, requireWrite)) {
         logger.debug('Regular file access granted (workspace file from database)', {
           userId,
           workspaceId: workspaceFileRecord.workspaceId,
@@ -589,7 +610,7 @@ async function verifyRegularFileAccess(
     // If file has workspaceId, verify workspace membership
     if (workspaceId) {
       const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
-      if (permission !== null) {
+      if (workspacePermissionSatisfies(permission, requireWrite)) {
         logger.debug('Regular file access granted (workspace membership)', {
           userId,
           workspaceId,

apps/sim/app/api/files/delete/route.ts

@@ -64,8 +64,10 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
       const storageContext: StorageContext = context || inferContextFromKey(key)
 
-      // KB deletes are binding-only and require write/admin on the owning workspace;
-      // they never use the transitional read fallback that file serving allows.
+      // Deletes require write/admin on the owning workspace (owner-scoped files
+      // like copilot/regular uploads still authorize by ownership). KB deletes
+      // are binding-only and never use the transitional read fallback that file
+      // serving allows.
       const hasAccess =
         storageContext === 'knowledge-base'
           ? await verifyKBFileWriteAccess(key, userId)
@@ -74,7 +76,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
               userId,
               undefined, // customConfig
               storageContext, // context
-              !hasCloudStorage() // isLocal
+              !hasCloudStorage(), // isLocal
+              { requireWrite: true }
             )
 
       if (!hasAccess) {

apps/sim/app/api/folders/[id]/route.ts

@@ -140,9 +140,9 @@ export const DELETE = withRouteHandler(
         existingFolder.workspaceId
       )
 
-      if (workspacePermission !== 'admin') {
+      if (!workspacePermission || workspacePermission === 'read') {
         return NextResponse.json(
-          { error: 'Admin access required to delete folders' },
+          { error: 'Write or Admin access required to delete folders' },
           { status: 403 }
         )
       }

apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/[chunkId]/route.ts

@@ -6,7 +6,7 @@ import { parseRequest } from '@/lib/api/server'
 import { getSession } from '@/lib/auth'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { deleteChunk, updateChunk } from '@/lib/knowledge/chunks/service'
-import { checkChunkAccess } from '@/app/api/knowledge/utils'
+import { checkChunkAccess, checkChunkWriteAccess } from '@/app/api/knowledge/utils'
 
 const logger = createLogger('ChunkByIdAPI')
 
@@ -75,7 +75,7 @@ export const PUT = withRouteHandler(
         return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
       }
 
-      const accessCheck = await checkChunkAccess(
+      const accessCheck = await checkChunkWriteAccess(
         knowledgeBaseId,
         documentId,
         chunkId,
@@ -147,7 +147,7 @@ export const DELETE = withRouteHandler(
         return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
       }
 
-      const accessCheck = await checkChunkAccess(
+      const accessCheck = await checkChunkWriteAccess(
         knowledgeBaseId,
         documentId,
         chunkId,

apps/sim/app/api/knowledge/utils.ts

@@ -435,3 +435,72 @@ export async function checkChunkAccess(
     knowledgeBase: kbAccess.knowledgeBase!,
   }
 }
+
+/**
+ * Check if a user has write access to a chunk.
+ *
+ * Mirrors `checkChunkAccess` but requires write/admin on the knowledge base's
+ * workspace (or KB ownership for legacy KBs), matching the permission needed to
+ * create chunks. Used for chunk mutation (update and delete) so those operations
+ * require the same permission as creation rather than read.
+ */
+export async function checkChunkWriteAccess(
+  knowledgeBaseId: string,
+  documentId: string,
+  chunkId: string,
+  userId: string
+): Promise<ChunkAccessCheck> {
+  const kbAccess = await checkKnowledgeBaseWriteAccess(knowledgeBaseId, userId)
+
+  if (!kbAccess.hasAccess) {
+    return {
+      hasAccess: false,
+      notFound: kbAccess.notFound,
+      reason: kbAccess.notFound ? 'Knowledge base not found' : 'Unauthorized knowledge base access',
+    }
+  }
+
+  const doc = await db
+    .select()
+    .from(document)
+    .where(
+      and(
+        eq(document.id, documentId),
+        eq(document.knowledgeBaseId, knowledgeBaseId),
+        eq(document.userExcluded, false),
+        isNull(document.archivedAt),
+        isNull(document.deletedAt)
+      )
+    )
+    .limit(1)
+
+  if (doc.length === 0) {
+    return { hasAccess: false, notFound: true, reason: 'Document not found' }
+  }
+
+  const docData = doc[0] as DocumentData
+
+  if (docData.processingStatus !== 'completed') {
+    return {
+      hasAccess: false,
+      reason: `Document is not ready for access (status: ${docData.processingStatus})`,
+    }
+  }
+
+  const chunk = await db
+    .select()
+    .from(embedding)
+    .where(and(eq(embedding.id, chunkId), eq(embedding.documentId, documentId)))
+    .limit(1)
+
+  if (chunk.length === 0) {
+    return { hasAccess: false, notFound: true, reason: 'Chunk not found' }
+  }
+
+  return {
+    hasAccess: true,
+    chunk: chunk[0] as EmbeddingData,
+    document: docData,
+    knowledgeBase: kbAccess.knowledgeBase!,
+  }
+}

apps/sim/app/api/mcp/servers/route.ts

@@ -134,10 +134,10 @@ export const POST = withRouteHandler(
 )
 
 /**
- * DELETE - Delete an MCP server from the workspace (requires admin permission)
+ * DELETE - Delete an MCP server from the workspace (requires write permission)
  */
 export const DELETE = withRouteHandler(
-  withMcpAuth('admin')(
+  withMcpAuth('write')(
     async (request: NextRequest, { userId, userName, userEmail, workspaceId, requestId }) => {
       try {
         const { searchParams } = new URL(request.url)

apps/sim/app/api/mcp/workflow-servers/[id]/route.ts

@@ -147,7 +147,7 @@ export const PATCH = withRouteHandler(
  * DELETE - Delete a workflow MCP server and all its tools
  */
 export const DELETE = withRouteHandler(
-  withMcpAuth<RouteParams>('admin')(
+  withMcpAuth<RouteParams>('write')(
     async (
       request: NextRequest,
       { userId, userName, userEmail, workspaceId, requestId },

apps/sim/app/api/schedules/route.ts

@@ -220,8 +220,8 @@ export const POST = withRouteHandler(async (req: NextRequest) => {
     const { workspaceId, title, prompt, cronExpression, timezone, lifecycle, maxRuns, startDate } =
       parsed.data.body
 
-    const hasPermission = await verifyWorkspaceMembership(session.user.id, workspaceId)
-    if (!hasPermission) {
+    const permission = await verifyWorkspaceMembership(session.user.id, workspaceId)
+    if (permission !== 'admin' && permission !== 'write') {
       return NextResponse.json({ error: 'Not authorized' }, { status: 403 })
     }
 

apps/sim/app/api/workflows/[id]/route.test.ts

@@ -397,7 +397,42 @@ describe('Workflow By ID API Route', () => {
       expect(data.error).toBe('Cannot delete the only workflow in the workspace')
     })
 
-    it.concurrent('should deny deletion for non-admin users', async () => {
+    it('should allow user with write permission to delete workflow', async () => {
+      const mockWorkflow = {
+        id: 'workflow-123',
+        userId: 'other-user',
+        name: 'Test Workflow',
+        workspaceId: 'workspace-456',
+      }
+
+      mockGetSession({ user: { id: 'user-123' } })
+
+      mockGetWorkflowById.mockResolvedValue(mockWorkflow)
+      mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
+        allowed: true,
+        status: 200,
+        workflow: mockWorkflow,
+        workspacePermission: 'write',
+      })
+
+      mockPerformDeleteWorkflow.mockResolvedValue({ success: true })
+
+      const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
+        method: 'DELETE',
+      })
+      const params = Promise.resolve({ id: 'workflow-123' })
+
+      const response = await DELETE(req, { params })
+
+      expect(response.status).toBe(200)
+      const data = await response.json()
+      expect(data.success).toBe(true)
+      expect(mockAuthorizeWorkflowByWorkspacePermission).toHaveBeenCalledWith(
+        expect.objectContaining({ workflowId: 'workflow-123', action: 'write' })
+      )
+    })
+
+    it.concurrent('should deny deletion for read-only users', async () => {
       const mockWorkflow = {
         id: 'workflow-123',
         userId: 'other-user',
@@ -411,9 +446,9 @@ describe('Workflow By ID API Route', () => {
       mockAuthorizeWorkflowByWorkspacePermission.mockResolvedValue({
         allowed: false,
         status: 403,
-        message: 'Unauthorized: Access denied to admin this workflow',
+        message: 'Unauthorized: Access denied to write this workflow',
         workflow: mockWorkflow,
-        workspacePermission: null,
+        workspacePermission: 'read',
       })
 
       const req = new NextRequest('http://localhost:3000/api/workflows/workflow-123', {
@@ -425,7 +460,7 @@ describe('Workflow By ID API Route', () => {
 
       expect(response.status).toBe(403)
       const data = await response.json()
-      expect(data.error).toBe('Unauthorized: Access denied to admin this workflow')
+      expect(data.error).toBe('Unauthorized: Access denied to write this workflow')
     })
   })