fix(security): enforce write permission on target workspace in folder duplicate

MaxwellCalkin · claude · MaxwellCalkin · commit 27684e06a396 · 2026-03-08T22:30:51.000-04:00
The folder duplicate endpoint only checked permissions on the source
workspace. When a different workspaceId was provided in the request body,
folders (and their entire nested structure) were created in the target
workspace without verifying the user had write access to it.

The workflow duplicate helper (lib/workflows/persistence/duplicate.ts)
already enforces this check, but the folder duplicate route bypassed it
for folder creation.

Add a permission check on the target workspace when it differs from the
source, requiring write or admin access before proceeding. Add tests for
cross-workspace authorization scenarios.

&gt; **AI Disclosure:** This PR was authored by an AI (Claude, Anthropic).

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/folders/[id]/duplicate/route.test.ts b/apps/sim/app/api/folders/[id]/duplicate/route.test.ts
@@ -0,0 +1,238 @@
+/**
+ * Tests for folder duplicate API route (/api/folders/[id]/duplicate)
+ *
+ * @vitest-environment node
+ */
+import { auditMock, createMockRequest, type MockUser } from '@sim/testing'
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+
+const { mockGetSession, mockGetUserEntityPermissions, mockLogger, mockDbRef, mockDuplicateWorkflow } =
+  vi.hoisted(() => {
+    const logger = {
+      info: vi.fn(),
+      warn: vi.fn(),
+      error: vi.fn(),
+      debug: vi.fn(),
+      trace: vi.fn(),
+      fatal: vi.fn(),
+      child: vi.fn(),
+    }
+    return {
+      mockGetSession: vi.fn(),
+      mockGetUserEntityPermissions: vi.fn(),
+      mockLogger: logger,
+      mockDbRef: { current: null as any },
+      mockDuplicateWorkflow: vi.fn(),
+    }
+  })
+
+vi.mock('@/lib/audit/log', () => auditMock)
+vi.mock('@/lib/auth', () => ({
+  getSession: mockGetSession,
+}))
+vi.mock('@sim/logger', () => ({
+  createLogger: vi.fn().mockReturnValue(mockLogger),
+}))
+vi.mock('@/lib/workspaces/permissions/utils', () => ({
+  getUserEntityPermissions: mockGetUserEntityPermissions,
+}))
+vi.mock('@/lib/workflows/persistence/duplicate', () => ({
+  duplicateWorkflow: mockDuplicateWorkflow,
+}))
+vi.mock('@sim/db', () => ({
+  get db() {
+    return mockDbRef.current
+  },
+}))
+
+import { POST } from '@/app/api/folders/[id]/duplicate/route'
+
+const TEST_USER: MockUser = {
+  id: 'user-123',
+  email: 'test@example.com',
+  name: 'Test User',
+}
+
+const SOURCE_WORKSPACE_ID = 'workspace-source'
+const TARGET_WORKSPACE_ID = 'workspace-target'
+
+const mockFolder = {
+  id: 'folder-1',
+  name: 'Source Folder',
+  userId: TEST_USER.id,
+  workspaceId: SOURCE_WORKSPACE_ID,
+  parentId: null,
+  color: '#6B7280',
+  sortOrder: 1,
+  isExpanded: false,
+  createdAt: new Date('2024-01-01T00:00:00Z'),
+  updatedAt: new Date('2024-01-01T00:00:00Z'),
+}
+
+function createDuplicateDbMock(options: { folderLookupResult?: any; throwError?: boolean } = {}) {
+  const { folderLookupResult = mockFolder, throwError = false } = options
+
+  const mockSelect = vi.fn().mockImplementation(() => ({
+    from: vi.fn().mockImplementation(() => ({
+      where: vi.fn().mockImplementation(() => ({
+        then: vi.fn().mockImplementation((callback) => {
+          if (throwError) {
+            throw new Error('Database error')
+          }
+          const result = folderLookupResult ? [folderLookupResult] : []
+          return Promise.resolve(callback(result))
+        }),
+      })),
+    })),
+  }))
+
+  const mockTransactionInsert = vi.fn().mockReturnValue({
+    values: vi.fn().mockResolvedValue(undefined),
+  })
+
+  const minSelectMock = vi.fn().mockReturnValue({
+    from: vi.fn().mockReturnValue({
+      where: vi.fn().mockResolvedValue([{ minSortOrder: 0 }]),
+    }),
+  })
+
+  const txMock = {
+    select: minSelectMock,
+    insert: mockTransactionInsert,
+  }
+
+  const mockTransaction = vi.fn().mockImplementation(async (fn: any) => {
+    return fn(txMock)
+  })
+
+  return {
+    select: mockSelect,
+    transaction: mockTransaction,
+  }
+}
+
+function mockAuthenticatedUser(user?: MockUser) {
+  mockGetSession.mockResolvedValue({ user: user || TEST_USER })
+}
+
+function mockUnauthenticated() {
+  mockGetSession.mockResolvedValue(null)
+}
+
+describe('Folder Duplicate API Route', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockGetUserEntityPermissions.mockResolvedValue('admin')
+    mockDbRef.current = createDuplicateDbMock()
+    mockDuplicateWorkflow.mockResolvedValue({
+      id: 'new-workflow-1',
+      name: 'Duplicated Workflow',
+    })
+  })
+
+  describe('POST /api/folders/[id]/duplicate', () => {
+    it('should reject unauthenticated requests', async () => {
+      mockUnauthenticated()
+
+      const req = createMockRequest('POST', {
+        name: 'Duplicate Folder',
+      })
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const response = await POST(req as any, { params })
+
+      expect(response.status).toBe(401)
+    })
+
+    it('should reject when user has read-only access to source workspace', async () => {
+      mockAuthenticatedUser()
+      mockGetUserEntityPermissions.mockResolvedValue('read')
+
+      const req = createMockRequest('POST', {
+        name: 'Duplicate Folder',
+      })
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const response = await POST(req as any, { params })
+
+      expect(response.status).toBe(403)
+    })
+
+    it('should reject when user lacks access to a different target workspace', async () => {
+      mockAuthenticatedUser()
+
+      mockGetUserEntityPermissions
+        .mockResolvedValueOnce('admin') // source workspace check
+        .mockResolvedValueOnce('read') // target workspace check - read only
+
+      const req = createMockRequest('POST', {
+        name: 'Duplicate Folder',
+        workspaceId: TARGET_WORKSPACE_ID,
+      })
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const response = await POST(req as any, { params })
+
+      expect(response.status).toBe(403)
+      const data = await response.json()
+      expect(data.error).toBe('Write or admin access required for target workspace')
+    })
+
+    it('should reject when user has no permission on target workspace', async () => {
+      mockAuthenticatedUser()
+
+      mockGetUserEntityPermissions
+        .mockResolvedValueOnce('admin') // source workspace check
+        .mockResolvedValueOnce(null) // target workspace check - no access
+
+      const req = createMockRequest('POST', {
+        name: 'Duplicate Folder',
+        workspaceId: TARGET_WORKSPACE_ID,
+      })
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const response = await POST(req as any, { params })
+
+      expect(response.status).toBe(403)
+    })
+
+    it('should not check target workspace permission when duplicating within same workspace', async () => {
+      mockAuthenticatedUser()
+      mockGetUserEntityPermissions.mockResolvedValue('admin')
+
+      const req = createMockRequest('POST', {
+        name: 'Duplicate Folder',
+      })
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      await POST(req as any, { params })
+
+      expect(mockGetUserEntityPermissions).toHaveBeenCalledTimes(1)
+      expect(mockGetUserEntityPermissions).toHaveBeenCalledWith(
+        TEST_USER.id,
+        'workspace',
+        SOURCE_WORKSPACE_ID
+      )
+    })
+
+    it('should check target workspace permission when workspaceId differs', async () => {
+      mockAuthenticatedUser()
+      mockGetUserEntityPermissions.mockResolvedValue('admin')
+
+      const req = createMockRequest('POST', {
+        name: 'Duplicate Folder',
+        workspaceId: TARGET_WORKSPACE_ID,
+      })
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      await POST(req as any, { params })
+
+      expect(mockGetUserEntityPermissions).toHaveBeenCalledTimes(2)
+      expect(mockGetUserEntityPermissions).toHaveBeenCalledWith(
+        TEST_USER.id,
+        'workspace',
+        TARGET_WORKSPACE_ID
+      )
+    })
+  })
+})
diff --git a/apps/sim/app/api/folders/[id]/duplicate/route.ts b/apps/sim/app/api/folders/[id]/duplicate/route.ts
@@ -59,6 +59,24 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
 
     const targetWorkspaceId = workspaceId || sourceFolder.workspaceId
 
+    if (targetWorkspaceId !== sourceFolder.workspaceId) {
+      const targetPermission = await getUserEntityPermissions(
+        session.user.id,
+        'workspace',
+        targetWorkspaceId
+      )
+
+      if (!targetPermission || targetPermission === 'read') {
+        logger.warn(
+          `[${requestId}] User ${session.user.id} denied write access to target workspace ${targetWorkspaceId}`
+        )
+        return NextResponse.json(
+          { error: 'Write or admin access required for target workspace' },
+          { status: 403 }
+        )
+      }
+    }
+
     const { newFolderId, folderMapping } = await db.transaction(async (tx) => {
       const newFolderId = crypto.randomUUID()
       const now = new Date()
