added safety incase userId is missing

waleedlatif1 · waleedlatif1 · commit 4eaad052a1d8 · 2026-02-17T18:29:27.000-08:00
diff --git a/apps/sim/ee/access-control/utils/permission-check.test.ts b/apps/sim/ee/access-control/utils/permission-check.test.ts
@@ -29,32 +29,35 @@ const mockGetAllowedIntegrationsFromEnv = vi.fn<() => string[] | null>()
 const mockIsOrganizationOnEnterprisePlan = vi.fn<() => Promise<boolean>>()
 const mockGetProviderFromModel = vi.fn<(model: string) => string>()
 
-vi.doMock('@sim/db', () => databaseMock)
-vi.doMock('@sim/db/schema', () => ({}))
-vi.doMock('@sim/logger', () => loggerMock)
-vi.doMock('drizzle-orm', () => drizzleOrmMock)
-vi.doMock('@/lib/billing', () => ({
+vi.mock('@sim/db', () => databaseMock)
+vi.mock('@sim/db/schema', () => ({}))
+vi.mock('@sim/logger', () => loggerMock)
+vi.mock('drizzle-orm', () => drizzleOrmMock)
+vi.mock('@/lib/billing', () => ({
   isOrganizationOnEnterprisePlan: mockIsOrganizationOnEnterprisePlan,
 }))
-vi.doMock('@/lib/core/config/feature-flags', () => ({
+vi.mock('@/lib/core/config/feature-flags', () => ({
   getAllowedIntegrationsFromEnv: mockGetAllowedIntegrationsFromEnv,
   isAccessControlEnabled: false,
   isHosted: false,
 }))
-vi.doMock('@/lib/permission-groups/types', () => ({
+vi.mock('@/lib/permission-groups/types', () => ({
   DEFAULT_PERMISSION_GROUP_CONFIG,
   parsePermissionGroupConfig: (config: unknown) => {
     if (!config || typeof config !== 'object') return DEFAULT_PERMISSION_GROUP_CONFIG
     return { ...DEFAULT_PERMISSION_GROUP_CONFIG, ...config }
   },
 }))
-vi.doMock('@/providers/utils', () => ({
+vi.mock('@/providers/utils', () => ({
   getProviderFromModel: mockGetProviderFromModel,
 }))
 
-const { IntegrationNotAllowedError, getUserPermissionConfig, validateBlockType } = await import(
-  './permission-check'
-)
+import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
+import {
+  getUserPermissionConfig,
+  IntegrationNotAllowedError,
+  validateBlockType,
+} from './permission-check'
 
 describe('IntegrationNotAllowedError', () => {
   it.concurrent('creates error with correct name and message', () => {
@@ -104,6 +107,56 @@ describe('getUserPermissionConfig', () => {
   })
 })
 
+describe('env allowlist fallback when userId is absent', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('returns null config when no userId and no env allowlist', async () => {
+    mockGetAllowedIntegrationsFromEnv.mockReturnValue(null)
+
+    const userId: string | undefined = undefined
+    const permissionConfig = userId ? await getUserPermissionConfig(userId) : null
+    const allowedIntegrations =
+      permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
+
+    expect(allowedIntegrations).toBeNull()
+  })
+
+  it('falls back to env allowlist when no userId is provided', async () => {
+    mockGetAllowedIntegrationsFromEnv.mockReturnValue(['slack', 'gmail'])
+
+    const userId: string | undefined = undefined
+    const permissionConfig = userId ? await getUserPermissionConfig(userId) : null
+    const allowedIntegrations =
+      permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
+
+    expect(allowedIntegrations).toEqual(['slack', 'gmail'])
+  })
+
+  it('env allowlist filters block types when userId is absent', async () => {
+    mockGetAllowedIntegrationsFromEnv.mockReturnValue(['slack', 'gmail'])
+
+    const userId: string | undefined = undefined
+    const permissionConfig = userId ? await getUserPermissionConfig(userId) : null
+    const allowedIntegrations =
+      permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
+
+    expect(allowedIntegrations).not.toBeNull()
+    expect(allowedIntegrations!.includes('slack')).toBe(true)
+    expect(allowedIntegrations!.includes('discord')).toBe(false)
+  })
+
+  it('uses permission config when userId is present, ignoring env fallback', async () => {
+    mockGetAllowedIntegrationsFromEnv.mockReturnValue(['slack', 'gmail'])
+
+    const config = await getUserPermissionConfig('user-123')
+
+    expect(config).not.toBeNull()
+    expect(config!.allowedIntegrations).toEqual(['slack', 'gmail'])
+  })
+})
+
 describe('validateBlockType', () => {
   beforeEach(() => {
     vi.clearAllMocks()
@@ -115,15 +168,15 @@ describe('validateBlockType', () => {
     })
 
     it('allows any block type', async () => {
-      await expect(validateBlockType(undefined, 'google_drive')).resolves.not.toThrow()
+      await validateBlockType(undefined, 'google_drive')
     })
 
     it('allows multi-word block types', async () => {
-      await expect(validateBlockType(undefined, 'microsoft_excel')).resolves.not.toThrow()
+      await validateBlockType(undefined, 'microsoft_excel')
     })
 
     it('always allows start_trigger', async () => {
-      await expect(validateBlockType(undefined, 'start_trigger')).resolves.not.toThrow()
+      await validateBlockType(undefined, 'start_trigger')
     })
   })
 
@@ -137,9 +190,9 @@ describe('validateBlockType', () => {
     })
 
     it('allows block types on the allowlist', async () => {
-      await expect(validateBlockType(undefined, 'slack')).resolves.not.toThrow()
-      await expect(validateBlockType(undefined, 'google_drive')).resolves.not.toThrow()
-      await expect(validateBlockType(undefined, 'microsoft_excel')).resolves.not.toThrow()
+      await validateBlockType(undefined, 'slack')
+      await validateBlockType(undefined, 'google_drive')
+      await validateBlockType(undefined, 'microsoft_excel')
     })
 
     it('rejects block types not on the allowlist', async () => {
@@ -149,12 +202,12 @@ describe('validateBlockType', () => {
     })
 
     it('always allows start_trigger regardless of allowlist', async () => {
-      await expect(validateBlockType(undefined, 'start_trigger')).resolves.not.toThrow()
+      await validateBlockType(undefined, 'start_trigger')
     })
 
     it('matches case-insensitively', async () => {
-      await expect(validateBlockType(undefined, 'Slack')).resolves.not.toThrow()
-      await expect(validateBlockType(undefined, 'GOOGLE_DRIVE')).resolves.not.toThrow()
+      await validateBlockType(undefined, 'Slack')
+      await validateBlockType(undefined, 'GOOGLE_DRIVE')
     })
 
     it('includes reason in error for env-only enforcement', async () => {
diff --git a/apps/sim/lib/copilot/process-contents.ts b/apps/sim/lib/copilot/process-contents.ts
@@ -2,6 +2,7 @@ import { db } from '@sim/db'
 import { copilotChats, document, knowledgeBase, templates } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, eq, isNull } from 'drizzle-orm'
+import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
 import { loadWorkflowFromNormalizedTables } from '@/lib/workflows/persistence/utils'
 import { sanitizeForCopilot } from '@/lib/workflows/sanitization/json-sanitizer'
 import { isHiddenFromDisplay } from '@/blocks/types'
@@ -349,16 +350,14 @@ async function processBlockMetadata(
   userId?: string
 ): Promise<AgentContext | null> {
   try {
-    if (userId) {
-      const permissionConfig = await getUserPermissionConfig(userId)
-      const allowedIntegrations = permissionConfig?.allowedIntegrations
-      if (allowedIntegrations != null && !allowedIntegrations.includes(blockId.toLowerCase())) {
-        logger.debug('Block not allowed by permission group', { blockId, userId })
-        return null
-      }
+    const permissionConfig = userId ? await getUserPermissionConfig(userId) : null
+    const allowedIntegrations =
+      permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
+    if (allowedIntegrations != null && !allowedIntegrations.includes(blockId.toLowerCase())) {
+      logger.debug('Block not allowed by integration allowlist', { blockId, userId })
+      return null
     }
 
-    // Reuse registry to match get_blocks_metadata tool result
     const { registry: blockRegistry } = await import('@/blocks/registry')
     const { tools: toolsRegistry } = await import('@/tools/registry')
     const SPECIAL_BLOCKS_METADATA: Record<string, any> = {}
@@ -466,7 +465,6 @@ async function processWorkflowBlockFromDb(
     if (!block) return null
     const tag = label ? `@${label} in Workflow` : `@${block.name || blockId} in Workflow`
 
-    // Build content: isolate the block and include its subBlocks fully
     const contentObj = {
       workflowId,
       block: block,
@@ -518,7 +516,6 @@ async function processExecutionLogFromDb(
       endedAt: log.endedAt?.toISOString?.() || (log.endedAt ? String(log.endedAt) : null),
       totalDurationMs: log.totalDurationMs ?? null,
       workflowName: log.workflowName || '',
-      // Include trace spans and any available details without being huge
       executionData: log.executionData
         ? {
             traceSpans: (log.executionData as any).traceSpans || undefined,
diff --git a/apps/sim/lib/copilot/tools/server/blocks/get-block-config.ts b/apps/sim/lib/copilot/tools/server/blocks/get-block-config.ts
@@ -6,6 +6,7 @@ import {
   GetBlockConfigResult,
   type GetBlockConfigResultType,
 } from '@/lib/copilot/tools/shared/schemas'
+import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
 import { registry as blockRegistry, getLatestBlock } from '@/blocks/registry'
 import { isHiddenFromDisplay, type SubBlockConfig } from '@/blocks/types'
 import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
@@ -439,7 +440,8 @@ export const getBlockConfigServerTool: BaseServerTool<
     }
 
     const permissionConfig = context?.userId ? await getUserPermissionConfig(context.userId) : null
-    const allowedIntegrations = permissionConfig?.allowedIntegrations
+    const allowedIntegrations =
+      permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
 
     if (allowedIntegrations != null && !allowedIntegrations.includes(blockType.toLowerCase())) {
       throw new Error(`Block "${blockType}" is not available`)
diff --git a/apps/sim/lib/copilot/tools/server/blocks/get-block-options.ts b/apps/sim/lib/copilot/tools/server/blocks/get-block-options.ts
@@ -6,6 +6,7 @@ import {
   GetBlockOptionsResult,
   type GetBlockOptionsResultType,
 } from '@/lib/copilot/tools/shared/schemas'
+import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
 import { registry as blockRegistry, getLatestBlock } from '@/blocks/registry'
 import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
 import { tools as toolsRegistry } from '@/tools/registry'
@@ -59,7 +60,8 @@ export const getBlockOptionsServerTool: BaseServerTool<
     }
 
     const permissionConfig = context?.userId ? await getUserPermissionConfig(context.userId) : null
-    const allowedIntegrations = permissionConfig?.allowedIntegrations
+    const allowedIntegrations =
+      permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
 
     if (allowedIntegrations != null && !allowedIntegrations.includes(blockId.toLowerCase())) {
       throw new Error(`Block "${blockId}" is not available`)
diff --git a/apps/sim/lib/copilot/tools/server/blocks/get-blocks-and-tools.ts b/apps/sim/lib/copilot/tools/server/blocks/get-blocks-and-tools.ts
@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import type { BaseServerTool } from '@/lib/copilot/tools/server/base-tool'
 import { GetBlocksAndToolsInput, GetBlocksAndToolsResult } from '@/lib/copilot/tools/shared/schemas'
+import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
 import { registry as blockRegistry } from '@/blocks/registry'
 import type { BlockConfig } from '@/blocks/types'
 import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
@@ -17,7 +18,8 @@ export const getBlocksAndToolsServerTool: BaseServerTool<
     logger.debug('Executing get_blocks_and_tools')
 
     const permissionConfig = context?.userId ? await getUserPermissionConfig(context.userId) : null
-    const allowedIntegrations = permissionConfig?.allowedIntegrations
+    const allowedIntegrations =
+      permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
 
     type BlockListItem = {
       type: string
diff --git a/apps/sim/lib/copilot/tools/server/blocks/get-blocks-metadata-tool.ts b/apps/sim/lib/copilot/tools/server/blocks/get-blocks-metadata-tool.ts
@@ -3,6 +3,7 @@ import { join } from 'path'
 import { createLogger } from '@sim/logger'
 import type { BaseServerTool } from '@/lib/copilot/tools/server/base-tool'
 import { GetBlocksMetadataInput, GetBlocksMetadataResult } from '@/lib/copilot/tools/shared/schemas'
+import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
 import { registry as blockRegistry } from '@/blocks/registry'
 import { AuthMode, type BlockConfig, isHiddenFromDisplay } from '@/blocks/types'
 import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
@@ -112,7 +113,8 @@ export const getBlocksMetadataServerTool: BaseServerTool<
     logger.debug('Executing get_blocks_metadata', { count: blockIds?.length })
 
     const permissionConfig = context?.userId ? await getUserPermissionConfig(context.userId) : null
-    const allowedIntegrations = permissionConfig?.allowedIntegrations
+    const allowedIntegrations =
+      permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
 
     const result: Record<string, CopilotBlockMetadata> = {}
     for (const blockId of blockIds || []) {
@@ -420,7 +422,6 @@ function extractInputs(metadata: CopilotBlockMetadata): {
     }
 
     if (schema.options && schema.options.length > 0) {
-      // Always return the id (actual value to use), not the display label
       input.options = schema.options.map((opt) => opt.id || opt.label)
     }
 
diff --git a/apps/sim/lib/copilot/tools/server/blocks/get-trigger-blocks.ts b/apps/sim/lib/copilot/tools/server/blocks/get-trigger-blocks.ts
@@ -1,6 +1,7 @@
 import { createLogger } from '@sim/logger'
 import { z } from 'zod'
 import type { BaseServerTool } from '@/lib/copilot/tools/server/base-tool'
+import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
 import { registry as blockRegistry } from '@/blocks/registry'
 import type { BlockConfig } from '@/blocks/types'
 import { getUserPermissionConfig } from '@/ee/access-control/utils/permission-check'
@@ -22,7 +23,8 @@ export const getTriggerBlocksServerTool: BaseServerTool<
     logger.debug('Executing get_trigger_blocks')
 
     const permissionConfig = context?.userId ? await getUserPermissionConfig(context.userId) : null
-    const allowedIntegrations = permissionConfig?.allowedIntegrations
+    const allowedIntegrations =
+      permissionConfig?.allowedIntegrations ?? getAllowedIntegrationsFromEnv()
 
     const triggerBlockIds: string[] = []
 
