fix(editor): Restrict workflow and credential sharing to their owners (no-changelog) (#7870)

Removing scope permission checks on workflow and credential sharing and relying only on resource ownership. Every user can share only the workflows and credentials they created.
2025-03-05 20:50:17 -08:00 · 2023-11-29 16:36:49 +01:00 · 2023-11-29 16:36:49 +01:00 · 14f53def07
parent 74b4513298
commit 14f53def07
1 changed files with 2 additions and 2 deletions
--- a/packages/editor-ui/src/permissions.ts
+++ b/packages/editor-ui/src/permissions.ts
@ -84,7 +84,7 @@ export const getCredentialPermissions = (user: IUser | null, credential: ICreden
 		{ name: 'updateConnection', test: [UserRole.ResourceOwner] },
 		{
 			name: 'updateSharing',
-			test: (permissions) => rbacStore.hasScope('credential:share') || !!permissions.isOwner,
+			test: (permissions) => !!permissions.isOwner,
 		},
 		{ name: 'updateNodeAccess', test: [UserRole.ResourceOwner] },
 		{ name: 'delete', test: [UserRole.ResourceOwner, UserRole.InstanceOwner] },
@ -109,7 +109,7 @@ export const getWorkflowPermissions = (user: IUser | null, workflow: IWorkflowDb
 		},
 		{
 			name: 'updateSharing',
-			test: (permissions) => rbacStore.hasScope('workflow:share') || !!permissions.isOwner,
+			test: (permissions) => !!permissions.isOwner,
 		},
 		{
 			name: 'delete',