mirror of
https://github.com/n8n-io/n8n.git
synced 2024-12-25 04:34:06 -08:00
fix(editor): Allow owners and admins to share workflows and credentials they don't own (#7833)
This commit is contained in:
parent
1c6178759c
commit
3ab3ec9da8
|
@ -18,7 +18,7 @@ export type WildcardScope = `${Resource}:*` | '*';
|
|||
export type WorkflowScope = ResourceScope<'workflow', DefaultOperations | 'share'>;
|
||||
export type TagScope = ResourceScope<'tag'>;
|
||||
export type UserScope = ResourceScope<'user'>;
|
||||
export type CredentialScope = ResourceScope<'credential'>;
|
||||
export type CredentialScope = ResourceScope<'credential', DefaultOperations | 'share'>;
|
||||
export type VariableScope = ResourceScope<'variable'>;
|
||||
export type SourceControlScope = ResourceScope<'sourceControl', 'pull' | 'push' | 'manage'>;
|
||||
export type ExternalSecretStoreScope = ResourceScope<
|
||||
|
|
|
@ -17,6 +17,7 @@ export const ownerPermissions: Scope[] = [
|
|||
'credential:update',
|
||||
'credential:delete',
|
||||
'credential:list',
|
||||
'credential:share',
|
||||
'variable:create',
|
||||
'variable:read',
|
||||
'variable:update',
|
||||
|
|
|
@ -142,7 +142,7 @@ export default defineComponent({
|
|||
},
|
||||
async onAction(action: string) {
|
||||
if (action === CREDENTIAL_LIST_ITEM_ACTIONS.OPEN) {
|
||||
await this.onClick();
|
||||
await this.onClick(new Event('click'));
|
||||
} else if (action === CREDENTIAL_LIST_ITEM_ACTIONS.DELETE) {
|
||||
const deleteConfirmed = await this.confirm(
|
||||
this.$locale.baseText(
|
||||
|
|
|
@ -31,28 +31,18 @@
|
|||
/>
|
||||
</div>
|
||||
<div v-else>
|
||||
<n8n-info-tip :bold="false" class="mb-s">
|
||||
<template v-if="credentialPermissions.isOwner">
|
||||
{{ $locale.baseText('credentialEdit.credentialSharing.info.owner') }}
|
||||
</template>
|
||||
<template v-else>
|
||||
{{
|
||||
$locale.baseText('credentialEdit.credentialSharing.info.sharee', {
|
||||
interpolate: { credentialOwnerName },
|
||||
})
|
||||
}}
|
||||
</template>
|
||||
<n8n-info-tip v-if="credentialPermissions.isOwner" :bold="false" class="mb-s">
|
||||
{{ $locale.baseText('credentialEdit.credentialSharing.info.owner') }}
|
||||
</n8n-info-tip>
|
||||
<n8n-info-tip
|
||||
v-if="
|
||||
!credentialPermissions.isOwner &&
|
||||
!credentialPermissions.isSharee &&
|
||||
credentialPermissions.isInstanceOwner
|
||||
"
|
||||
class="mb-s"
|
||||
:bold="false"
|
||||
>
|
||||
{{ $locale.baseText('credentialEdit.credentialSharing.info.instanceOwner') }}
|
||||
<n8n-info-tip v-if="!credentialPermissions.updateSharing" :bold="false" class="mb-s">
|
||||
{{
|
||||
$locale.baseText('credentialEdit.credentialSharing.info.sharee', {
|
||||
interpolate: { credentialOwnerName },
|
||||
})
|
||||
}}
|
||||
</n8n-info-tip>
|
||||
<n8n-info-tip v-if="credentialPermissions.read" class="mb-s" :bold="false">
|
||||
{{ $locale.baseText('credentialEdit.credentialSharing.info.reader') }}
|
||||
</n8n-info-tip>
|
||||
<n8n-user-select
|
||||
v-if="credentialPermissions.updateSharing"
|
||||
|
@ -128,8 +118,9 @@ export default defineComponent({
|
|||
const isAlreadySharedWithUser = (this.credentialData.sharedWith || []).find(
|
||||
(sharee: IUser) => sharee.id === user.id,
|
||||
);
|
||||
const isOwner = this.credentialData.ownedBy.id === user.id;
|
||||
|
||||
return !isCurrentUser && !isAlreadySharedWithUser;
|
||||
return !isCurrentUser && !isAlreadySharedWithUser && !isOwner;
|
||||
});
|
||||
},
|
||||
sharedWithList(): IUser[] {
|
||||
|
|
|
@ -23,7 +23,7 @@
|
|||
</n8n-text>
|
||||
</div>
|
||||
<div v-else :class="$style.container">
|
||||
<n8n-info-tip v-if="!workflowPermissions.isOwner" :bold="false" class="mb-s">
|
||||
<n8n-info-tip v-if="!workflowPermissions.updateSharing" :bold="false" class="mb-s">
|
||||
{{
|
||||
$locale.baseText('workflows.shareModal.info.sharee', {
|
||||
interpolate: { workflowOwnerName },
|
||||
|
@ -213,8 +213,9 @@ export default defineComponent({
|
|||
const isAlreadySharedWithUser = (this.sharedWith || []).find(
|
||||
(sharee) => sharee.id === user.id,
|
||||
);
|
||||
const isOwner = this.workflow?.ownedBy?.id === user.id;
|
||||
|
||||
return !isCurrentUser && !isAlreadySharedWithUser;
|
||||
return !isCurrentUser && !isAlreadySharedWithUser && !isOwner;
|
||||
});
|
||||
},
|
||||
sharedWithList(): Array<Partial<IUser>> {
|
||||
|
|
|
@ -64,6 +64,7 @@ export const parsePermissionsTable = (
|
|||
|
||||
export const getCredentialPermissions = (user: IUser | null, credential: ICredentialsResponse) => {
|
||||
const settingsStore = useSettingsStore();
|
||||
const rbacStore = useRBACStore();
|
||||
const isSharingEnabled = settingsStore.isEnterpriseFeatureEnabled(
|
||||
EnterpriseEditionFeature.Sharing,
|
||||
);
|
||||
|
@ -77,10 +78,14 @@ export const getCredentialPermissions = (user: IUser | null, credential: ICreden
|
|||
name: UserRole.ResourceSharee,
|
||||
test: () => !!credential?.sharedWith?.find((sharee) => sharee.id === user?.id),
|
||||
},
|
||||
{ name: 'read', test: () => rbacStore.hasScope('credential:read') },
|
||||
{ name: 'save', test: [UserRole.ResourceOwner, UserRole.InstanceOwner] },
|
||||
{ name: 'updateName', test: [UserRole.ResourceOwner, UserRole.InstanceOwner] },
|
||||
{ name: 'updateConnection', test: [UserRole.ResourceOwner] },
|
||||
{ name: 'updateSharing', test: [UserRole.ResourceOwner] },
|
||||
{
|
||||
name: 'updateSharing',
|
||||
test: (permissions) => rbacStore.hasScope('credential:share') || !!permissions.isOwner,
|
||||
},
|
||||
{ name: 'updateNodeAccess', test: [UserRole.ResourceOwner] },
|
||||
{ name: 'delete', test: [UserRole.ResourceOwner, UserRole.InstanceOwner] },
|
||||
{ name: 'use', test: [UserRole.ResourceOwner, UserRole.ResourceSharee] },
|
||||
|
@ -104,7 +109,7 @@ export const getWorkflowPermissions = (user: IUser | null, workflow: IWorkflowDb
|
|||
},
|
||||
{
|
||||
name: 'updateSharing',
|
||||
test: (permissions) => rbacStore.hasScope('workflow:update') || !!permissions.isOwner,
|
||||
test: (permissions) => rbacStore.hasScope('workflow:share') || !!permissions.isOwner,
|
||||
},
|
||||
{
|
||||
name: 'delete',
|
||||
|
|
|
@ -416,7 +416,7 @@
|
|||
"credentialEdit.oAuthButton.connectMyAccount": "Connect my account",
|
||||
"credentialEdit.oAuthButton.signInWithGoogle": "Sign in with Google",
|
||||
"credentialEdit.credentialSharing.info.owner": "Sharing a credential allows people to use it in their workflows. They cannot access credential details.",
|
||||
"credentialEdit.credentialSharing.info.instanceOwner": "You can view this credential because you are the instance owner (and rename or delete it too). To use it in a workflow, ask the credential owner to share it with you.",
|
||||
"credentialEdit.credentialSharing.info.reader": "You can view this credential because you have permission to read and share (and rename or delete it too). To use it in a workflow, ask the credential owner to share it with you.",
|
||||
"credentialEdit.credentialSharing.info.sharee": "Only {credentialOwnerName} can change who this credential is shared with",
|
||||
"credentialEdit.credentialSharing.info.sharee.fallback": "the owner",
|
||||
"credentialEdit.credentialSharing.select.placeholder": "Add users...",
|
||||
|
@ -1998,7 +1998,7 @@
|
|||
"workflows.shareModal.changesHint": "You made changes",
|
||||
"workflows.shareModal.isDefaultUser.description": "You first need to set up your owner account to enable workflow sharing features.",
|
||||
"workflows.shareModal.isDefaultUser.button": "Go to settings",
|
||||
"workflows.shareModal.info.sharee": "Only {workflowOwnerName} can change who this workflow is shared with",
|
||||
"workflows.shareModal.info.sharee": "Only {workflowOwnerName} or users with workflow sharing permission can change who this workflow is shared with",
|
||||
"workflows.shareModal.info.sharee.fallback": "the owner",
|
||||
"workflows.roles.editor": "Editor",
|
||||
"workflows.concurrentChanges.confirmMessage.title": "Workflow was changed by someone else",
|
||||
|
|
|
@ -43,10 +43,9 @@ import { useRBACStore } from '@/stores/rbac.store';
|
|||
import type { Scope, ScopeLevel } from '@n8n/permissions';
|
||||
import { inviteUsers, acceptInvitation } from '@/api/invitation';
|
||||
|
||||
const isDefaultUser = (user: IUserResponse | null) =>
|
||||
user?.isPending && user?.globalRole?.name === ROLE.Owner;
|
||||
const isPendingUser = (user: IUserResponse | null) => !!user?.isPending;
|
||||
const isInstanceOwner = (user: IUserResponse | null) => user?.globalRole?.name === ROLE.Owner;
|
||||
const isDefaultUser = (user: IUserResponse | null) => isInstanceOwner(user) && isPendingUser(user);
|
||||
|
||||
export const useUsersStore = defineStore(STORES.USERS, {
|
||||
state: (): IUsersState => ({
|
||||
|
|
Loading…
Reference in a new issue