From 7b00d6e73111e23a75c2b755653032523be043bc Mon Sep 17 00:00:00 2001
From: Omar Ajoue
Date: Tue, 22 Nov 2022 14:24:29 +0100
Subject: [PATCH] feat: Implement runtine check for enterprise features (no-changelog) (#4676)

* feat: Implement runtine check for enterprise features
---
 .../src/UserManagement/PermissionChecker.ts | 29 ++++++++++++-------
 .../UserManagement/UserManagementHelper.ts | 9 ++++++
 2 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/packages/cli/src/UserManagement/PermissionChecker.ts b/packages/cli/src/UserManagement/PermissionChecker.ts
index 658ee0c1c0..24e906b11a 100644
--- a/packages/cli/src/UserManagement/PermissionChecker.ts
+++ b/packages/cli/src/UserManagement/PermissionChecker.ts
@@ -1,6 +1,9 @@
 import { INode, NodeOperationError, Workflow } from 'n8n-workflow';
-import { In } from 'typeorm';
+import { FindManyOptions, In, ObjectLiteral } from 'typeorm';
 import * as Db from '@/Db';
+import config from '@/config';
+import type { SharedCredentials } from '@db/entities/SharedCredentials';
+import { getRole } from './UserManagementHelper';
 export class PermissionChecker {
 /**
@@ -26,23 +29,29 @@ export class PermissionChecker {
 // allow if all creds used in this workflow are a subset of
 // all creds accessible to users who have access to this workflow
- let workflowUserIds: string[] = [];
+ let workflowUserIds = [userId];
- if (workflow.id) {
+ if (workflow.id && config.getEnv('enterprise.workflowSharingEnabled')) {
 const workflowSharings = await Db.collections.SharedWorkflow.find({
 relations: ['workflow'],
 where: { workflow: { id: Number(workflow.id) } },
 });
- workflowUserIds = workflowSharings.map((s) => s.userId);
- } else {
- // unsaved workflows have no id, so only get credentials for current user
- workflowUserIds = [userId];
 }
- const credentialSharings = await Db.collections.SharedCredentials.find({
- where: { user: In(workflowUserIds) },
- });
+ const credentialsWhereCondition: FindManyOptions & { where: ObjectLiteral } =
+ {
+ where: { user: In(workflowUserIds) },
+ };
+
+ if (!config.getEnv('enterprise.features.sharing')) {
+ // If credential sharing is not enabled, get only credentials owned by this user
+ credentialsWhereCondition.where.role = await getRole('credential', 'owner');
+ }
+
+ const credentialSharings = await Db.collections.SharedCredentials.find(
+ credentialsWhereCondition,
+ );
 const accessibleCredIds = credentialSharings.map((s) => s.credentialId.toString());
diff --git a/packages/cli/src/UserManagement/UserManagementHelper.ts b/packages/cli/src/UserManagement/UserManagementHelper.ts
index f91de0d19e..c7f65003df 100644
--- a/packages/cli/src/UserManagement/UserManagementHelper.ts
+++ b/packages/cli/src/UserManagement/UserManagementHelper.ts
@@ -78,6 +78,15 @@ export async function getInstanceOwner(): Promise {
 return owner;
 }
+export async function getRole(scope: Role['scope'], name: Role['name']): Promise {
+ return Db.collections.Role.findOneOrFail({
+ where: {
+ name,
+ scope,
+ },
+ });
+}
+
 /**
 * Return the n8n instance base URL without trailing slash.
 */
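Review bot: In PermissionChecker.ts the result of the `SharedWorkflow.find(...)` query is no longer used: the hunk removes `workflowUserIds = workflowSharings.map((s) => s.userId);` and adds nothing in its place, so `workflowUserIds` stays `[userId]` even when workflow sharing is enabled. That fails closed, since only the executing user's credential sharings are accepted, but it contradicts the comment above the block about "all creds accessible to users who have access to this workflow" and leaves a database round-trip whose result is discarded. If sharees' credentials are still meant to count, restore the assignment inside the `if` block: `workflowUserIds = workflowSharings.map((s) => s.userId);`. The two conditions are also gated on different keys, `enterprise.workflowSharingEnabled` and `enterprise.features.sharing`; if they describe one feature, read a single switch so the workflow side and the credential side of this authorization check cannot disagree. The enclosing method starts and ends outside the hunk.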
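Review bot: `getRole` in UserManagementHelper.ts is exported without a doc comment, although the function after it in the hunk has one, and its failure mode matters because the permission check now awaits it. `findOneOrFail` rejects when no row matches, so a missing role row would abort the caller with an ORM error rather than a permission error; that denies access, which is the safe direction, but the contract should be written down. Suggested comment: `/** Look up the Role row for the given scope and name; rejects if no such role exists. */`. Each call is a database query, and the caller in PermissionChecker.ts invokes it on every check when sharing is disabled, so it may be worth noting in the comment that callers can cache the result.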