
Commit 5a20f06

waleedlatif1claude
andcommitted
fix(workflows): close duplicate lock bypass and trim redundant query fields
- Fix workflow duplicate route: when folderId is omitted, resolve source workflow's folder and check its lock status before allowing duplication - Remove unnecessary parentId/isLocked fields from folders reorder existingFolders query (lock checks use the separate allFolders query) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent e325a51 commit 5a20f06


2 files changed

+14
-4
lines changed


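--- a/apps/sim/app/api/folders/reorder/route.ts
+++ b/apps/sim/app/api/folders/reorder/route.ts
@@ -48,8 +48,6 @@ export async function PUT(req: NextRequest) {
 .select({
 id: workflowFolder.id,
 workspaceId: workflowFolder.workspaceId,
-parentId: workflowFolder.parentId,
-isLocked: workflowFolder.isLocked,
 })
 .from(workflowFolder)
 .where(inArray(workflowFolder.id, folderIds))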

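--- a/apps/sim/app/api/workflows/[id]/duplicate/route.ts
+++ b/apps/sim/app/api/workflows/[id]/duplicate/route.ts
@@ -1,4 +1,7 @@
+import { db } from '@sim/db'
+import { workflow } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
@@ -38,8 +41,17 @@ export async function POST(req: NextRequest, { params }: { params: Promise<{ id:
 const { name, description, color, workspaceId, folderId, newId } =
 DuplicateRequestSchema.parse(body)
 
-if (folderId) {
-const folderLocked = await isFolderEffectivelyLockedDb(folderId)
+let targetFolderId = folderId
+if (targetFolderId === undefined) {
+const [source] = await db
+.select({ folderId: workflow.folderId })
+.from(workflow)
+.where(eq(workflow.id, sourceWorkflowId))
+.limit(1)
+targetFolderId = source?.folderId ?? null
+}
+if (targetFolderId) {
+const folderLocked = await isFolderEffectivelyLockedDb(targetFolderId)
 if (folderLocked) {
 return NextResponse.json(
 { error: 'Cannot duplicate a workflow into a locked folder' },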
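Review bot: The new lookup in the `targetFolderId === undefined` branch selects the source workflow by `sourceWorkflowId` alone, and the hunk does not show whether the caller's access to that workflow has been verified before this point. If the permission check happens later in POST (the body continues outside the hunk), the 'Cannot duplicate a workflow into a locked folder' error would be returned for workflows the caller cannot read, so it is worth confirming the order and recording it with a comment such as `// sourceWorkflowId is already authorized for this user at this point`. Separately, the lock check uses `targetFolderId` while the code that performs the duplication is not visible here; if it still receives `folderId` and resolves the source folder again on its own, a workflow moved between the two reads would be checked against one folder and written into another, so handing `targetFolderId` to that call would keep the check and the write on the same value.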
