fix: allow users with view-only permissions to execute workflows #19057
Open
vijaygovindaraja wants to merge 1 commit into twentyhq:main from
The SettingsPermissionGuard for WORKFLOWS was applied at the class level on WorkflowTriggerResolver, requiring the "manage workflow" settings permission for ALL mutations — including runWorkflowVersion. This prevented users with view-only access from executing active workflows they could see.

Move the WORKFLOWS permission guard from class-level to method-level on the three management mutations (activateWorkflowVersion, deactivateWorkflowVersion, stopWorkflowRun). The runWorkflowVersion mutation now only requires WorkspaceAuthGuard + UserAuthGuard, allowing any authenticated workspace member to trigger workflows they have view access to.

Permission model after this change:
- activateWorkflowVersion: requires WORKFLOWS settings permission
- deactivateWorkflowVersion: requires WORKFLOWS settings permission
- stopWorkflowRun: requires WORKFLOWS settings permission
- runWorkflowVersion: requires authentication only (view access)

Fixes twentyhq#15231

Signed-off-by: V Govindarajan <vijay.govindarajan91@gmail.com>
Contributor
Welcome!
Hello there, congrats on your first PR! We're excited to have you contributing to this project.
Summary
Users with view-only permissions for workflows cannot trigger active workflows (#15231). The SettingsPermissionGuard(PermissionFlagType.WORKFLOWS) was applied at the class level on WorkflowTriggerResolver, requiring "manage workflow" permission for ALL mutations — including runWorkflowVersion.

Fix
Move the WORKFLOWS permission guard from class-level to method-level on the three management mutations. runWorkflowVersion now only requires authentication (WorkspaceAuthGuard + UserAuthGuard).

Before: Class-level guard blocks all mutations for view-only users
After: Method-level guards on management mutations only

Permission model after this change
- activateWorkflowVersion
- deactivateWorkflowVersion
- stopWorkflowRun
- runWorkflowVersion

Fixes #15231