Commit 325d83b
fix: allow users with view-only permissions to execute workflows

The SettingsPermissionGuard for WORKFLOWS was applied at the class
level on WorkflowTriggerResolver, requiring the "manage workflow"
settings permission for ALL mutations — including runWorkflowVersion.
This prevented users with view-only access from executing active
workflows they could see.

Move the WORKFLOWS permission guard from class-level to method-level
on the three management mutations (activateWorkflowVersion,
deactivateWorkflowVersion, stopWorkflowRun). The runWorkflowVersion
mutation now only requires WorkspaceAuthGuard + UserAuthGuard,
allowing any authenticated workspace member to trigger workflows
they have view access to.

Permission model after this change:
- activateWorkflowVersion: requires WORKFLOWS settings permission
- deactivateWorkflowVersion: requires WORKFLOWS settings permission
- stopWorkflowRun: requires WORKFLOWS settings permission
- runWorkflowVersion: requires authentication only (view access)

Fixes #15231
Signed-off-by: V Govindarajan <vijay.govindarajan91@gmail.com>

1 parent cb44b22 commit 325d83b
1 file changed (+4, -5) in packages/twenty-server/src/engine/core-modules/workflow/resolvers
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
29 | | - | |
30 | | - | |
31 | | - | |
32 | | - | |
33 | | - | |
| 29 | + | |
34 | 30 | | |
35 | 31 | | |
36 | 32 | | |
| |||
44 | 40 | | |
45 | 41 | | |
46 | 42 | | |
| 43 | + | |
47 | 44 | | |
48 | 45 | | |
49 | 46 | | |
| |||
56 | 53 | | |
57 | 54 | | |
58 | 55 | | |
| 56 | + | |
59 | 57 | | |
60 | 58 | | |
61 | 59 | | |
| |||
111 | 109 | | |
112 | 110 | | |
113 | 111 | | |
| 112 | + | |
114 | 113 | | |
115 | 114 | | |
116 | 115 | | |
| |||
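Review bot: with the class-level guard removed (old lines 29-33), runWorkflowVersion is left behind WorkspaceAuthGuard + UserAuthGuard only, yet the commit message scopes it to active workflows the caller has "view access to", and no check for either condition appears in this diff. Please confirm that object-level read permission on the workflow and the active-status check are enforced in the code the mutation calls, and add a resolver test showing that a workspace member without read access to the workflow is rejected. A second point on the same change: with guards now attached per method (new lines 43, 56 and 112), any mutation added to WorkflowTriggerResolver later is unguarded by default. Consider keeping a deny-by-default guard at class level with an explicit opt-out on runWorkflowVersion, or add a test that fails when a mutation on this resolver has no permission guard.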