fix(credentials): reflect workspace permission in credential member role by minijeong-log · Pull Request #4699 · simstudioai/sim

minijeong-log · 2026-05-21T10:20:02Z

Summary

Workspace admin users were incorrectly assigned member role on credential_member when workspace-scoped secrets were created or synced. Only the workspace owner got admin. Now the workspace permissions table is consulted to determine the correct credential role.

Mapping

Workspace Permission	Credential Role
owner (`workspace.ownerId`)	admin
admin (permissions table)	admin
write	member
read	member

Changes

environment.ts: Query workspace permissions in ensureWorkspaceCredentialMemberships and map admin permission → credential admin role
route.ts POST: Apply same mapping during credential creation

Test Plan

Create workspace with owner + admin + write + read members
Create workspace-scoped secret
Verify credential_member roles match the mapping above
Verify workspace admin can edit/delete secrets
Verify workspace write/read users cannot edit/delete secrets

Workspace admin users were incorrectly assigned 'member' role on credential_member when workspace-scoped secrets were created or synced. Only the workspace owner got 'admin'. Now workspace permissions table is consulted: owner/admin → credential admin, write/read → member. - environment.ts: query workspace permissions in ensureWorkspaceCredentialMemberships - route.ts POST: apply same mapping during credential creation

vercel · 2026-05-21T10:20:09Z

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
docs	Skipped		May 22, 2026 1:39am

cursor · 2026-05-21T10:20:13Z

PR Summary

Medium Risk
Changes role assignment logic for credential_member on workspace-scoped credentials, which can affect who can edit/delete secrets. Risk is moderate because it alters authorization-relevant data based on workspace permissions rows.

Overview
Workspace-scoped credential creation and env-key sync now consult the workspace permissions table so users with workspace admin permission are recorded as credential_member.role = admin (owner stays admin; write/read remain member).

This removes the shared getWorkspaceMemberUserIds helper and updates ensureWorkspaceCredentialMemberships / bulk membership inserts to compute per-user roles from permissionType, ensuring roles are corrected both when creating new secrets and when syncing existing workspace env credentials.

^{Reviewed by Cursor Bugbot for commit c37e20c. Bugbot is set up for automated code reviews on this repo. Configure here.}

greptile-apps · 2026-05-21T10:21:42Z

Greptile Summary

This PR fixes workspace admin users being incorrectly assigned member role on credential_member when workspace-scoped secrets were created or synced. It adds a permissions table lookup in ensureWorkspaceCredentialMemberships and in the POST route handler so that workspace admins receive admin credential role.

environment.ts: ensureWorkspaceCredentialMemberships now accepts workspaceId, queries workspace permissions, and promotes users with admin workspace permission to admin credential role; the call site in syncWorkspaceEnvCredentials is updated accordingly.
route.ts POST: A parallel permissions query is added alongside the existing member-ID fetch, and the same owner-or-admin check drives the role assigned to each credential_member row.
createWorkspaceEnvCredentials (also in environment.ts) is a third membership-insertion path that was not updated and still uses the old owner-only admin check, leaving workspace admins with member role when credentials are created through that function.

Confidence Score: 3/5

The fix is correct on the two paths it touches but leaves a third membership-insertion path (createWorkspaceEnvCredentials) using the old logic, so workspace admins will still get the wrong role on credentials created through that function.

Two of the three places that write credential_member rows for workspace-scoped credentials are corrected. createWorkspaceEnvCredentials in environment.ts — which bulk-inserts memberships for newly added env keys — was not updated and still only grants admin to the workspace owner, leaving workspace admins incorrectly assigned member through that code path.

apps/sim/lib/credentials/environment.ts — the createWorkspaceEnvCredentials function (lines 272–285) needs the same permissions-table lookup applied to the other two paths.

Important Files Changed

Filename	Overview
apps/sim/lib/credentials/environment.ts	Adds workspace permission lookup to `ensureWorkspaceCredentialMemberships` and its call site, but `createWorkspaceEnvCredentials` (a third membership-insertion path) retains the old owner-only admin check and will still assign `member` to workspace admins.
apps/sim/app/api/credentials/route.ts	Correctly queries the permissions table in parallel and maps workspace `admin` → credential `admin` during credential creation; preserves the pre-existing creator-gets-admin behaviour.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Workspace credential created or synced] --> B{Type: env_workspace or service_account?}
    B -- No --> C[Insert single credentialMember as admin for creator]
    B -- Yes --> D[Fetch workspace member IDs + workspace permissions]
    D --> E[For each member user]
    E --> F{Is owner OR creator OR wsPermission === 'admin'?}
    F -- Yes --> G[role = 'admin']
    F -- No --> H[role = 'member']
    G --> I[Insert/Update credentialMember row]
    H --> I

    subgraph "createWorkspaceEnvCredentials (NOT updated)"
        J[Fetch workspace member IDs ONLY] --> K[For each member user]
        K --> L{Is owner?}
        L -- Yes --> M[role = 'admin']
        L -- No --> N[role = 'member — workspace admins get wrong role']
    end

Comments Outside Diff (1)

apps/sim/lib/credentials/environment.ts, line 272-285 (link)

createWorkspaceEnvCredentials still uses the old role mapping

createWorkspaceEnvCredentials is a third code path that bulk-inserts credential_member rows for newly added workspace env keys (line 278: memberUserId === ownerUserId ? 'admin' : 'member'). It never consults the permissions table, so workspace admins who are enrolled via the permissions table will still receive member role when credentials are created through this path. The fix applied to ensureWorkspaceCredentialMemberships and the POST route needs to be applied here as well.

_{Reviews (1): Last reviewed commit: "fix(credentials): reflect workspace perm..." | Re-trigger Greptile}

…ntials Address Bugbot review: the parallel credential creation path (createWorkspaceEnvCredentials) still used owner-only admin logic. Now queries workspace permissions table for consistent role mapping.

Address Bugbot review: permissions query was executed N times (once per credential) inside ensureWorkspaceCredentialMemberships loop. Now queried once in the caller and passed as a Map parameter.

Derive memberUserIds from wsPermissionRows + workspace owner instead of calling getWorkspaceMemberUserIds separately. This removes a duplicate query on the permissions table at every call site.

…ency The credential creator (session.user.id) was always granted admin role regardless of their workspace permission. This created inconsistency with environment.ts sync logic which correctly derives role solely from workspace permission. Now both paths use the same mapping.

…ransaction

All callers now derive member IDs from workspace permission rows directly, making this function dead code.

cursor

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit c37e20c. Configure here.}

cursor · 2026-05-22T01:41:25Z

-                memberUserId === workspaceRow.ownerId || memberUserId === session.user.id
-                  ? 'admin'
-                  : 'member',
+              role: isAdmin ? 'admin' : 'member',


Service account roles stay stale

Medium Severity

This change assigns credential admin to workspace owners and workspace admin permission holders for service_account credentials, but nothing later realigns those rows when workspace permission is lowered. Permission updates only run syncWorkspaceEnvCredentials, which adjusts env_workspace memberships. A user demoted from workspace admin can keep credential admin on service accounts and still edit or delete them.

^{Reviewed by Cursor Bugbot for commit c37e20c. Configure here.}

vercel Bot temporarily deployed to Preview May 21, 2026 10:20 Inactive