Skip to content

fix(files-upload): enforce workspace authorization on mothership uploads#5604

Merged
waleedlatif1 merged 2 commits into
stagingfrom
fix/files-upload-mothership-authz
Jul 11, 2026
Merged

fix(files-upload): enforce workspace authorization on mothership uploads#5604
waleedlatif1 merged 2 commits into
stagingfrom
fix/files-upload-mothership-authz

Conversation

@waleedlatif1

Copy link
Copy Markdown
Collaborator

Summary

  • The mothership context in POST /api/files/upload was missing the workspace permission check that every other context (workspace, knowledge-base, execution) already enforces
  • Added the same write/admin getUserEntityPermissions gate, plus the storage quota check other paths also apply
  • Matches the authorization already enforced for mothership in the multipart and presigned upload routes

Type of Change

  • Bug fix (security)

Testing

Added a Mothership Context Permission Gate test suite covering missing workspaceId, non-member, read-only member, over-quota, and write/admin-permission cases. Full route test suite passes (25/25).

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

The mothership context in POST /api/files/upload skipped the workspace
permission and storage quota checks that every sibling context enforces,
letting a caller write files into a workspace they have no access to.
@vercel

vercel Bot commented Jul 11, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jul 11, 2026 7:41pm

Request Review

@cursor

cursor Bot commented Jul 11, 2026

Copy link
Copy Markdown

PR Summary

High Risk
Fixes unauthorized file uploads to workspace storage; the change is narrow but touches auth, billing quota, and a previously exposed upload path.

Overview
Closes a security gap on POST /api/files/upload where mothership uploads could proceed without the workspace checks other contexts already use.

mothership now requires workspaceId, write/admin via getUserEntityPermissions, and a checkStorageQuota pass against the combined batch size—all resolved once per request before any file is stored. The per-file upload path only runs after that gate, using the validated workspace id.

Tests add a Mothership Context Permission Gate suite (missing workspace, non-member, read-only, over-quota, write/admin, multi-file quota sizing) and mock checkStorageQuota in shared setup.

Reviewed by Cursor Bugbot for commit eb71402. Configure here.

@greptile-apps

greptile-apps Bot commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR tightens authorization for mothership file uploads. The main changes are:

  • Adds a workspace ID requirement for mothership uploads.
  • Requires write or admin workspace access before upload.
  • Checks storage quota once against the full upload batch.
  • Adds route tests for denied and allowed mothership upload cases.

Confidence Score: 5/5

This looks safe to merge.

  • No blocking issues found in the changed code.

Important Files Changed

Filename Overview
apps/sim/app/api/files/upload/route.ts Adds the mothership workspace permission check and combined batch quota check before uploads run.
apps/sim/app/api/files/upload/route.test.ts Adds tests for mothership permission failures, quota failure, allowed uploads, and combined batch quota handling.

Reviews (2): Last reviewed commit: "fix(files-upload): check mothership quot..." | Re-trigger Greptile

Comment thread apps/sim/app/api/files/upload/route.ts Outdated
Resolve the mothership permission and quota check once per request
(mirroring the existing execution-context pattern) instead of per file:
a per-file quota check let a multi-file batch exceed the caller's quota
since each file's own size fit even when the combined total did not.
Also corrects the missing-workspaceId error message, which named the
chat context instead of mothership.
@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

Addressed both findings in eb71402:

  • Batch-quota bypass: fixed (replied inline, thread resolved).
  • Missing-workspaceId error naming "Chat" instead of mothership: fixed — now reads "Mothership context requires workspaceId parameter".

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@greptile review

@waleedlatif1

Copy link
Copy Markdown
Collaborator Author

@cursor review

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit eb71402. Configure here.

@waleedlatif1 waleedlatif1 merged commit d165712 into staging Jul 11, 2026
18 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/files-upload-mothership-authz branch July 11, 2026 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant