
UN-2868 [FIX] Restrict workflow modifications to owners in shared workflows

Open johnyrahul opened this issue 2 months ago • 3 comments

Summary

This PR implements ownership restrictions for shared workflows to prevent non-owners from modifying workflow configurations. This ensures data integrity and proper access control when workflows are shared across users.

Changes Made

1. Display Tool Name Instead of Tool ID

  • Added getToolName() helper function to resolve tool names from tool IDs
  • Implements three-tier fallback strategy:
    • First checks tool_instances from backend (includes name even if tool is no longer exported)
    • Falls back to exportedTools list
    • Finally displays tool ID if name cannot be resolved

2. Restrict Tool Modification to Workflow Owners

  • Added isWorkflowOwner() helper function to compare current user ID with workflow creator ID
  • Handles type differences between user IDs (integer vs string) by converting both to strings
  • Disabled "Change Prompt Studio project" button for non-owners
  • Disabled "Configure Settings" button for non-owners

3. Restrict Connector Configuration to Workflow Owners

  • Extended ownership restrictions to source and destination connectors
  • Disabled connector type dropdown for non-owners
  • Disabled Configure button for non-owners
  • Added helpful tooltip messages explaining ownership requirements
  • Properly passed isWorkflowOwner prop through component hierarchy:
    • Agency → WorkflowCard → DsSettingsCard

Technical Details

  • All ownership checks use string comparison to handle type differences between UUID strings and integers
  • Components properly handle cases where workflow data hasn't loaded yet
  • Maintains backward compatibility with existing deployment restrictions (allowChangeEndpoint)

Components Modified

  • frontend/src/components/agency/agency/Agency.jsx
  • frontend/src/components/agency/ds-settings-card/DsSettingsCard.jsx
  • frontend/src/components/agency/workflow-card/WorkflowCard.jsx

Testing Checklist

  • [ ] Workflow owner can modify all settings
  • [ ] Non-owner cannot change Prompt Studio project
  • [ ] Non-owner cannot configure tool settings
  • [ ] Non-owner cannot modify source connector
  • [ ] Non-owner cannot modify destination connector
  • [ ] Tooltips display correct messages for non-owners
  • [ ] Tool names display correctly even when tool is no longer exported
  • [ ] Ownership check handles type differences correctly

🤖 Generated with Claude Code

johnyrahul avatar Oct 13 '25 12:10 johnyrahul
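
An added example, not code from this PR or the Unstract repository: the string-based ownership comparison described above, with the "workflow data hasn't loaded yet" case made fail-closed, plus the combined gating with `allowChangeEndpoint`. The field names `details.created_by` and `sessionDetails.id` come from the walkthrough on this page; `normalizeId`, `connectorControlState`, the function signatures and the tooltip strings are assumptions.

```javascript
// Added illustration; not code from the Unstract repository.
// details.created_by and sessionDetails.id are named in the PR walkthrough;
// function shapes and tooltip text are assumed for the example.

// Naive form: String(undefined) === String(undefined) is true, so every
// user would be treated as the owner while the workflow is still loading.
function isWorkflowOwnerNaive(details, sessionDetails) {
  return String(details?.created_by) === String(sessionDetails?.id);
}

// Normalise an ID (integer or UUID string) to a non-empty string,
// or null when the value is missing.
function normalizeId(value) {
  if (value === null || value === undefined) return null;
  const id = String(value).trim();
  return id === "" ? null : id;
}

// Fail-closed form: an unknown ID on either side means "not the owner".
function isWorkflowOwner(details, sessionDetails) {
  const creator = normalizeId(details?.created_by);
  const current = normalizeId(sessionDetails?.id);
  return creator !== null && current !== null && creator === current;
}

// UI state for a connector control: the existing deployment restriction
// (allowChangeEndpoint) and the ownership restriction must both permit it.
function connectorControlState(owner, allowChangeEndpoint) {
  if (!allowChangeEndpoint) {
    return { disabled: true, tooltip: "Locked by an existing deployment" }; // assumed text
  }
  if (!owner) {
    return { disabled: true, tooltip: "Only the workflow owner can change this" }; // assumed text
  }
  return { disabled: false, tooltip: "" };
}
```

This only decides what the UI renders; as the review comment further down asks, the same ownership rule still has to be enforced by the backend.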

Summary by CodeRabbit

  • New Features
    • Workflow ownership controls: Only the workflow owner can change the Prompt Studio project or configure settings. Non-owners see disabled actions with clear tooltips explaining restrictions.
    • Improved tool labeling: Tool names are resolved more reliably, with graceful fallbacks when a name isn’t available.
    • Consistent ownership handling: Ownership status is applied across workflow cards and settings, ensuring a unified permission experience throughout the interface.

Walkthrough

Introduces isWorkflowOwner ownership checks into Agency, WorkflowCard, and DsSettingsCard components, wiring the prop through and using it to disable actions and show tooltips. Adds helper getToolName in Agency for resolving tool names. Updates UI to restrict changing Prompt Studio project and settings to workflow owners.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Ownership gating propagation: frontend/src/components/agency/agency/Agency.jsx, frontend/src/components/agency/workflow-card/WorkflowCard.jsx, frontend/src/components/agency/ds-settings-card/DsSettingsCard.jsx | Adds isWorkflowOwner determination in Agency and passes it to WorkflowCard and DsSettingsCard. Disables action buttons and shows tooltips when user is not the owner. Updates prop signatures and PropTypes to include isWorkflowOwner. |
| Tool name resolution: frontend/src/components/agency/agency/Agency.jsx | Adds getToolName(toolId) to resolve names via tool_instances, then exportedTools, else fallback to toolId. Replaces direct lookup with getToolName in exported Prompt Studio project selector. |
| Component API updates: frontend/src/components/agency/workflow-card/WorkflowCard.jsx, frontend/src/components/agency/ds-settings-card/DsSettingsCard.jsx | WorkflowCard and DsSettingsCard now accept isWorkflowOwner boolean prop; DsSettingsCard uses it alongside allowChangeEndpoint to control UI disablement and tooltips. PropTypes updated accordingly. |

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor User
  participant Agency as Agency.jsx
  participant WF as WorkflowCard.jsx
  participant DS as DsSettingsCard.jsx

  Note over Agency: Compute isWorkflowOwner by comparing<br/>details.created_by with sessionDetails.id
  User->>Agency: Open workflow
  Agency->>Agency: getToolName(selectedTool)
  Agency->>WF: Render WorkflowCard(isWorkflowOwner)
  WF->>DS: Render DsSettingsCard(isWorkflowOwner)

  alt isWorkflowOwner == true
    DS-->>User: Enable "Change Connector" and "Configure Settings"
    Agency-->>User: Enable "Change Prompt Studio project"
  else
    DS-->>User: Disable actions + show tooltips
    Agency-->>User: Disable project change + settings config
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

❌ Failed checks (2 warnings)
| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description Check | ⚠️ Warning | The pull request description uses custom headings like Summary and Changes Made instead of the repository’s required template and omits mandatory sections such as What, Why, How, break impact assessment, Database Migrations, Env Config, Relevant Docs, Related Issues or PRs, Dependencies Versions, Notes on Testing, Screenshots, and the Checklist. | Please revise the description to match the repository template by including the required headings What, Why, How, Can this PR break any existing features, Database Migrations, Env Config, Relevant Docs, Related Issues or PRs, Dependencies Versions, Notes on Testing, Screenshots, and the Checklist. |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | You can run @coderabbitai generate docstrings to improve docstring coverage. |
✅ Passed checks (1 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title Check | ✅ Passed | The title clearly and concisely summarizes the primary change by stating that workflow modifications are now restricted to owners in shared workflows and includes the relevant ticket identifier without extraneous details. |

coderabbitai[bot] avatar Oct 13 '25 12:10 coderabbitai[bot]

@johnyrahul just to be on the safer side, do we have checks in place to prevent this from the backend?

@chandrasekharan-zipstack Not yet. When I checked, since it is a workflow-level edit, it should ideally be available under the workflow view set, but instead, a few of the settings are under the tool_instance view set and models. Let me give it a try at how to restrict such actions based on workflow ownership.

johnyrahul avatar Oct 15 '25 05:10 johnyrahul