Browser extension shows chatflows from wrong workspaces and ignores visibility settings

[diecoscai]

Bug Description

Three related bugs in getBrowserExtensionChatflows caused the browser extension to display incorrect chatflows and ignore the "Browser Extension" visibility checkbox entirely.

User-Facing Symptoms

• Users saw chatflows in the browser extension that did not appear on their main chatflows page (e.g. chatflows from old or unrelated workspaces like "dailylog generator")
• Toggling the "Browser Extension" checkbox in Visibility Settings had no effect on which chatflows appeared in the extension
• Extension displayed every chatflow the user could access, regardless of visibility configuration

Root Cause

Three bugs in packages/server/src/services/browser-extension/index.ts (getBrowserExtensionChatflows):

1. Workspace / Organization Leak

The query filtered only by userId, not workspaceId or organizationId. A user who ever belonged to multiple workspaces would see chatflows from all of them in the extension, not just their current workspace.

// Before: only userId filter — leaks across workspaces
.where('chatflow.userId = :userId', { userId })

2. Missing Visibility Filter

The endpoint's own Swagger documentation states it should return only chatflows that include "Browser Extension" in their visibility array. The query contained no such filter, so all chatflows were returned regardless of the visibility checkbox state.

// Before: no visibility filter — checkbox had no effect
// Expected: .andWhere("chatflow.visibility LIKE :ext", { ext: '%Browser Extension%' })

3. Missing Enum Value

ChatflowVisibility enum in packages/server/src/database/entities/ChatFlow.ts was missing the BROWSER_EXTENSION variant, forcing as any type casts throughout updateBrowserExtensionVisibility and making the enum incomplete.

// Before: enum had no BROWSER_EXTENSION member
export enum ChatflowVisibility {
  PRIVATE = 'Private',
  ORGANIZATION = 'Organization',
  // BROWSER_EXTENSION missing
}

Fix

All three issues were resolved in PR #1053:

• Added BROWSER_EXTENSION = 'Browser Extension' to the ChatflowVisibility enum
• Added .andWhere('chatflow.workspaceId = :workspaceId', { workspaceId }) to scope results to the active workspace
• Added .andWhere('chatflow.visibility LIKE :ext', { ext: '%Browser Extension%' }) to enforce the visibility filter
• Replaced all as any casts with ChatflowVisibility.BROWSER_EXTENSION

Affected Files

• packages/server/src/services/browser-extension/index.ts — query missing workspace + visibility filters
• packages/server/src/database/entities/ChatFlow.ts — ChatflowVisibility enum missing BROWSER_EXTENSION

Steps to Reproduce (Before Fix)

1. Have a user account that has been a member of more than one workspace
2. Open the browser extension — chatflows from all past workspaces appear
3. Go to a chatflow's Visibility Settings, uncheck "Browser Extension", save
4. Re-open the extension — the chatflow still appears (visibility filter ignored)

Expected Behavior

• Extension only shows chatflows belonging to the user's current workspace
• Only chatflows with "Browser Extension" checked in Visibility Settings appear in the extension

Related

Closes via PR #1053 (fix already merged to staging)
See also #326 (separate but related browser extension visibility issue — org-wide vs user-specific settings)

[linear]

AGENT-765

[diecoscai]

Implementation Plan: Scope by workspace + show shared chatflows

PR #1053 fixes the three bugs described in this issue. After deep review (13 parallel analysis agents), we identified additional improvements to align the browser extension service with the workspace pattern used across the codebase.

Current state (PR #1053)

The query filters by userId + workspaceId + organizationId + visibility. This correctly scopes to the user's own chatflows, but:

• organizationId is redundant — every other service (chatflows, tools, assistants, credentials) scopes by workspaceId only
• Org-shared chatflows (['Organization', 'Browser Extension']) are excluded — the Sidekick extension has "My Sidekicks" vs "Shared Chatbots" UI buckets via isOwner, but the "Shared" bucket is always empty

Planned changes: 3 diffs, 1 file, -6 lines net

File: packages/server/src/services/browser-extension/index.ts

Diff 1 — GET query: show owned + org-shared chatflows (lines 36-41)

         const queryBuilder = chatFlowRepository
             .createQueryBuilder('chatflow')
-            .where('chatflow.userId = :userId', { userId: user.id })
-            .andWhere('chatflow.workspaceId = :workspaceId', { workspaceId: user.activeWorkspaceId })
-            .andWhere('chatflow.organizationId = :organizationId', { organizationId: user.organizationId })
-            .andWhere('chatflow.visibility LIKE :ext', { ext: '%Browser Extension%' })
+            .where('chatflow.workspaceId = :workspaceId', { workspaceId: user.activeWorkspaceId })
+            .andWhere('chatflow.visibility LIKE :ext', { ext: '%Browser Extension%' })
+            .andWhere('(chatflow.userId = :userId OR chatflow.visibility LIKE :org)', {
+                userId: user.id,
+                org: '%Organization%'
+            })

Means: "Show chatflows in my workspace with Browser Extension visibility that I either own OR that are shared with the organization."

• ['Private', 'Browser Extension'] → visible only to owner (userId match)
• ['Organization', 'Browser Extension'] → visible to all workspace members (Organization match)
• isOwner becomes meaningful (true for own, false for shared)

Diff 2 — PUT: remove redundant organizationId guard (lines 83-88)

Remove the 6-line if (!user.organizationId) guard block. checkOwnership at line 101 already validates org membership.

Diff 3 — PUT: remove organizationId from findOneBy (line 93)

Change findOneBy({ id, workspaceId, organizationId }) to findOneBy({ id, workspaceId }). Matches updateTool and updateAssistant patterns.

Validations completed

• ✅ SQL correctness — .andWhere('(A OR B)', { params }) confirmed via existing pattern at chatflows/index.ts:928
• ✅ All 5 data scenarios tested — no leaks, correct scoping
• ✅ enforceAbility does NOT block GET list requests (no params.id)
• ✅ enforceAbility DOES check PUT ownership — non-owners blocked on private chatflows (403)
• ✅ UI supports ['Organization', 'Browser Extension'] combo — both checkboxes gated behind org:manage
• ✅ No migration needed — simple-array is TEXT, not a DB enum
• ✅ Removing organizationId is safe — enforceAbility + checkOwnership + structural activeWorkspaceId scoping all still protect

Known gap (out of scope)

defaultChatflowId on User entity is global, not workspace-scoped. When activeWorkspaceId differs from Personal Workspace, isUserDefaultChatflow will be false for all returned chatflows. Pre-existing issue, not introduced or fixed here.

Deferred to follow-up

• Unit tests (20 tests planned)
• Swagger docs (missing 428 response)
• Controller param validation fix
• defaultChatflowId workspace scoping

---

🤖 Generated with Claude Code