fix(visibility): allow chatflow owners to change visibility settings#1055
Open
diecoscai wants to merge 15 commits into
Conversation
fix(chat): restore chatId/sessionId filtering lost during Flowise 3.0.11 merge
The mergeUsers function was overwriting server-enriched permission data
(roles, permissions, features) with client-side Auth0 data that lacks
these fields. This caused Admin users to fail permission checks because
hasFeature('org:manage') would return false despite having the role.
The fix explicitly preserves auth fields from the server (initialUser)
and only allows runtime updates for non-auth fields (name, email, picture).
Fixes visibility settings not working for Admin users.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
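The following is an added example, not code from this PR or from the Flowise/TheAnswer code base. It models the mergeUsers defect the commit above describes (client-side Auth0 data clobbering server-enriched roles, permissions and features) beside a merge that keeps auth fields from the server and takes only profile fields from the client. The function names, the field lists, the exact shape of the original bug and the sample records are assumptions.

```javascript
// Added example (not the project's code): a model of the mergeUsers bug beside a
// merge that preserves server-side auth fields. Names and samples are assumptions.

const AUTH_FIELDS = ['roles', 'permissions', 'features']; // server-enriched, never taken from the client
const RUNTIME_FIELDS = ['name', 'email', 'picture'];      // profile fields the client may update

// Constructed sample: the server-enriched user (initialUser) for an Admin
const initialUser = {
  id: 'u1', name: 'Ada', email: 'ada@example.test', picture: null,
  roles: ['Admin'], permissions: ['chatflows:update'], features: ['org:manage'],
};

// Constructed sample: the client-side Auth0 profile, which carries no auth fields
const auth0User = {
  id: 'u1', name: 'Ada L.', email: 'ada@example.test', picture: 'https://example.test/ada.png',
};

function hasFeature(user, feature) {
  return Array.isArray(user.features) && user.features.includes(feature);
}

// Buggy merge (assumed shape of the defect): the client object is normalised to the
// full user shape first, so its missing auth fields become empty arrays, and the
// later spread then overwrites the server's roles/permissions/features.
function mergeUsersBuggy(serverUser, clientUser) {
  const normalised = {
    ...clientUser,
    roles: clientUser.roles ?? [],
    permissions: clientUser.permissions ?? [],
    features: clientUser.features ?? [],
  };
  return { ...serverUser, ...normalised };
}

// Fixed merge: auth fields always come from the server; runtime profile fields are
// taken from the client only when the client actually supplies them.
function mergeUsersFixed(serverUser, clientUser) {
  const merged = { ...serverUser };
  for (const field of RUNTIME_FIELDS) {
    if (clientUser[field] !== undefined) merged[field] = clientUser[field];
  }
  for (const field of AUTH_FIELDS) {
    merged[field] = serverUser[field] ?? [];
  }
  return merged;
}

// Does the Admin still pass the org:manage check after a given merge?
function adminCanManageOrg(merge) {
  return hasFeature(merge(initialUser, auth0User), 'org:manage');
}

console.log('buggy merge keeps org:manage:', adminCanManageOrg(mergeUsersBuggy)); // false
console.log('fixed merge keeps org:manage:', adminCanManageOrg(mergeUsersFixed)); // true
```

The point to check in review is the direction of trust: the object that decides authorization must come from the server-side enrichment, and anything sourced from the browser is allowed to update only presentation fields. A merge that spreads the client object last, or normalises it into the full user shape, silently inverts that order.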
…s token lacks claim
The access token sent to Flowise does not carry the https://theanswer.ai/roles custom claim (only the ID token does). verifyAAIToken extracts roles from the access token and gets roles=[], causing enrichUserWithAAIData to return empty roles/permissions/features, which then overwrites the correct roles from the Auth0 session in the merge. Save https://theanswer.ai/roles from the session before the Flowise merge and restore it afterward if Flowise returned an empty roles array.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ider
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
useAuth0() from @auth0/auth0-react has no Auth0Provider in the Flowise UI component tree — only UserProvider from @auth0/nextjs-auth0/client is present. This caused useAuth0() to return undefined, making createPermissionManager receive an empty object, which disabled all visibility checkboxes for every user. Fix: read from Redux state.auth.user, which is populated by useAuth0Setup after /auth/me enrichment and contains the correct roles and permissions.
…d Browser Extension visibility
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…er, guard, error re-throw
- Add organizationId filter to getBrowserExtensionChatflows query for multi-tenancy compliance
- Add activeWorkspaceId guard that throws PRECONDITION_FAILED before the query runs
- Re-throw InternalFlowiseError in both catch blocks so NOT_FOUND/FORBIDDEN preserve their status codes
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…kspace and org
Add activeWorkspaceId and organizationId guards before query, then scope
findOneBy to { id, workspaceId, organizationId } — matching the pattern
in getBrowserExtensionChatflows and all other services (tools, assistants,
credentials, variables). Prevents cross-workspace visibility toggling.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace triple-key filter (userId + workspaceId + organizationId) with workspace-scoped dual-path query: show user's own chatflows AND chatflows shared with the organization via (userId OR Organization visibility). Remove redundant organizationId guard and filter from update path — checkOwnership and enforceAbility already handle org-level auth.
Closes #1054
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add ownership check to VisibilitySettings — chatflow owners can now toggle Organization and Browser Extension visibility on their own chatflows, not just org admins. Non-owners without admin role remain blocked.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
b3cc76c to b1e0ba2
Summary

org:manage) could change these settings — owners of chatflows were locked out

Changes

packages/ui/src/ui-component/extended/VisibilitySettings.jsx:
- user selector and isOwner ownership check (user.id === chatflow.userId)
- !canManageOrg to !canManageOrg && !isOwner for Organization and Browser Extension checkboxes

Permission matrix

Test plan

- chatflow.userId is present in Redux after loading a chatflow

🤖 Generated with Claude Code
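Added example, not code from this PR or from the project: the authorization rules the PR describes, modelled as pure functions over constructed records. It covers the owner-or-org-manager rule behind the `!canManageOrg && !isOwner` checkbox condition, the resulting permission matrix, and the workspace-scoped dual-path listing from the earlier commit (own chatflows OR chatflows shared with the organization, with a missing active workspace treated as a precondition failure). The visibility field shape (an array of strings), hasFeature, the role labels and the sample users and chatflows are assumptions.

```javascript
// Added example (not the project's code): visibility-toggle authorization and the
// workspace-scoped listing filter described in the PR. Shapes and samples are assumptions.

function hasFeature(user, feature) {
  return Array.isArray(user.features) && user.features.includes(feature);
}

// Who may toggle Organization / Browser Extension visibility on a chatflow:
// org managers (org:manage feature) or the chatflow's own owner.
function canToggleVisibility(user, chatflow) {
  const canManageOrg = hasFeature(user, 'org:manage');
  const isOwner = Boolean(user.id) && user.id === chatflow.userId;
  return canManageOrg || isOwner;
}

// Disabled state of the two checkboxes, equivalent to !canManageOrg && !isOwner
function visibilityCheckboxDisabled(user, chatflow) {
  return !canToggleVisibility(user, chatflow);
}

// Workspace-scoped dual-path listing: within the active workspace, the user's own
// chatflows plus those shared with the organization. A missing workspace id fails
// fast instead of silently widening the query.
function listVisibleChatflows(user, activeWorkspaceId, chatflows) {
  if (!activeWorkspaceId) {
    throw new Error('PRECONDITION_FAILED: activeWorkspaceId is required');
  }
  return chatflows.filter(
    (c) =>
      c.workspaceId === activeWorkspaceId &&
      (c.userId === user.id || (c.visibility ?? []).includes('Organization'))
  );
}

// The toggle permission matrix as rows of { role, owner, canToggle }
function permissionMatrix() {
  const admin = { id: 'u-admin', features: ['org:manage'] };
  const member = { id: 'u-member', features: [] };
  const ownedBy = (userId) => ({ id: 'cf', userId, workspaceId: 'ws1', visibility: [] });
  return [
    { role: 'Admin', owner: true, canToggle: canToggleVisibility(admin, ownedBy(admin.id)) },
    { role: 'Admin', owner: false, canToggle: canToggleVisibility(admin, ownedBy('u-other')) },
    { role: 'Non-admin', owner: true, canToggle: canToggleVisibility(member, ownedBy(member.id)) },
    { role: 'Non-admin', owner: false, canToggle: canToggleVisibility(member, ownedBy('u-other')) },
  ];
}

// Constructed sample data for the listing filter
const sampleUsers = {
  admin: { id: 'u-admin', features: ['org:manage'] },
  member: { id: 'u-member', features: [] },
};
const sampleChatflows = [
  { id: 'cf1', userId: 'u-member', workspaceId: 'ws1', visibility: ['Private'] },
  { id: 'cf2', userId: 'u-admin', workspaceId: 'ws1', visibility: ['Organization'] },
  { id: 'cf3', userId: 'u-other', workspaceId: 'ws1', visibility: ['Organization', 'Browser Extension'] },
  { id: 'cf4', userId: 'u-member', workspaceId: 'ws2', visibility: ['Organization'] },
];

console.table(permissionMatrix());
console.log('member sees:', listVisibleChatflows(sampleUsers.member, 'ws1', sampleChatflows).map((c) => c.id)); // cf1, cf2, cf3
console.log('admin sees:', listVisibleChatflows(sampleUsers.admin, 'ws1', sampleChatflows).map((c) => c.id));   // cf2, cf3
```

Two properties are worth asserting in a test plan for this change: an owner without org:manage can toggle their own chatflow but nobody else's, and the listing never returns a chatflow from another workspace even when it is shared with the organization, since the workspace scope is applied before the dual-path OR.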