simstudioai
diff --git a/‎apps/sim/app/api/folders/[id]/route.test.ts‎
Lines changed: 135 additions & 0 deletions b/‎apps/sim/app/api/folders/[id]/route.test.ts‎
Lines changed: 135 additions & 0 deletions
diff --git a/‎apps/sim/app/api/folders/[id]/route.ts‎
Lines changed: 42 additions & 15 deletions b/‎apps/sim/app/api/folders/[id]/route.ts‎
Lines changed: 42 additions & 15 deletions
@@ -40,6 +40,7 @@ describe('Individual Folder API Route', () => {
   }
 
   const { mockAuthenticatedUser, mockUnauthenticated } = mockAuth(TEST_USER)
+  const mockGetUserEntityPermissions = vi.fn()
 
   function createFolderDbMock(options: FolderDbMockOptions = {}) {
     const {
@@ -109,6 +110,12 @@ describe('Individual Folder API Route', () => {
     vi.resetModules()
     vi.clearAllMocks()
     setupCommonApiMocks()
+
+    mockGetUserEntityPermissions.mockResolvedValue('admin')
+
+    vi.doMock('@/lib/permissions/utils', () => ({
+      getUserEntityPermissions: mockGetUserEntityPermissions,
+    }))
   })
 
   afterEach(() => {
@@ -181,6 +188,72 @@ describe('Individual Folder API Route', () => {
       expect(data).toHaveProperty('error', 'Unauthorized')
     })
 
+    it('should return 403 when user has only read permissions', async () => {
+      mockAuthenticatedUser()
+      mockGetUserEntityPermissions.mockResolvedValue('read') // Read-only permissions
+
+      const dbMock = createFolderDbMock()
+      vi.doMock('@/db', () => dbMock)
+
+      const req = createMockRequest('PUT', {
+        name: 'Updated Folder',
+      })
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const { PUT } = await import('./route')
+
+      const response = await PUT(req, { params })
+
+      expect(response.status).toBe(403)
+
+      const data = await response.json()
+      expect(data).toHaveProperty('error', 'Write access required to update folders')
+    })
+
+    it('should allow folder update for write permissions', async () => {
+      mockAuthenticatedUser()
+      mockGetUserEntityPermissions.mockResolvedValue('write') // Write permissions
+
+      const dbMock = createFolderDbMock()
+      vi.doMock('@/db', () => dbMock)
+
+      const req = createMockRequest('PUT', {
+        name: 'Updated Folder',
+      })
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const { PUT } = await import('./route')
+
+      const response = await PUT(req, { params })
+
+      expect(response.status).toBe(200)
+
+      const data = await response.json()
+      expect(data).toHaveProperty('folder')
+    })
+
+    it('should allow folder update for admin permissions', async () => {
+      mockAuthenticatedUser()
+      mockGetUserEntityPermissions.mockResolvedValue('admin') // Admin permissions
+
+      const dbMock = createFolderDbMock()
+      vi.doMock('@/db', () => dbMock)
+
+      const req = createMockRequest('PUT', {
+        name: 'Updated Folder',
+      })
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const { PUT } = await import('./route')
+
+      const response = await PUT(req, { params })
+
+      expect(response.status).toBe(200)
+
+      const data = await response.json()
+      expect(data).toHaveProperty('folder')
+    })
+
     it('should return 400 when trying to set folder as its own parent', async () => {
       mockAuthenticatedUser()
 
@@ -387,6 +460,68 @@ describe('Individual Folder API Route', () => {
       expect(data).toHaveProperty('error', 'Unauthorized')
     })
 
+    it('should return 403 when user has only read permissions for delete', async () => {
+      mockAuthenticatedUser()
+      mockGetUserEntityPermissions.mockResolvedValue('read') // Read-only permissions
+
+      const dbMock = createFolderDbMock()
+      vi.doMock('@/db', () => dbMock)
+
+      const req = createMockRequest('DELETE')
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const { DELETE } = await import('./route')
+
+      const response = await DELETE(req, { params })
+
+      expect(response.status).toBe(403)
+
+      const data = await response.json()
+      expect(data).toHaveProperty('error', 'Admin access required to delete folders')
+    })
+
+    it('should return 403 when user has only write permissions for delete', async () => {
+      mockAuthenticatedUser()
+      mockGetUserEntityPermissions.mockResolvedValue('write') // Write permissions (not enough for delete)
+
+      const dbMock = createFolderDbMock()
+      vi.doMock('@/db', () => dbMock)
+
+      const req = createMockRequest('DELETE')
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const { DELETE } = await import('./route')
+
+      const response = await DELETE(req, { params })
+
+      expect(response.status).toBe(403)
+
+      const data = await response.json()
+      expect(data).toHaveProperty('error', 'Admin access required to delete folders')
+    })
+
+    it('should allow folder deletion for admin permissions', async () => {
+      mockAuthenticatedUser()
+      mockGetUserEntityPermissions.mockResolvedValue('admin') // Admin permissions
+
+      const dbMock = createFolderDbMock({
+        folderLookupResult: mockFolder,
+      })
+      vi.doMock('@/db', () => dbMock)
+
+      const req = createMockRequest('DELETE')
+      const params = Promise.resolve({ id: 'folder-1' })
+
+      const { DELETE } = await import('./route')
+
+      const response = await DELETE(req, { params })
+
+      expect(response.status).toBe(200)
+
+      const data = await response.json()
+      expect(data).toHaveProperty('success', true)
+    })
+
     it('should handle database errors during deletion', async () => {
       mockAuthenticatedUser()
 
 
@@ -2,6 +2,7 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { createLogger } from '@/lib/logs/console-logger'
+import { getUserEntityPermissions } from '@/lib/permissions/utils'
 import { db } from '@/db'
 import { workflow, workflowFolder } from '@/db/schema'
 
@@ -19,17 +20,31 @@ export async function PUT(request: NextRequest, { params }: { params: Promise<{
     const body = await request.json()
     const { name, color, isExpanded, parentId } = body
 
-    // Verify the folder exists and belongs to the user
+    // Verify the folder exists
     const existingFolder = await db
       .select()
       .from(workflowFolder)
-      .where(and(eq(workflowFolder.id, id), eq(workflowFolder.userId, session.user.id)))
+      .where(eq(workflowFolder.id, id))
       .then((rows) => rows[0])
 
     if (!existingFolder) {
       return NextResponse.json({ error: 'Folder not found' }, { status: 404 })
     }
 
+    // Check if user has write permissions for the workspace
+    const workspacePermission = await getUserEntityPermissions(
+      session.user.id,
+      'workspace',
+      existingFolder.workspaceId
+    )
+
+    if (!workspacePermission || workspacePermission === 'read') {
+      return NextResponse.json(
+        { error: 'Write access required to update folders' },
+        { status: 403 }
+      )
+    }
+
     // Prevent setting a folder as its own parent or creating circular references
     if (parentId && parentId === id) {
       return NextResponse.json({ error: 'Folder cannot be its own parent' }, { status: 400 })
@@ -81,19 +96,33 @@ export async function DELETE(
 
     const { id } = await params
 
-    // Verify the folder exists and belongs to the user
+    // Verify the folder exists
     const existingFolder = await db
       .select()
       .from(workflowFolder)
-      .where(and(eq(workflowFolder.id, id), eq(workflowFolder.userId, session.user.id)))
+      .where(eq(workflowFolder.id, id))
       .then((rows) => rows[0])
 
     if (!existingFolder) {
       return NextResponse.json({ error: 'Folder not found' }, { status: 404 })
     }
 
+    // Check if user has admin permissions for the workspace (admin-only for deletions)
+    const workspacePermission = await getUserEntityPermissions(
+      session.user.id,
+      'workspace',
+      existingFolder.workspaceId
+    )
+
+    if (workspacePermission !== 'admin') {
+      return NextResponse.json(
+        { error: 'Admin access required to delete folders' },
+        { status: 403 }
+      )
+    }
+
     // Recursively delete folder and all its contents
-    const deletionStats = await deleteFolderRecursively(id, session.user.id)
+    const deletionStats = await deleteFolderRecursively(id, existingFolder.workspaceId)
 
     logger.info('Deleted folder and all contents:', {
       id,
@@ -113,41 +142,39 @@ export async function DELETE(
 // Helper function to recursively delete a folder and all its contents
 async function deleteFolderRecursively(
   folderId: string,
-  userId: string
+  workspaceId: string
 ): Promise<{ folders: number; workflows: number }> {
   const stats = { folders: 0, workflows: 0 }
 
-  // Get all child folders first
+  // Get all child folders first (workspace-scoped, not user-scoped)
   const childFolders = await db
     .select({ id: workflowFolder.id })
     .from(workflowFolder)
-    .where(and(eq(workflowFolder.parentId, folderId), eq(workflowFolder.userId, userId)))
+    .where(and(eq(workflowFolder.parentId, folderId), eq(workflowFolder.workspaceId, workspaceId)))
 
   // Recursively delete child folders
   for (const childFolder of childFolders) {
-    const childStats = await deleteFolderRecursively(childFolder.id, userId)
+    const childStats = await deleteFolderRecursively(childFolder.id, workspaceId)
     stats.folders += childStats.folders
     stats.workflows += childStats.workflows
   }
 
-  // Delete all workflows in this folder
+  // Delete all workflows in this folder (workspace-scoped, not user-scoped)
   const workflowsInFolder = await db
     .select({ id: workflow.id })
     .from(workflow)
-    .where(and(eq(workflow.folderId, folderId), eq(workflow.userId, userId)))
+    .where(and(eq(workflow.folderId, folderId), eq(workflow.workspaceId, workspaceId)))
 
   if (workflowsInFolder.length > 0) {
     await db
       .delete(workflow)
-      .where(and(eq(workflow.folderId, folderId), eq(workflow.userId, userId)))
+      .where(and(eq(workflow.folderId, folderId), eq(workflow.workspaceId, workspaceId)))
 
     stats.workflows += workflowsInFolder.length
   }
 
   // Delete this folder
-  await db
-    .delete(workflowFolder)
-    .where(and(eq(workflowFolder.id, folderId), eq(workflowFolder.userId, userId)))
+  await db.delete(workflowFolder).where(eq(workflowFolder.id, folderId))
 
   stats.folders += 1