fix: permissions check for duplicating workflow

[emir-karabeg]

Description

Fixed the 404 error for duplicating a workflow where the user is not the owner. Now users with admin or write permissions can duplicate.

Type of change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Security enhancement
• Performance improvement
• Code refactoring (no functional changes)

How Has This Been Tested?

Test in staging.

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have added tests that prove my fix is effective or that my feature works
• All tests pass locally and in CI (bun run test)
• My changes generate no new warnings
• Any dependent changes have been merged and published in downstream modules
• I have updated version numbers as needed (if needed)
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Security Considerations:

• My changes do not introduce any new security vulnerabilities
• I have considered the security implications of my changes

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
sim	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 16, 2025 8:51pm

1 Skipped Deployment

Name	Status	Preview	Comments	Updated (UTC)
docs	⬜️ Skipped (Inspect)			Jul 16, 2025 8:51pm

[greptile-apps]

Greptile Summary

This PR fixes a permission-related issue in the workflow duplication functionality. Previously, only workflow owners could duplicate workflows, which was too restrictive. The changes now allow users with admin or write permissions in a workspace to duplicate workflows within that workspace, even if they don't own them directly.

The key changes include:

1. Removing the user ID restriction from the initial workflow query
2. Adding a proper permission check that validates either workflow ownership or workspace permissions
3. Improving error handling to properly distinguish between 404 (not found) and 403 (access denied) cases

The changes align with the workspace-based permission model and improve the collaborative workflow experience.

PR Description Notes:

• The PR description has marked all types of changes which seems excessive - this appears to be primarily a bug fix with some security enhancement
• The testing section could be more detailed about specific test cases

Confidence score: 4/5

1. This PR is safe to merge with proper testing in staging
2. The code changes are well-structured with clear permission checks and error handling
3. The route.ts file needs careful testing to verify all permission scenarios work as expected

_{1 file reviewed, 1 comment
Edit PR Review Bot Settings | Greptile}

[greptile-apps]

style: Consider moving error message to a const variable at the top of the file since it's referenced in two places (here and error handling)

[delve-auditor]

✅ No security or compliance issues detected. Reviewed everything up to 3c7342a.

Security Overview

• 🔎 Scanned files: 1 changed file(s)

Detected Code Changes

Change Type	Relevant files
Bug Fix	► apps/sim/app/api/workflows/[id]/duplicate/route.ts     Add proper permissions check for workflow duplication ► apps/sim/app/chat/[subdomain]/chat-client.tsx     Remove excessive logging ► apps/sim/app/chat/[subdomain]/components/voice-interface/voice-interface.tsx     Refactor voice interface for improved reliability

Reply to this PR with @delve-auditor followed by a description of what change you want and we'll auto-submit a change to this PR to implement it.