fix(misc): keep block-tool params selected across store replace, perms parity for delete (#4840)

* fix(tool-input): keep block-tool params selected across store replace

* fix tests and extract kb ownership helper

Author: icecrasher321

apps/sim/app/api/files/authorization.ts

@@ -28,6 +28,21 @@ interface AuthorizationResult {
   workspaceId?: string
 }
 
+type WorkspacePermission = 'read' | 'write' | 'admin'
+
+/**
+ * Whether a resolved workspace permission satisfies a file operation. Read and
+ * download paths accept any membership; destructive operations (`requireWrite`)
+ * require write or admin, matching the permission needed to create the file.
+ */
+function workspacePermissionSatisfies(
+  permission: WorkspacePermission | null,
+  requireWrite: boolean
+): boolean {
+  if (permission === null) return false
+  return requireWrite ? permission === 'write' || permission === 'admin' : true
+}
+
 /**
  * Lookup workspace file by storage key from database
  * @param key Storage key to lookup
@@ -117,11 +132,13 @@ export async function verifyFileAccess(
   userId: string,
   customConfig?: StorageConfig,
   context?: StorageContext | 'general',
-  isLocal?: boolean
+  isLocal?: boolean,
+  options?: { requireWrite?: boolean }
 ): Promise<boolean> {
+  const requireWrite = options?.requireWrite ?? false
   try {
     if (context === 'general') {
-      return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal)
+      return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite)
     }
 
     // Infer context from key if not explicitly provided
@@ -139,12 +156,12 @@ export async function verifyFileAccess(
 
     // 1. Workspace / mothership files: Check database first (most reliable for both local and cloud)
     if (inferredContext === 'workspace' || inferredContext === 'mothership') {
-      return await verifyWorkspaceFileAccess(cloudKey, userId, customConfig, isLocal)
+      return await verifyWorkspaceFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite)
     }
 
     // 2. Execution files: workspace_id/workflow_id/execution_id/filename
     if (inferredContext === 'execution') {
-      return await verifyExecutionFileAccess(cloudKey, userId, customConfig)
+      return await verifyExecutionFileAccess(cloudKey, userId, customConfig, requireWrite)
     }
 
     // 3. Copilot files: Check database first, then metadata, then path pattern (legacy)
@@ -159,12 +176,12 @@ export async function verifyFileAccess(
 
     // 5. Chat files: chat/filename
     if (inferredContext === 'chat') {
-      return await verifyChatFileAccess(cloudKey, userId, customConfig)
+      return await verifyChatFileAccess(cloudKey, userId, customConfig, requireWrite)
     }
 
     // 6. Regular uploads: UUID-filename or timestamp-filename
     // Check metadata for userId/workspaceId, or database for workspace files
-    return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal)
+    return await verifyRegularFileAccess(cloudKey, userId, customConfig, isLocal, requireWrite)
   } catch (error) {
     logger.error('Error verifying file access:', { cloudKey, userId, error })
     // Deny access on error to be safe
@@ -180,7 +197,8 @@ async function verifyWorkspaceFileAccess(
   cloudKey: string,
   userId: string,
   customConfig?: StorageConfig,
-  isLocal?: boolean
+  isLocal?: boolean,
+  requireWrite = false
 ): Promise<boolean> {
   try {
     const anyWorkspaceFileRecord = await getFileMetadataByKey(cloudKey, 'workspace', {
@@ -202,7 +220,7 @@ async function verifyWorkspaceFileAccess(
         'workspace',
         workspaceFileRecord.workspaceId
       )
-      if (permission !== null) {
+      if (workspacePermissionSatisfies(permission, requireWrite)) {
         logger.debug('Workspace file access granted (database lookup)', {
           userId,
           workspaceId: workspaceFileRecord.workspaceId,
@@ -225,7 +243,7 @@ async function verifyWorkspaceFileAccess(
 
     if (workspaceId) {
       const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
-      if (permission !== null) {
+      if (workspacePermissionSatisfies(permission, requireWrite)) {
         logger.debug('Workspace file access granted (metadata)', {
           userId,
           workspaceId,
@@ -257,7 +275,8 @@ async function verifyWorkspaceFileAccess(
 async function verifyExecutionFileAccess(
   cloudKey: string,
   userId: string,
-  customConfig?: StorageConfig
+  customConfig?: StorageConfig,
+  requireWrite = false
 ): Promise<boolean> {
   const parts = cloudKey.split('/')
 
@@ -285,7 +304,7 @@ async function verifyExecutionFileAccess(
   }
 
   const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
-  if (permission === null) {
+  if (!workspacePermissionSatisfies(permission, requireWrite)) {
     logger.warn('User does not have workspace access for execution file', {
       userId,
       workspaceId,
@@ -502,7 +521,8 @@ export async function verifyKBFileWriteAccess(cloudKey: string, userId: string):
 async function verifyChatFileAccess(
   cloudKey: string,
   userId: string,
-  customConfig?: StorageConfig
+  customConfig?: StorageConfig,
+  requireWrite = false
 ): Promise<boolean> {
   try {
     const config: StorageConfig = customConfig || (await getChatStorageConfig())
@@ -516,7 +536,7 @@ async function verifyChatFileAccess(
     }
 
     const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
-    if (permission === null) {
+    if (!workspacePermissionSatisfies(permission, requireWrite)) {
       logger.warn('User does not have workspace access for chat file', {
         userId,
         workspaceId,
@@ -542,7 +562,8 @@ async function verifyRegularFileAccess(
   cloudKey: string,
   userId: string,
   customConfig?: StorageConfig,
-  isLocal?: boolean
+  isLocal?: boolean,
+  requireWrite = false
 ): Promise<boolean> {
   try {
     // Priority 1: Check if this might be a workspace file (check database)
@@ -554,7 +575,7 @@ async function verifyRegularFileAccess(
         'workspace',
         workspaceFileRecord.workspaceId
       )
-      if (permission !== null) {
+      if (workspacePermissionSatisfies(permission, requireWrite)) {
         logger.debug('Regular file access granted (workspace file from database)', {
           userId,
           workspaceId: workspaceFileRecord.workspaceId,
@@ -589,7 +610,7 @@ async function verifyRegularFileAccess(
     // If file has workspaceId, verify workspace membership
     if (workspaceId) {
       const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
-      if (permission !== null) {
+      if (workspacePermissionSatisfies(permission, requireWrite)) {
         logger.debug('Regular file access granted (workspace membership)', {
           userId,
           workspaceId,

apps/sim/app/api/files/delete/route.ts

@@ -64,8 +64,10 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
       const storageContext: StorageContext = context || inferContextFromKey(key)
 
-      // KB deletes are binding-only and require write/admin on the owning workspace;
-      // they never use the transitional read fallback that file serving allows.
+      // Deletes require write/admin on the owning workspace (owner-scoped files
+      // like copilot/regular uploads still authorize by ownership). KB deletes
+      // are binding-only and never use the transitional read fallback that file
+      // serving allows.
       const hasAccess =
         storageContext === 'knowledge-base'
           ? await verifyKBFileWriteAccess(key, userId)
@@ -74,7 +76,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
               userId,
               undefined, // customConfig
               storageContext, // context
-              !hasCloudStorage() // isLocal
+              !hasCloudStorage(), // isLocal
+              { requireWrite: true }
             )
 
       if (!hasAccess) {

apps/sim/app/api/files/multipart/route.ts

@@ -24,7 +24,7 @@ import {
   type UploadTokenPayload,
   verifyUploadToken,
 } from '@/lib/uploads/core/upload-token'
-import { insertFileMetadata } from '@/lib/uploads/server/metadata'
+import { recordKnowledgeBaseFileOwnership } from '@/lib/uploads/server/metadata'
 import { QUOTA_EXEMPT_STORAGE_CONTEXTS, type StorageConfig } from '@/lib/uploads/shared/types'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 
@@ -96,11 +96,10 @@ const recordKnowledgeBaseOwnership = async (
   if (payload.context !== 'knowledge-base' || !payload.workspaceId) {
     return
   }
-  await insertFileMetadata({
+  await recordKnowledgeBaseFileOwnership({
     key,
     userId: payload.userId,
     workspaceId: payload.workspaceId,
-    context: 'knowledge-base',
     originalName: payload.fileName ?? key.split('/').pop() ?? key,
     contentType: payload.contentType ?? 'application/octet-stream',
     size: typeof payload.fileSize === 'number' ? payload.fileSize : 0,

apps/sim/app/api/files/presigned/batch/route.ts

@@ -13,7 +13,7 @@ import {
   generateBatchPresignedUploadUrls,
   hasCloudStorage,
 } from '@/lib/uploads/core/storage-service'
-import { insertFileMetadataMany } from '@/lib/uploads/server/metadata'
+import { recordKnowledgeBaseFileOwnershipMany } from '@/lib/uploads/server/metadata'
 import { validateFileType } from '@/lib/uploads/utils/validation'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
 import { createErrorResponse } from '@/app/api/files/utils'
@@ -151,12 +151,11 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
 
     if (uploadType === 'knowledge-base' && knowledgeBaseWorkspaceId) {
       const ownerWorkspaceId = knowledgeBaseWorkspaceId
-      await insertFileMetadataMany(
+      await recordKnowledgeBaseFileOwnershipMany(
         presignedUrls.map((urlResponse, index) => ({
           key: urlResponse.key,
           userId: sessionUserId,
           workspaceId: ownerWorkspaceId,
-          context: 'knowledge-base',
           originalName: files[index].fileName,
           contentType: files[index].contentType,
           size: files[index].fileSize,

apps/sim/app/api/files/presigned/route.test.ts

@@ -93,6 +93,8 @@ vi.mock('@/lib/uploads/contexts/execution/utils', () => ({
 
 vi.mock('@/lib/uploads/server/metadata', () => ({
   insertFileMetadata: mockInsertFileMetadata,
+  recordKnowledgeBaseFileOwnership: (ownership: Record<string, unknown>) =>
+    mockInsertFileMetadata({ ...ownership, context: 'knowledge-base' }),
 }))
 
 vi.mock('@/lib/uploads/utils/file-utils', () => ({

apps/sim/app/api/files/presigned/route.ts

@@ -11,7 +11,7 @@ import { USE_BLOB_STORAGE } from '@/lib/uploads/config'
 import { generateExecutionFileKey } from '@/lib/uploads/contexts/execution/utils'
 import { generateWorkspaceFileKey } from '@/lib/uploads/contexts/workspace/workspace-file-manager'
 import { generatePresignedUploadUrl, hasCloudStorage } from '@/lib/uploads/core/storage-service'
-import { insertFileMetadata } from '@/lib/uploads/server/metadata'
+import { insertFileMetadata, recordKnowledgeBaseFileOwnership } from '@/lib/uploads/server/metadata'
 import { isImageFileType } from '@/lib/uploads/utils/file-utils'
 import { validateAttachmentFileType, validateFileType } from '@/lib/uploads/utils/validation'
 import { getUserEntityPermissions } from '@/lib/workspaces/permissions/utils'
@@ -278,11 +278,10 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         metadata: { workspaceId },
       })
 
-      await insertFileMetadata({
+      await recordKnowledgeBaseFileOwnership({
         key: presignedUrlResponse.key,
         userId: sessionUserId,
         workspaceId,
-        context: 'knowledge-base',
         originalName: fileName,
         contentType,
         size: fileSize,

apps/sim/app/api/folders/[id]/route.test.ts

@@ -465,22 +465,27 @@ describe('Individual Folder API Route', () => {
       expect(response.status).toBe(403)
 
       const data = await response.json()
-      expect(data).toHaveProperty('error', 'Admin access required to delete folders')
+      expect(data).toHaveProperty('error', 'Write or Admin access required to delete folders')
     })
 
-    it('should return 403 when user has only write permissions for delete', async () => {
+    it('should allow folder deletion for write permissions', async () => {
       mockAuthenticatedUser()
       mockGetUserEntityPermissions.mockResolvedValue('write')
 
+      mockDbRef.current = createFolderDbMock({
+        folderLookupResult: mockFolder,
+      })
+
       const req = createMockRequest('DELETE')
       const params = Promise.resolve({ id: 'folder-1' })
 
       const response = await DELETE(req, { params })
 
-      expect(response.status).toBe(403)
+      expect(response.status).toBe(200)
 
       const data = await response.json()
-      expect(data).toHaveProperty('error', 'Admin access required to delete folders')
+      expect(data).toHaveProperty('success', true)
+      expect(mockPerformDeleteFolder).toHaveBeenCalled()
     })
 
     it('should allow folder deletion for admin permissions', async () => {

apps/sim/app/api/folders/[id]/route.ts

@@ -140,9 +140,9 @@ export const DELETE = withRouteHandler(
         existingFolder.workspaceId
       )
 
-      if (workspacePermission !== 'admin') {
+      if (!workspacePermission || workspacePermission === 'read') {
         return NextResponse.json(
-          { error: 'Admin access required to delete folders' },
+          { error: 'Write or Admin access required to delete folders' },
           { status: 403 }
         )
       }

apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/[chunkId]/route.ts

@@ -6,7 +6,7 @@ import { parseRequest } from '@/lib/api/server'
 import { getSession } from '@/lib/auth'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { deleteChunk, updateChunk } from '@/lib/knowledge/chunks/service'
-import { checkChunkAccess } from '@/app/api/knowledge/utils'
+import { checkChunkAccess, checkChunkWriteAccess } from '@/app/api/knowledge/utils'
 
 const logger = createLogger('ChunkByIdAPI')
 
@@ -75,7 +75,7 @@ export const PUT = withRouteHandler(
         return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
       }
 
-      const accessCheck = await checkChunkAccess(
+      const accessCheck = await checkChunkWriteAccess(
         knowledgeBaseId,
         documentId,
         chunkId,
@@ -147,7 +147,7 @@ export const DELETE = withRouteHandler(
         return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
       }
 
-      const accessCheck = await checkChunkAccess(
+      const accessCheck = await checkChunkWriteAccess(
         knowledgeBaseId,
         documentId,
         chunkId,