feat(access-control): org admins can restrict allowed file-share auth types

Author: TheodoreSpeaks

apps/sim/app/api/workspaces/[id]/files/[fileId]/share/route.ts

@@ -100,11 +100,12 @@ export const PUT = withRouteHandler(
         return NextResponse.json({ error: 'File not found' }, { status: 404 })
       }
 
-      // Enabling a public link is gated by the org's access-control policy; disabling
-      // is always allowed so users can still un-share after the policy is turned on.
+      // Enabling a share is gated by the org's access-control policy (both the
+      // master on/off and the per-auth-type allow-list); disabling is always
+      // allowed so users can still un-share after the policy is turned on.
       if (isActive) {
         try {
-          await validatePublicFileSharing(session.user.id, workspaceId)
+          await validatePublicFileSharing(session.user.id, workspaceId, authType ?? 'public')
         } catch (error) {
           if (error instanceof PublicFileSharingNotAllowedError) {
             logger.warn(`[${requestId}] Public file sharing disabled for workspace ${workspaceId}`)

apps/sim/app/workspace/[workspaceId]/files/components/share-modal/share-modal.tsx

@@ -85,18 +85,30 @@ export function ShareModal({
   const effectiveActive = effectiveMode !== 'private'
   const effectiveEmails = draftEmails ?? saved?.allowedEmails ?? []
 
+  // Org access-control may restrict which auth modes are allowed (`null` = all).
+  // The route is the source of truth; this just hides disallowed options.
+  const allowedAuthTypes = permissionConfig.allowedFileShareAuthTypes
+  const isAuthTypeAllowed = (mode: ShareAuthType) =>
+    allowedAuthTypes === null || allowedAuthTypes.includes(mode)
+
   const ssoEnabled = isTruthy(getEnv('NEXT_PUBLIC_SSO_ENABLED')) || savedAccessMode === 'sso'
-  const accessModes: AccessMode[] = [
-    'private',
+  const candidateAuthTypes: ShareAuthType[] = [
     'public',
     'password',
     'email',
     ...(ssoEnabled ? (['sso'] as const) : []),
   ]
+  // Keep the saved mode visible even if newly disallowed, so the current state shows.
+  const accessModes: AccessMode[] = [
+    'private',
+    ...candidateAuthTypes.filter((mode) => isAuthTypeAllowed(mode) || mode === savedAccessMode),
+  ]
 
-  // Org access-control policy can disable enabling new public links (the route is the
-  // source of truth; this just reflects it). Disabling an existing share stays allowed.
-  const enableBlockedByPolicy = permissionConfig.disablePublicFileSharing && !saved?.isActive
+  // The selected mode is blocked when org policy disables public sharing entirely
+  // (enabling a new share) or when the chosen auth mode isn't allowed.
+  const modeDisallowed = effectiveMode !== 'private' && !isAuthTypeAllowed(effectiveMode)
+  const enableBlockedByPolicy =
+    (permissionConfig.disablePublicFileSharing && !saved?.isActive) || modeDisallowed
 
   // A password share needs a secret: either one already stored or a freshly typed one.
   const passwordMissing =
@@ -169,6 +181,7 @@ export function ShareModal({
   }
 
   const accessHint = (() => {
+    if (modeDisallowed) return 'This sharing method is disabled by an administrator.'
     if (enableBlockedByPolicy)
       return 'Public sharing is disabled for this workspace by an administrator.'
     if (effectiveMode === 'private') return 'Only workspace members can access this file.'

apps/sim/ee/access-control/components/access-control.tsx

@@ -35,6 +35,7 @@ import {
   toast,
 } from '@/components/emcn'
 import { ArrowLeft } from '@/components/emcn/icons'
+import type { ShareAuthType } from '@/lib/api/contracts/public-shares'
 import { getEnv, isTruthy } from '@/lib/core/config/env'
 import { cn } from '@/lib/core/utils/cn'
 import { isBlockTypeAccessControlExempt } from '@/lib/permission-groups/block-access'
@@ -69,6 +70,15 @@ import type { ProviderName } from '@/stores/providers'
 
 const logger = createLogger('AccessControl')
 
+/** Public-file-share auth modes an admin can allow/disallow. `null` config = all allowed. */
+const FILE_SHARE_AUTH_TYPE_OPTIONS: { value: ShareAuthType; label: string }[] = [
+  { value: 'public', label: 'Anyone with link' },
+  { value: 'password', label: 'Password' },
+  { value: 'email', label: 'Email' },
+  { value: 'sso', label: 'SSO' },
+]
+const ALL_FILE_SHARE_AUTH_TYPES: ShareAuthType[] = FILE_SHARE_AUTH_TYPE_OPTIONS.map((o) => o.value)
+
 interface OrganizationMemberOption {
   userId: string
   user: {
@@ -1070,6 +1080,36 @@ export function AccessControl() {
     [editingConfig, allProviderIds]
   )
 
+  const isFileShareAuthAllowed = useCallback(
+    (authType: ShareAuthType) => {
+      if (!editingConfig) return true
+      return (
+        editingConfig.allowedFileShareAuthTypes === null ||
+        editingConfig.allowedFileShareAuthTypes.includes(authType)
+      )
+    },
+    [editingConfig]
+  )
+
+  const toggleFileShareAuthType = useCallback(
+    (authType: ShareAuthType) => {
+      if (!editingConfig) return
+      const current = editingConfig.allowedFileShareAuthTypes
+      const next =
+        current === null
+          ? ALL_FILE_SHARE_AUTH_TYPES.filter((t) => t !== authType)
+          : current.includes(authType)
+            ? current.filter((t) => t !== authType)
+            : [...current, authType]
+      // A full list collapses back to `null` ("all allowed").
+      setEditingConfig({
+        ...editingConfig,
+        allowedFileShareAuthTypes: next.length === ALL_FILE_SHARE_AUTH_TYPES.length ? null : next,
+      })
+    },
+    [editingConfig]
+  )
+
   const isIntegrationAllowed = useCallback(
     (blockType: string) => {
       if (!editingConfig) return true
@@ -1603,6 +1643,30 @@ export function AccessControl() {
                     </div>
                   ))}
                 </div>
+                <div className='mt-8 flex flex-col gap-1.5'>
+                  <span className='font-medium text-[var(--text-tertiary)] text-xs uppercase tracking-wide'>
+                    File Sharing Methods
+                  </span>
+                  <p className='text-[var(--text-secondary)] text-xs'>
+                    Auth modes that public file-share links may use.
+                  </p>
+                  <div className='flex max-w-md flex-col gap-0.5 pt-1'>
+                    {FILE_SHARE_AUTH_TYPE_OPTIONS.map(({ value, label }) => (
+                      <label
+                        key={value}
+                        htmlFor={`fsauth-${value}`}
+                        className='flex cursor-pointer items-center gap-2 rounded-md px-2 py-[5px] transition-colors hover-hover:bg-[var(--surface-active)]'
+                      >
+                        <Checkbox
+                          id={`fsauth-${value}`}
+                          checked={isFileShareAuthAllowed(value)}
+                          onCheckedChange={() => toggleFileShareAuthType(value)}
+                        />
+                        <span className='font-normal text-sm'>{label}</span>
+                      </label>
+                    ))}
+                  </div>
+                </div>
               </div>
             )}
           </ChipModalBody>

apps/sim/ee/access-control/utils/permission-check.test.ts

@@ -33,6 +33,7 @@ const {
     disableInvitations: false,
     disablePublicApi: false,
     disablePublicFileSharing: false,
+    allowedFileShareAuthTypes: null,
     hideDeployApi: false,
     hideDeployMcp: false,
     hideDeployA2a: false,
@@ -149,10 +150,12 @@ import {
   McpToolsNotAllowedError,
   ModelNotAllowedError,
   ProviderNotAllowedError,
+  PublicFileSharingNotAllowedError,
   SkillsNotAllowedError,
   validateBlockType,
   validateMcpToolsAllowed,
   validateModelProvider,
+  validatePublicFileSharing,
 } from './permission-check'
 
 /** Default an org-backed, enterprise-entitled workspace so resolution reaches the group queries. */
@@ -532,6 +535,46 @@ describe('validateMcpToolsAllowed', () => {
   })
 })
 
+describe('validatePublicFileSharing', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+    mockExplicitGroup.value = []
+    mockAllWorkspacesGroup.value = []
+    mockDefaultGroup.value = []
+    mockGetAllowedIntegrationsFromEnv.mockReturnValue(null)
+    setEnterpriseOrgWorkspace()
+  })
+
+  it('throws when public file sharing is fully disabled', async () => {
+    mockExplicitGroup.value = [{ config: { disablePublicFileSharing: true } }]
+    await expect(
+      validatePublicFileSharing('user-123', 'workspace-1', 'password')
+    ).rejects.toBeInstanceOf(PublicFileSharingNotAllowedError)
+  })
+
+  it('throws when the auth type is not in the allow-list', async () => {
+    mockExplicitGroup.value = [{ config: { allowedFileShareAuthTypes: ['password', 'sso'] } }]
+    await expect(
+      validatePublicFileSharing('user-123', 'workspace-1', 'public')
+    ).rejects.toBeInstanceOf(PublicFileSharingNotAllowedError)
+  })
+
+  it('allows an auth type that is in the allow-list', async () => {
+    mockExplicitGroup.value = [{ config: { allowedFileShareAuthTypes: ['password', 'sso'] } }]
+    await validatePublicFileSharing('user-123', 'workspace-1', 'password')
+  })
+
+  it('allows any auth type when the allow-list is null', async () => {
+    mockExplicitGroup.value = [{ config: { allowedFileShareAuthTypes: null } }]
+    await validatePublicFileSharing('user-123', 'workspace-1', 'email')
+  })
+
+  it('no-ops when no auth type is provided (master switch only)', async () => {
+    mockExplicitGroup.value = [{ config: { allowedFileShareAuthTypes: ['password'] } }]
+    await validatePublicFileSharing('user-123', 'workspace-1')
+  })
+})
+
 describe('assertPermissionsAllowed', () => {
   beforeEach(() => {
     vi.clearAllMocks()

apps/sim/ee/access-control/utils/permission-check.ts

@@ -2,6 +2,7 @@ import { db } from '@sim/db'
 import { permissionGroup, permissionGroupMember, permissionGroupWorkspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { and, asc, eq } from 'drizzle-orm'
+import type { ShareAuthType } from '@/lib/api/contracts/public-shares'
 import { isOrganizationOnEnterprisePlan } from '@/lib/billing'
 import {
   getAllowedIntegrationsFromEnv,
@@ -293,15 +294,33 @@ export async function getUserPermissionConfig(
 
 /**
  * Throws {@link PublicFileSharingNotAllowedError} if the user's effective permission
- * group for the workspace disables public file sharing. No-op when access control
- * doesn't apply (non-enterprise / disabled), so non-governed orgs are unaffected.
+ * group for the workspace disables public file sharing, or — when `authType` is
+ * given — if that auth mode isn't in the group's `allowedFileShareAuthTypes`
+ * allow-list (`null` allows all). No-op when access control doesn't apply
+ * (non-enterprise / disabled), so non-governed orgs are unaffected.
  */
 export async function validatePublicFileSharing(
   userId: string,
-  workspaceId: string
+  workspaceId: string,
+  authType?: ShareAuthType
 ): Promise<void> {
   const config = await getUserPermissionConfig(userId, workspaceId)
-  if (config?.disablePublicFileSharing) {
+  if (!config) {
+    return
+  }
+  if (config.disablePublicFileSharing) {
+    throw new PublicFileSharingNotAllowedError()
+  }
+  if (
+    authType &&
+    config.allowedFileShareAuthTypes !== null &&
+    !config.allowedFileShareAuthTypes.includes(authType)
+  ) {
+    logger.warn('File share auth type blocked by permission group', {
+      userId,
+      workspaceId,
+      authType,
+    })
     throw new PublicFileSharingNotAllowedError()
   }
 }

apps/sim/lib/api/contracts/permission-groups.ts

@@ -1,5 +1,6 @@
 import { z } from 'zod'
 import { organizationIdSchema } from '@/lib/api/contracts/primitives'
+import { shareAuthTypeSchema } from '@/lib/api/contracts/public-shares'
 import { defineRouteContract } from '@/lib/api/contracts/types'
 import { permissionGroupConfigSchema } from '@/lib/permission-groups/types'
 
@@ -22,6 +23,7 @@ export const permissionGroupFullConfigSchema = z.object({
   disableInvitations: z.boolean(),
   disablePublicApi: z.boolean(),
   disablePublicFileSharing: z.boolean(),
+  allowedFileShareAuthTypes: z.array(shareAuthTypeSchema).nullable(),
   hideDeployApi: z.boolean(),
   hideDeployMcp: z.boolean(),
   hideDeployA2a: z.boolean(),

apps/sim/lib/permission-groups/types.ts

@@ -1,4 +1,8 @@
 import { z } from 'zod'
+import type { ShareAuthType } from '@/lib/api/contracts/public-shares'
+
+/** Auth modes a public file share can use; admins may restrict the allowed subset. */
+export const FILE_SHARE_AUTH_TYPES = ['public', 'password', 'email', 'sso'] as const
 
 export const PERMISSION_GROUP_CONSTRAINTS = {
   organizationName: 'permission_group_organization_name_unique',
@@ -32,6 +36,7 @@ export const permissionGroupConfigSchema = z.object({
   disableInvitations: z.boolean().optional(),
   disablePublicApi: z.boolean().optional(),
   disablePublicFileSharing: z.boolean().optional(),
+  allowedFileShareAuthTypes: z.array(z.enum(FILE_SHARE_AUTH_TYPES)).nullable().optional(),
   hideDeployApi: z.boolean().optional(),
   hideDeployMcp: z.boolean().optional(),
   hideDeployA2a: z.boolean().optional(),
@@ -62,6 +67,8 @@ export interface PermissionGroupConfig {
   disableInvitations: boolean
   disablePublicApi: boolean
   disablePublicFileSharing: boolean
+  /** Allowed public-file-share auth modes; `null` means all are allowed. */
+  allowedFileShareAuthTypes: ShareAuthType[] | null
   hideDeployApi: boolean
   hideDeployMcp: boolean
   hideDeployA2a: boolean
@@ -88,6 +95,7 @@ export const DEFAULT_PERMISSION_GROUP_CONFIG: PermissionGroupConfig = {
   disableInvitations: false,
   disablePublicApi: false,
   disablePublicFileSharing: false,
+  allowedFileShareAuthTypes: null,
   hideDeployApi: false,
   hideDeployMcp: false,
   hideDeployA2a: false,
@@ -125,6 +133,11 @@ export function parsePermissionGroupConfig(config: unknown): PermissionGroupConf
     disablePublicApi: typeof c.disablePublicApi === 'boolean' ? c.disablePublicApi : false,
     disablePublicFileSharing:
       typeof c.disablePublicFileSharing === 'boolean' ? c.disablePublicFileSharing : false,
+    allowedFileShareAuthTypes: Array.isArray(c.allowedFileShareAuthTypes)
+      ? c.allowedFileShareAuthTypes.filter((t): t is ShareAuthType =>
+          (FILE_SHARE_AUTH_TYPES as readonly string[]).includes(t as string)
+        )
+      : null,
     hideDeployApi: typeof c.hideDeployApi === 'boolean' ? c.hideDeployApi : false,
     hideDeployMcp: typeof c.hideDeployMcp === 'boolean' ? c.hideDeployMcp : false,
     hideDeployA2a: typeof c.hideDeployA2a === 'boolean' ? c.hideDeployA2a : false,