Skip to content

feat(file): add Manage Sharing operation to the File block#5177

Open
TheodoreSpeaks wants to merge 5 commits into
stagingfrom
feat/file-permission-block
Open

feat(file): add Manage Sharing operation to the File block#5177
TheodoreSpeaks wants to merge 5 commits into
stagingfrom
feat/file-permission-block

Conversation

@TheodoreSpeaks

@TheodoreSpeaks TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Add a new "Set File Sharing" operation to the File block (file_v5) that idempotently enables/disables a file's public share link and sets its access mode (public, password, email, SSO)
  • New set_sharing case on /api/tools/file/manage reuses the existing upsertFileShare domain logic, requires write/admin, gates enabling through the EE public-sharing policy, and records a FILE_SHARED/FILE_SHARE_DISABLED audit
  • New file_set_sharing tool + contract schema; wired into the block via a Visibility dropdown with conditional password / allowed-emails fields
  • Returns an empty url when set to private so a disabled link isn't handed back as a dead link

Type of Change

  • New feature

Testing

  • Added unit tests for the block's operation→params mapping (public/private/password/email + file-object resolution)
  • bun run lint, bun run check:api-validation:strict, tsc --noEmit, and block tests all pass

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@TheodoreSpeaks
feat(file): add Set File Sharing operation to the File block
0d59177 
Adds a new file_set_sharing operation to the File block (file_v5) that
idempotently enables/disables a file's public share link and sets its
access mode (public, password, email, SSO). The set_sharing route case
reuses upsertFileShare, requires write/admin, gates enabling through the
EE public-sharing policy, and records a share audit. Returns an empty url
when set to private so a disabled link isn't handed back as a dead link.
@vercel

vercel Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Jun 23, 2026 9:33am

Request Review

@cursor

cursor Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown

PR Summary

Medium Risk
Exposes public file sharing from workflows/tools with password and allowlist handling; mitigations mirror the existing share API (write/admin, policy gate, audit), but misconfiguration could still widen file access.

Overview
Adds Manage Sharing to the file_v5 File block so workflows can turn a workspace file’s public link on or off and set access (private, public, password, email allowlist, SSO).

A new manage_sharing operation on POST /api/tools/file/manage calls existing upsertFileShare logic: write/admin is required (checked before file lookup), enabling shares runs EE public-sharing policy validation (with resolved authType so re-enable can’t bypass policy), disabling is always allowed, audit events are recorded, and the API returns an empty url when the link is disabled.

The file_manage_sharing tool and Zod contract wire this through the block UI (file picker/ID, visibility dropdown, conditional password/emails) and expose share metadata on block outputs (url, isActive, authType, etc.). Unit tests cover block param mapping and registry exposure.

Reviewed by Cursor Bugbot for commit 80bb8ed. Bugbot is set up for automated code reviews on this repo. Configure here.

@TheodoreSpeaks

TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

@greptile review

cursor[bot]
cursor Bot reviewed Jun 23, 2026
View reviewed changes
Comment thread apps/sim/lib/api/contracts/tools/file.ts Outdated
@greptile-apps

greptile-apps Bot commented Jun 23, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Greptile Summary

Adds a new Manage Sharing operation to the file_v5 block that idempotently enables or disables a workspace file's public share link and controls its access mode (public, password, email allowlist, or SSO). The route case, Zod contract, tool definition, block UI fields, and block params builder are all consistent end-to-end.

  • Permission check runs before the file lookup to prevent information leakage, and the EE public-sharing policy is enforced by resolving the same authType fallback that upsertFileShare uses internally (querying the existing share when authType is absent).
  • isActive, authType, and allowedEmails are correctly marked user-or-llm; only password is user-only. The response omits the URL when the link is disabled so callers never receive a dead link.

Confidence Score: 5/5

Safe to merge; all three issues raised in prior review rounds have been addressed in this revision.

The new operation correctly gates enabling on the EE policy, resolves the same authType fallback used by upsertFileShare to prevent bypass, and performs the permission check before the file lookup to avoid an existence side-channel. Tool param visibility is correct across the board.

No files require special attention.

Important Files Changed

Filename Overview
apps/sim/app/api/tools/file/manage/route.ts Adds manage_sharing case with permission check before file lookup, correct authType resolution for policy gating, and audit logging; ShareValidationError is caught in the outer handler.
apps/sim/tools/file/manage-sharing.ts New tool definition; isActive/authType/allowedEmails are correctly user-or-llm visible, password is user-only, and the body builder correctly threads workspaceId from context.
apps/sim/lib/api/contracts/tools/file.ts Adds fileManageSharingBodySchema reusing shareAuthTypeSchema; isActive is non-optional, allowedEmails capped at 200 items. No cross-field validation (password/allowedEmails conditioned on authType), but domain logic in upsertFileShare handles those.
apps/sim/blocks/blocks/file.ts New Manage Sharing operation added to FileV5Block; params builder handles file-object and raw-ID inputs, maps visibility to isActive+authType, and splits allowedEmails by newline/comma.
apps/sim/blocks/blocks/file.test.ts Tests cover public, private, password, email, file-object resolution, and multi-file rejection, but no test for sso visibility.
apps/sim/blocks/blocks.test.ts Registers file_manage_sharing in the expected tools list for the file block.
apps/sim/tools/file/index.ts Exports fileManageSharingTool from the file tools index.
apps/sim/tools/registry.ts Registers file_manage_sharing in the global tools record.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["POST /api/tools/file/manage\noperation: manage_sharing"] --> B["Validate body\nfileManageSharingBodySchema"]
    B --> C{"workspaceId?"}
    C -- No --> ERR1["400 workspaceId required"]
    C -- Yes --> D["assertActiveWorkspaceAccess"]
    D --> E["getUserEntityPermissions"]
    E -- read --> ERR2["403 Insufficient permissions"]
    E -- write/admin --> F["getWorkspaceFile(workspaceId, fileId)"]
    F -- not found --> ERR3["404 File not found"]
    F -- found --> G{"isActive?"}
    G -- false --> I["upsertFileShare\nisActive: false"]
    G -- true --> H["getShareForResource\nresolve authType fallback"]
    H --> J["validatePublicFileSharing\nEE policy gate"]
    J -- not allowed --> ERR4["403 Policy violation"]
    J -- allowed --> I
    I --> K["recordAudit\nFILE_SHARED / FILE_SHARE_DISABLED"]
    K --> L{"share.isActive?"}
    L -- Yes --> M["200 {share}"]
    L -- No --> N["200 {share, url: ''}"]
Loading 
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A["POST /api/tools/file/manage\noperation: manage_sharing"] --> B["Validate body\nfileManageSharingBodySchema"]
    B --> C{"workspaceId?"}
    C -- No --> ERR1["400 workspaceId required"]
    C -- Yes --> D["assertActiveWorkspaceAccess"]
    D --> E["getUserEntityPermissions"]
    E -- read --> ERR2["403 Insufficient permissions"]
    E -- write/admin --> F["getWorkspaceFile(workspaceId, fileId)"]
    F -- not found --> ERR3["404 File not found"]
    F -- found --> G{"isActive?"}
    G -- false --> I["upsertFileShare\nisActive: false"]
    G -- true --> H["getShareForResource\nresolve authType fallback"]
    H --> J["validatePublicFileSharing\nEE policy gate"]
    J -- not allowed --> ERR4["403 Policy violation"]
    J -- allowed --> I
    I --> K["recordAudit\nFILE_SHARED / FILE_SHARE_DISABLED"]
    K --> L{"share.isActive?"}
    L -- Yes --> M["200 {share}"]
    L -- No --> N["200 {share, url: ''}"]
Loading

Reviews (6): Last reviewed commit: "fix(file): require isActive in tool para..." | Re-trigger Greptile

@greptile-apps

greptile-apps Bot commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR adds a Set File Sharing operation to the file_v5 block, wiring a new file_set_sharing tool through a set_sharing API case that idempotently enables/disables a file's public share link with configurable access modes (public, password, email, SSO).

  • The block, tool, and contract schema are cleanly structured: conditional password/email subblocks, correct user-only visibility on sensitive params, a Zod schema with sensible field constraints, and a url: '' sentinel on disabled shares.
  • The route adds write/admin permission enforcement and EE access-control policy gating, but contains a logic gap: validatePublicFileSharing is called with authType ?? 'public' while upsertFileShare resolves the effective auth type as authType ?? existingShare.authType ?? 'public' — diverging when authType is omitted and an existing share has a restricted auth mode.

Confidence Score: 3/5

The block, tool, and contract changes are safe to merge; the route's set_sharing handler needs a fix before shipping to production.

The set_sharing route validates the effective sharing auth type against the org's EE policy using 'public' as a hard-coded fallback when authType is absent. upsertFileShare independently computes the real effective auth type from the existing share row, so the two values can diverge: a user on a workspace that restricts sharing to 'public' only can re-enable a previously-disabled 'sso' share by omitting authType, bypassing the allowedFileShareAuthTypes gate. The rest of the PR — tool definition, block wiring, contract schema, and tests — is well-implemented and low-risk.

apps/sim/app/api/tools/file/manage/route.ts — the set_sharing switch case needs the effective auth type resolved (from the existing share record) before calling validatePublicFileSharing.

Security Review
  • allowedFileShareAuthTypes policy bypass (apps/sim/app/api/tools/file/manage/route.ts, set_sharing case): validatePublicFileSharing is called with authType ?? 'public' as the hard-coded fallback, but upsertFileShare resolves the effective auth type as authType ?? existingShare.authType ?? 'public'. On an enterprise workspace that permits only public sharing, a user can re-enable a previously-disabled sso or email share by omitting authType from the request: the policy check sees 'public' (allowed) but the upsert persists the old 'sso' or 'email' type.
  • File-existence side-channel for read-only users (apps/sim/app/api/tools/file/manage/route.ts, set_sharing case): the file lookup occurs before the write/admin permission check, leaking whether a file ID exists via 404 vs 403 differential to callers who only have read-level workspace access.

Important Files Changed

Filename Overview
apps/sim/app/api/tools/file/manage/route.ts Adds set_sharing case with write/admin guard, EE policy validation, and audit logging; two issues: policy check uses wrong fallback authType for existing shares (allowing auth-type bypass), and file existence is probed before the permission check.
apps/sim/tools/file/set-sharing.ts New tool definition for file_set_sharing; well-structured with correct visibility settings and proper response transformation.
apps/sim/blocks/blocks/file.ts Adds file_set_sharing operation to FileV5Block with correct conditional subblocks, params mapping, and output declarations; password/email/SSO conditional fields are wired correctly.
apps/sim/lib/api/contracts/tools/file.ts New fileManageSetSharingBodySchema added to the union; field constraints (min lengths, max 200 emails, max 1024 password) look sensible.
apps/sim/blocks/blocks/file.test.ts Good coverage of public/private/password/email visibility mappings and file-object resolution; missing a test case for the sso visibility path.
apps/sim/tools/registry.ts Registers file_set_sharing tool in the correct alphabetical position.
apps/sim/blocks/blocks.test.ts Adds file_set_sharing to the known-tools assertion; straightforward and correct.
apps/sim/tools/file/index.ts Exports the new fileSetSharingTool following the existing barrel pattern.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant Block as FileV5Block (file.ts)
    participant Tool as fileSetSharingTool (set-sharing.ts)
    participant Route as /api/tools/file/manage
    participant Auth as checkInternalAuth
    participant Perm as getUserEntityPermissions
    participant Policy as validatePublicFileSharing
    participant DB as upsertFileShare (share-manager)
    participant Audit as recordAudit

    Block->>Tool: "buildParams() → { fileId, isActive, authType, password, allowedEmails }"
    Tool->>Route: "POST { operation: 'set_sharing', ... }"
    Route->>Auth: checkInternalAuth(request)
    Auth-->>Route: "{ userId }"
    Route->>Route: assertActiveWorkspaceAccess(workspaceId, userId)
    Route->>DB: getWorkspaceFile(workspaceId, fileId)
    DB-->>Route: "file | null (404 if missing)"
    Route->>Perm: getUserEntityPermissions(userId, 'workspace', workspaceId)
    Perm-->>Route: "'admin' | 'write' | 'read' (403 if read)"
    alt "isActive = true"
        Route->>Policy: validatePublicFileSharing(userId, workspaceId, authType ?? 'public')
        Note over Route,Policy: uses 'public' fallback, not existing share's authType
        Policy-->>Route: throws PublicFileSharingNotAllowedError on policy violation
    end
    Route->>DB: "upsertFileShare({ workspaceId, fileId, isActive, authType, ... })"
    Note over DB: finalAuthType = authType ?? existing.authType ?? 'public'
    DB-->>Route: ShareRecord
    Route->>Audit: "recordAudit(FILE_SHARED | FILE_SHARE_DISABLED) fire-and-forget"
    Route-->>Tool: "{ success: true, data: { share } }"
    Tool-->>Block: "{ url, isActive, authType, hasPassword, allowedEmails }"
Loading 
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant Block as FileV5Block (file.ts)
    participant Tool as fileSetSharingTool (set-sharing.ts)
    participant Route as /api/tools/file/manage
    participant Auth as checkInternalAuth
    participant Perm as getUserEntityPermissions
    participant Policy as validatePublicFileSharing
    participant DB as upsertFileShare (share-manager)
    participant Audit as recordAudit

    Block->>Tool: "buildParams() → { fileId, isActive, authType, password, allowedEmails }"
    Tool->>Route: "POST { operation: 'set_sharing', ... }"
    Route->>Auth: checkInternalAuth(request)
    Auth-->>Route: "{ userId }"
    Route->>Route: assertActiveWorkspaceAccess(workspaceId, userId)
    Route->>DB: getWorkspaceFile(workspaceId, fileId)
    DB-->>Route: "file | null (404 if missing)"
    Route->>Perm: getUserEntityPermissions(userId, 'workspace', workspaceId)
    Perm-->>Route: "'admin' | 'write' | 'read' (403 if read)"
    alt "isActive = true"
        Route->>Policy: validatePublicFileSharing(userId, workspaceId, authType ?? 'public')
        Note over Route,Policy: uses 'public' fallback, not existing share's authType
        Policy-->>Route: throws PublicFileSharingNotAllowedError on policy violation
    end
    Route->>DB: "upsertFileShare({ workspaceId, fileId, isActive, authType, ... })"
    Note over DB: finalAuthType = authType ?? existing.authType ?? 'public'
    DB-->>Route: ShareRecord
    Route->>Audit: "recordAudit(FILE_SHARED | FILE_SHARE_DISABLED) fire-and-forget"
    Route-->>Tool: "{ success: true, data: { share } }"
    Tool-->>Block: "{ url, isActive, authType, hasPassword, allowedEmails }"
Loading

Reviews (1): Last reviewed commit: "feat(file): add Set File Sharing operati..." | Re-trigger Greptile

greptile-apps[bot]
greptile-apps Bot reviewed Jun 23, 2026
View reviewed changes
Comment thread apps/sim/tools/file/manage-sharing.ts
greptile-apps[bot]
greptile-apps Bot reviewed Jun 23, 2026
View reviewed changes
Comment thread apps/sim/app/api/tools/file/manage/route.ts
Comment thread apps/sim/app/api/tools/file/manage/route.ts Outdated
@TheodoreSpeaks
fix(file): harden set_sharing — explicit isActive, agent-controllable…
75f229f 
… params, policy gate + perm-check ordering

Addresses review findings:
- Make isActive explicit/required so a bare call no longer silently enables a public link
- Expose isActive/authType/allowedEmails as user-or-llm so agents can disable/configure shares (password stays user-only)
- Resolve authType from the existing share before the EE policy gate to close a re-enable bypass
- Run the write/admin permission check before the file lookup to remove a file-existence side channel
@TheodoreSpeaks

TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

@greptile review

@TheodoreSpeaks

TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

Addressed the review findings in 75f229f (Bugbot re-ran clean; the Greptile notes above are the original review re-anchored to the new commit):

  • isActive silently enabling sharingisActive is now explicit/required in the contract (no .default(true)), so a bare call can't accidentally publish.
  • Agents can't control share stateisActive, authType, and allowedEmails are now user-or-llm (only password stays user-only).
  • Policy gate fallback authType — the gate now resolves authType ?? existingShare.authType ?? 'public' (via getShareForResource) before validatePublicFileSharing, matching what upsertFileShare persists, closing the re-enable bypass.
  • File-existence side channel — the write/admin permission check now runs before getWorkspaceFile.

@TheodoreSpeaks
refactor(file): rename file operation to Manage Sharing
e175b6d 
Renames the file_set_sharing operation to file_manage_sharing (route literal
manage_sharing, tool Manage Sharing) across the contract, route, tool, block,
registry, and tests.
@TheodoreSpeaks TheodoreSpeaks changed the title feat(file): add Set File Sharing operation to the File block feat(file): add Manage Sharing operation to the File block Jun 23, 2026
@TheodoreSpeaks

TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

Renamed the operation to Manage Sharing (file_manage_sharing / route manage_sharing) in e175b6d — no behavior change.

@TheodoreSpeaks

TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

@greptile review

@TheodoreSpeaks
fix(file): complete Manage Sharing rename in tools barrel
e9e8839 
Prior commit's lint-staged dropped the barrel re-export update, leaving
index.ts importing the deleted set-sharing module and breaking the block
registry check. Point the barrel at manage-sharing.
@TheodoreSpeaks

TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

@greptile review

greptile-apps[bot]
greptile-apps Bot reviewed Jun 23, 2026
View reviewed changes
Comment thread apps/sim/tools/file/manage-sharing.ts Outdated
cursor[bot]
cursor Bot reviewed Jun 23, 2026
View reviewed changes
Comment thread apps/sim/blocks/blocks/file.ts
@TheodoreSpeaks
fix(file): require isActive in tool params type, reject multiple file…
80bb8ed 
…s in manage sharing

- FileManageSharingParams.isActive is now required, matching the tool param
  and contract (no compile-time gap that 400s at runtime)
- manage_sharing rejects multiple canonical file IDs instead of silently
  sharing only the first, matching decompress
@TheodoreSpeaks

TheodoreSpeaks commented Jun 23, 2026

Copy link
Copy Markdown
Collaborator Author

@greptile review

cursor[bot]
cursor Bot reviewed Jun 23, 2026
View reviewed changes

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 80bb8ed. Configure here.

Comment thread apps/sim/blocks/blocks/file.ts
fileId = (file?.id as string) ?? ''
}
if (!fileId) {
throw new Error('Could not determine the file to share')

@cursor cursor Bot Jun 23, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Picker files lack share ID

Medium Severity

Manage Sharing resolves the target file only from shareInput.id, but the basic file-upload control stores workspace picks as { name, path, key, size, type } without an id. Those runs fail with “Could not determine the file to share,” while Read/Compress accept the same shape via fileInput and the manage route only accepts fileId.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 80bb8ed. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@TheodoreSpeaks