fix(execution): always ban-check the workflow owner so schedules are covered

TheodoreSpeaks · TheodoreSpeaks · commit b41c0fecaa87 · 2026-06-10T13:39:18.000-07:00
diff --git a/apps/sim/lib/execution/preprocessing.test.ts b/apps/sim/lib/execution/preprocessing.test.ts
@@ -38,6 +38,7 @@ vi.mock('@/lib/workspaces/utils', () => ({
 vi.mock('@sim/workflow-authz', () => ({
   getActiveWorkflowRecord: vi.fn().mockResolvedValue({
     id: 'workflow-1',
+    userId: 'creator-1',
     workspaceId: 'workspace-1',
     isDeployed: true,
   }),
@@ -197,19 +198,23 @@ describe('preprocessExecution ban gate', () => {
     expect(checkServerSideUsageLimits).not.toHaveBeenCalled()
   })
 
-  it('checks the billing actor and the caller-provided userId in one call', async () => {
+  it('checks the billing actor, caller-provided userId, and workflow owner in one call', async () => {
     const result = await preprocessExecution(baseOptions)
 
     expect(result.success).toBe(true)
     expect(mockGetActivelyBannedUserIds).toHaveBeenCalledTimes(1)
-    expect(mockGetActivelyBannedUserIds).toHaveBeenCalledWith(['billed-account-1', 'owner-1'])
+    expect(mockGetActivelyBannedUserIds).toHaveBeenCalledWith([
+      'billed-account-1',
+      'owner-1',
+      'creator-1',
+    ])
   })
 
-  it('excludes the "unknown" sentinel userId from the ban check', async () => {
+  it('excludes the "unknown" sentinel userId but still checks the workflow owner', async () => {
     const result = await preprocessExecution({ ...baseOptions, userId: 'unknown' })
 
     expect(result.success).toBe(true)
-    expect(mockGetActivelyBannedUserIds).toHaveBeenCalledWith(['billed-account-1'])
+    expect(mockGetActivelyBannedUserIds).toHaveBeenCalledWith(['billed-account-1', 'creator-1'])
   })
 
   it('fails closed with 500 when the ban check errors', async () => {
diff --git a/apps/sim/lib/execution/preprocessing.ts b/apps/sim/lib/execution/preprocessing.ts
@@ -313,13 +313,17 @@ export async function preprocessExecution(
   }
 
   // ========== STEP 3.5: Reject Banned Accounts ==========
-  // Blocks executions when the billing actor — or, when different, the
-  // caller-provided userId (workflow creator, chat deployer, authenticated
-  // caller) — has an active ban or a blocked email domain.
+  // Blocks executions when the billing actor, the workflow owner, or the
+  // caller-provided userId (chat deployer, authenticated caller) has an
+  // active ban or a blocked email domain. The owner comes from the workflow
+  // record so schedules — which pass the 'unknown' sentinel — are covered.
   const banCandidateIds = [actorUserId]
   if (userId && userId !== 'unknown' && userId !== actorUserId) {
     banCandidateIds.push(userId)
   }
+  if (workflowRecord.userId && !banCandidateIds.includes(workflowRecord.userId)) {
+    banCandidateIds.push(workflowRecord.userId)
+  }
   try {
     const bannedUserIds = await getActivelyBannedUserIds(banCandidateIds)
     if (bannedUserIds.length > 0) {
