index migration safety

Author: icecrasher321

apps/sim/app/api/organizations/[id]/permission-groups/[groupId]/route.ts

@@ -128,20 +128,20 @@ export const PUT = withRouteHandler(
               ? false
               : group.appliesToAllWorkspaces
 
-      let resolvedWorkspaceIds: string[] = []
-      if (!resolvedAppliesToAll) {
-        const provided =
-          updates.workspaceIds !== undefined
-            ? updates.workspaceIds
-            : (await getGroupWorkspaces(id)).map((ws) => ws.id)
-        resolvedWorkspaceIds = Array.from(new Set(provided))
-        if (resolvedWorkspaceIds.length === 0) {
+      // Resolve and validate explicitly-provided workspaceIds before the
+      // transaction. When the request omits them for a specific-scope group
+      // ("keep current"), they're read under the lock instead (see below) so the
+      // conflict check and the write share one consistent snapshot.
+      let providedWorkspaceIds: string[] | null = null
+      if (!resolvedAppliesToAll && updates.workspaceIds !== undefined) {
+        providedWorkspaceIds = Array.from(new Set(updates.workspaceIds))
+        if (providedWorkspaceIds.length === 0) {
           return NextResponse.json(
             { error: 'Select at least one workspace when the group targets specific workspaces' },
             { status: 400 }
           )
         }
-        const invalid = await findWorkspacesNotInOrganization(resolvedWorkspaceIds, organizationId)
+        const invalid = await findWorkspacesNotInOrganization(providedWorkspaceIds, organizationId)
         if (invalid.length > 0) {
           return NextResponse.json(
             { error: 'One or more selected workspaces do not belong to this organization' },
@@ -153,12 +153,27 @@ export const PUT = withRouteHandler(
       const now = new Date()
 
       await db.transaction(async (tx) => {
+        // For a specific-scope group the target workspaces are the request's
+        // explicit ids, or — when omitted ("keep current") — the group's current
+        // workspaces read under the lock so the conflict check and write share
+        // one snapshot.
+        let resolvedWorkspaceIds: string[] = []
+
         // When the scope changes, serialize against other permission-group writes
         // for this org and re-check membership conflicts atomically with the
         // write, so a concurrent member add (or scope change) can't slip a user
         // into two groups that overlap on a workspace.
         if (scopeProvided) {
           await acquirePermissionGroupOrgLock(tx, organizationId)
+
+          if (!resolvedAppliesToAll) {
+            resolvedWorkspaceIds =
+              providedWorkspaceIds ?? (await getGroupWorkspaces(id, tx)).map((ws) => ws.id)
+            if (resolvedWorkspaceIds.length === 0) {
+              throw new Error('NO_WORKSPACES')
+            }
+          }
+
           const members = await tx
             .select({ userId: permissionGroupMember.userId })
             .from(permissionGroupMember)
@@ -263,6 +278,12 @@ export const PUT = withRouteHandler(
           { status: 409 }
         )
       }
+      if (error instanceof Error && error.message === 'NO_WORKSPACES') {
+        return NextResponse.json(
+          { error: 'Select at least one workspace when the group targets specific workspaces' },
+          { status: 400 }
+        )
+      }
       if (getPostgresErrorCode(error) === '23505') {
         const constraint = getPostgresConstraintName(error)
         if (constraint === PERMISSION_GROUP_CONSTRAINTS.organizationName) {

apps/sim/lib/api/contracts/permission-groups.test.ts

@@ -57,6 +57,24 @@ describe('createPermissionGroupBodySchema', () => {
     })
     expect(result.success).toBe(true)
   })
+
+  it('rejects a default group with workspaceIds (appliesToAllWorkspaces omitted)', () => {
+    const result = createPermissionGroupBodySchema.safeParse({
+      name: 'Baseline',
+      isDefault: true,
+      workspaceIds: ['ws-1'],
+    })
+    expect(result.success).toBe(false)
+  })
+
+  it('rejects an all-workspaces group that also names specific workspaces', () => {
+    const result = createPermissionGroupBodySchema.safeParse({
+      name: 'Engineering',
+      appliesToAllWorkspaces: true,
+      workspaceIds: ['ws-1'],
+    })
+    expect(result.success).toBe(false)
+  })
 })
 
 describe('updatePermissionGroupBodySchema', () => {
@@ -88,4 +106,20 @@ describe('updatePermissionGroupBodySchema', () => {
     })
     expect(result.success).toBe(false)
   })
+
+  it('rejects workspaceIds when making the group the default', () => {
+    const result = updatePermissionGroupBodySchema.safeParse({
+      isDefault: true,
+      workspaceIds: ['ws-1'],
+    })
+    expect(result.success).toBe(false)
+  })
+
+  it('rejects workspaceIds on an all-workspaces update', () => {
+    const result = updatePermissionGroupBodySchema.safeParse({
+      appliesToAllWorkspaces: true,
+      workspaceIds: ['ws-1'],
+    })
+    expect(result.success).toBe(false)
+  })
 })

apps/sim/lib/api/contracts/permission-groups.ts

@@ -119,13 +119,26 @@ const workspaceIdsSchema = z.array(z.string().min(1)).max(MAX_PERMISSION_GROUP_W
 /**
  * Enforce the workspace-scope invariants shared by create and update:
  *  - a specific-scope group (`appliesToAllWorkspaces === false`) must name at
- *    least one workspace, and
- *  - the organization default group must apply to all workspaces.
+ *    least one workspace,
+ *  - the organization default group must apply to all workspaces, and
+ *  - an all-workspaces or default group must not name specific workspaces
+ *    (otherwise `workspaceIds` would be silently dropped server-side).
  */
 function refineWorkspaceScope(
   body: { appliesToAllWorkspaces?: boolean; workspaceIds?: string[]; isDefault?: boolean },
   ctx: z.RefinementCtx
 ) {
+  // A default group is always org-wide, and an explicit all-workspaces group has
+  // no specific workspaces. Reject workspaceIds in either case rather than
+  // silently dropping them when the scope resolves to all-workspaces.
+  const allWorkspaces = body.isDefault === true || body.appliesToAllWorkspaces === true
+  if (allWorkspaces && body.workspaceIds && body.workspaceIds.length > 0) {
+    ctx.addIssue({
+      code: 'custom',
+      path: ['workspaceIds'],
+      message: 'workspaceIds can only be set when the group targets specific workspaces',
+    })
+  }
   if (body.appliesToAllWorkspaces === false) {
     if (!body.workspaceIds || body.workspaceIds.length === 0) {
       ctx.addIssue({

packages/db/migrations/0238_workspace_scoped_permission_groups.sql

@@ -1,17 +1,34 @@
-CREATE TABLE "permission_group_workspace" (
+-- Replay-safety: this file ends in CONCURRENTLY index ops below an embedded COMMIT,
+-- so a failure there replays the whole file from the top — every statement here is idempotent.
+CREATE TABLE IF NOT EXISTS "permission_group_workspace" (
 	"id" text PRIMARY KEY NOT NULL,
 	"permission_group_id" text NOT NULL,
 	"workspace_id" text NOT NULL,
 	"organization_id" text NOT NULL,
 	"created_at" timestamp DEFAULT now() NOT NULL
 );
 --> statement-breakpoint
-DROP INDEX "permission_group_member_organization_user_unique";--> statement-breakpoint
-ALTER TABLE "permission_group" ADD COLUMN "applies_to_all_workspaces" boolean DEFAULT true NOT NULL;--> statement-breakpoint
-ALTER TABLE "permission_group_workspace" ADD CONSTRAINT "permission_group_workspace_permission_group_id_permission_group_id_fk" FOREIGN KEY ("permission_group_id") REFERENCES "public"."permission_group"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "permission_group_workspace" ADD CONSTRAINT "permission_group_workspace_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-ALTER TABLE "permission_group_workspace" ADD CONSTRAINT "permission_group_workspace_organization_id_organization_id_fk" FOREIGN KEY ("organization_id") REFERENCES "public"."organization"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
-CREATE INDEX "permission_group_workspace_group_id_idx" ON "permission_group_workspace" USING btree ("permission_group_id");--> statement-breakpoint
-CREATE INDEX "permission_group_workspace_workspace_id_idx" ON "permission_group_workspace" USING btree ("workspace_id");--> statement-breakpoint
-CREATE UNIQUE INDEX "permission_group_workspace_group_workspace_unique" ON "permission_group_workspace" USING btree ("permission_group_id","workspace_id");--> statement-breakpoint
-CREATE INDEX "permission_group_member_organization_user_idx" ON "permission_group_member" USING btree ("organization_id","user_id");
+ALTER TABLE "permission_group" ADD COLUMN IF NOT EXISTS "applies_to_all_workspaces" boolean DEFAULT true NOT NULL;--> statement-breakpoint
+DO $$ BEGIN
+	ALTER TABLE "permission_group_workspace" ADD CONSTRAINT "permission_group_workspace_permission_group_id_permission_group_id_fk" FOREIGN KEY ("permission_group_id") REFERENCES "public"."permission_group"("id") ON DELETE cascade ON UPDATE no action;
+EXCEPTION WHEN duplicate_object THEN null;
+END $$;--> statement-breakpoint
+DO $$ BEGIN
+	ALTER TABLE "permission_group_workspace" ADD CONSTRAINT "permission_group_workspace_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;
+EXCEPTION WHEN duplicate_object THEN null;
+END $$;--> statement-breakpoint
+DO $$ BEGIN
+	ALTER TABLE "permission_group_workspace" ADD CONSTRAINT "permission_group_workspace_organization_id_organization_id_fk" FOREIGN KEY ("organization_id") REFERENCES "public"."organization"("id") ON DELETE cascade ON UPDATE no action;
+EXCEPTION WHEN duplicate_object THEN null;
+END $$;--> statement-breakpoint
+CREATE INDEX IF NOT EXISTS "permission_group_workspace_group_id_idx" ON "permission_group_workspace" USING btree ("permission_group_id");--> statement-breakpoint
+CREATE INDEX IF NOT EXISTS "permission_group_workspace_workspace_id_idx" ON "permission_group_workspace" USING btree ("workspace_id");--> statement-breakpoint
+CREATE UNIQUE INDEX IF NOT EXISTS "permission_group_workspace_group_workspace_unique" ON "permission_group_workspace" USING btree ("permission_group_id","workspace_id");--> statement-breakpoint
+-- permission_group_member is an existing table: swap its (organization_id, user_id)
+-- index CONCURRENTLY so the build/drop never write-locks the relation (runner
+-- convention — plain CREATE/DROP INDEX takes ACCESS EXCLUSIVE for the whole op).
+COMMIT;--> statement-breakpoint
+SET lock_timeout = 0;--> statement-breakpoint
+CREATE INDEX CONCURRENTLY IF NOT EXISTS "permission_group_member_organization_user_idx" ON "permission_group_member" USING btree ("organization_id","user_id");--> statement-breakpoint
+DROP INDEX CONCURRENTLY IF EXISTS "permission_group_member_organization_user_unique";--> statement-breakpoint
+SET lock_timeout = '5s';