feat: RBAC (#8922)

Signed-off-by: Oleg Ivaniv <me@olegivaniv.com>
Co-authored-by: Val <68596159+valya@users.noreply.github.com>
Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in>
Co-authored-by: Valya Bullions <valya@n8n.io>
Co-authored-by: Danny Martini <danny@n8n.io>
Co-authored-by: Danny Martini <despair.blue@gmail.com>
Co-authored-by: Iván Ovejero <ivov.src@gmail.com>
Co-authored-by: Omar Ajoue <krynble@gmail.com>
Co-authored-by: oleg <me@olegivaniv.com>
Co-authored-by: Michael Kret <michael.k@radency.com>
Co-authored-by: Michael Kret <88898367+michael-radency@users.noreply.github.com>
Co-authored-by: Elias Meire <elias@meire.dev>
Co-authored-by: Giulio Andreini <andreini@netseven.it>
Co-authored-by: Giulio Andreini <g.andreini@gmail.com>
Co-authored-by: Ayato Hayashi <go12limchangyong@gmail.com>
Csaba Tuncsik
2024-05-17 10:53:15 +02:00
committed by GitHub
parent b1f977ebd0
commit 596c472ecc
292 changed files with 14129 additions and 3989 deletions


@@ -7,6 +7,7 @@ import { WorkflowSharingService } from '@/workflows/workflowSharing.service';
import { NotFoundError } from '@/errors/response-errors/not-found.error';
import { parseRangeQuery } from './parse-range-query.middleware';
import type { User } from '@/databases/entities/User';
import type { Scope } from '@n8n/permissions';
@RestController('/executions')
export class ExecutionsController {
@@ -17,15 +18,20 @@ export class ExecutionsController {
private readonly license: License,
) {}
private async getAccessibleWorkflowIds(user: User) {
return this.license.isSharingEnabled()
? await this.workflowSharingService.getSharedWorkflowIds(user)
: await this.workflowSharingService.getSharedWorkflowIds(user, ['workflow:owner']);
private async getAccessibleWorkflowIds(user: User, scope: Scope) {
if (this.license.isSharingEnabled()) {
return await this.workflowSharingService.getSharedWorkflowIds(user, { scopes: [scope] });
} else {
return await this.workflowSharingService.getSharedWorkflowIds(user, {
workflowRoles: ['workflow:owner'],
projectRoles: ['project:personalOwner'],
});
}
}
@Get('/', { middlewares: [parseRangeQuery] })
async getMany(req: ExecutionRequest.GetMany) {
const accessibleWorkflowIds = await this.getAccessibleWorkflowIds(req.user);
const accessibleWorkflowIds = await this.getAccessibleWorkflowIds(req.user, 'workflow:read');
if (accessibleWorkflowIds.length === 0) {
return { count: 0, estimated: false, results: [] };
@@ -53,7 +59,7 @@ export class ExecutionsController {
@Get('/:id')
async getOne(req: ExecutionRequest.GetOne) {
const workflowIds = await this.getAccessibleWorkflowIds(req.user);
const workflowIds = await this.getAccessibleWorkflowIds(req.user, 'workflow:read');
if (workflowIds.length === 0) throw new NotFoundError('Execution not found');
@@ -64,7 +70,7 @@ export class ExecutionsController {
@Post('/:id/stop')
async stop(req: ExecutionRequest.Stop) {
const workflowIds = await this.getAccessibleWorkflowIds(req.user);
const workflowIds = await this.getAccessibleWorkflowIds(req.user, 'workflow:execute');
if (workflowIds.length === 0) throw new NotFoundError('Execution not found');
@@ -73,7 +79,7 @@ export class ExecutionsController {
@Post('/:id/retry')
async retry(req: ExecutionRequest.Retry) {
const workflowIds = await this.getAccessibleWorkflowIds(req.user);
const workflowIds = await this.getAccessibleWorkflowIds(req.user, 'workflow:execute');
if (workflowIds.length === 0) throw new NotFoundError('Execution not found');
@@ -82,7 +88,7 @@ export class ExecutionsController {
@Post('/delete')
async delete(req: ExecutionRequest.Delete) {
const workflowIds = await this.getAccessibleWorkflowIds(req.user);
const workflowIds = await this.getAccessibleWorkflowIds(req.user, 'workflow:execute');
if (workflowIds.length === 0) throw new NotFoundError('Execution not found');
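Review bot: `delete` (last hunk) authorises removal of execution records with `'workflow:execute'`, the same scope `stop` and `retry` pass, so any role that may run a workflow may also erase its execution history. If that is intended, record it next to the call, e.g. `// deleting executions is deliberately gated by workflow:execute, not a separate scope`; otherwise gate deletion with a narrower scope. In `getAccessibleWorkflowIds` the new `scope` argument is ignored when sharing is not licensed, since the `else` branch filters by owner roles only; a one-line comment such as `// unlicensed: scope is not consulted, only owner roles qualify` would keep a later reader from assuming the scope is always enforced. The bodies of `getMany`, `getOne`, `stop`, `retry` and `delete` continue outside the hunks, so how the returned ids are applied to the requested execution is not visible here.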