feat(core): Only show credentials shared with you in the overview section (no-changelog) (#14855)

Co-authored-by: Danny Martini <danny@n8n.io>

packages/cli/src/credentials/credentials.service.ts

@@ -21,6 +21,7 @@ import { CREDENTIAL_BLANKING_VALUE } from '@/constants';
 import { CredentialTypes } from '@/credential-types';
 import { createCredentialsFromCredentialsEntity } from '@/credentials-helper';
 import { CredentialsEntity } from '@/databases/entities/credentials-entity';
+import type { Project } from '@/databases/entities/project';
 import { SharedCredentials } from '@/databases/entities/shared-credentials';
 import type { User } from '@/databases/entities/user';
 import { CredentialsRepository } from '@/databases/repositories/credentials.repository';
@@ -82,6 +83,10 @@ export class CredentialsService {
 	) {
 		const returnAll = user.hasGlobalScope('credential:list');
 		const isDefaultSelect = !listQueryOptions.select;
+		const projectId =
+			typeof listQueryOptions.filter?.projectId === 'string'
+				? listQueryOptions.filter.projectId
+				: undefined;
 
 		if (includeData) {
 			// We need the scopes to check if we're allowed to include the decrypted
@@ -93,6 +98,21 @@ export class CredentialsService {
 		}
 
 		if (returnAll) {
+			let project: Project | undefined;
+
+			if (projectId) {
+				try {
+					project = await this.projectService.getProject(projectId);
+				} catch {}
+			}
+
+			if (project?.type === 'personal') {
+				listQueryOptions.filter = {
+					...listQueryOptions.filter,
+					withRole: 'credential:owner',
+				};
+			}
+
 			let credentials = await this.credentialsRepository.findMany(listQueryOptions);
 
 			if (isDefaultSelect) {
@@ -136,17 +156,6 @@ export class CredentialsService {
 			return credentials;
 		}
 
-		// If the workflow is part of a personal project we want to show the
-		// credentials the user making the request has access to, not the
-		// credentials the user owning the workflow has access to.
-		if (typeof listQueryOptions.filter?.projectId === 'string') {
-			const project = await this.projectService.getProject(listQueryOptions.filter.projectId);
-			if (project?.type === 'personal') {
-				const currentUsersPersonalProject = await this.projectService.getPersonalProject(user);
-				listQueryOptions.filter.projectId = currentUsersPersonalProject?.id;
-			}
-		}
-
 		const ids = await this.credentialsFinderService.getCredentialIdsByUserAndRole([user.id], {
 			scopes: ['credential:read'],
 		});

packages/cli/src/databases/repositories/credentials.repository.ts

@@ -52,10 +52,7 @@ export class CredentialsRepository extends Repository<CredentialsEntity> {
 			filter.type = Like(`%${filter.type}%`);
 		}
 
-		if (typeof filter?.projectId === 'string' && filter.projectId !== '') {
-			filter.shared = { projectId: filter.projectId };
-			delete filter.projectId;
-		}
+		this.handleSharedFilters(listQueryOptions);
 
 		if (filter) findManyOptions.where = filter;
 		if (select) findManyOptions.select = select;
@@ -82,6 +79,29 @@ export class CredentialsRepository extends Repository<CredentialsEntity> {
 		return findManyOptions;
 	}
 
+	private handleSharedFilters(
+		listQueryOptions?: ListQuery.Options & { includeData?: boolean },
+	): void {
+		if (!listQueryOptions?.filter) return;
+
+		const { filter } = listQueryOptions;
+
+		if (typeof filter.projectId === 'string' && filter.projectId !== '') {
+			filter.shared = {
+				projectId: filter.projectId,
+			};
+			delete filter.projectId;
+		}
+
+		if (typeof filter.withRole === 'string' && filter.withRole !== '') {
+			filter.shared = {
+				...(filter?.shared ? filter.shared : {}),
+				role: filter.withRole,
+			};
+			delete filter.withRole;
+		}
+	}
+
 	async getManyByIds(ids: string[], { withSharings } = { withSharings: false }) {
 		const findManyOptions: FindManyOptions<CredentialsEntity> = { where: { id: In(ids) } };
 

packages/cli/test/integration/credentials/credentials.api.test.ts

@@ -618,28 +618,54 @@ describe('GET /credentials', () => {
 			expect(response.body.data).toHaveLength(0);
 		});
 
-		test('should return only owned and explicitly shared credentials when filtering by any personal project id', async () => {
+		test('should return only owned credentials when filtering by owner personal project id', async () => {
 			// Create credential owned by `owner` and share it to `member`
 			const ownerCredential = await saveCredential(payload(), {
 				user: owner,
 				role: 'credential:owner',
 			});
-			await shareCredentialWithUsers(ownerCredential, [member]);
 			// Create credential owned by `member`
 			const memberCredential = await saveCredential(payload(), {
 				user: member,
 				role: 'credential:owner',
 			});
 
+			await shareCredentialWithUsers(memberCredential, [owner]);
+
 			// Simulate editing a workflow owned by `owner` so request credentials to their personal project
 			const response: GetAllResponse = await testServer
-				.authAgentFor(member)
+				.authAgentFor(owner)
 				.get('/credentials')
 				.query(`filter={ "projectId": "${ownerPersonalProject.id}" }`)
 				.expect(200);
 
-			expect(response.body.data).toHaveLength(2);
+			expect(response.body.data).toHaveLength(1);
 			expect(response.body.data.map((credential) => credential.id)).toContain(ownerCredential.id);
+		});
+
+		test('should return only owned credentials when filtering by member personal project id', async () => {
+			// Create credential owned by `member`
+			const memberCredential = await saveCredential(payload(), {
+				user: member,
+				role: 'credential:owner',
+			});
+
+			// Create credential owned by `owner` and share it to `member`
+			const ownerCredential = await saveCredential(payload(), {
+				user: owner,
+				role: 'credential:owner',
+			});
+
+			await shareCredentialWithUsers(ownerCredential, [member]);
+
+			// Simulate editing a workflow owned by `owner` so request credentials to their personal project
+			const response: GetAllResponse = await testServer
+				.authAgentFor(owner)
+				.get('/credentials')
+				.query(`filter={ "projectId": "${memberPersonalProject.id}" }`)
+				.expect(200);
+
+			expect(response.body.data).toHaveLength(1);
 			expect(response.body.data.map((credential) => credential.id)).toContain(memberCredential.id);
 		});