Merge branch 'feature/admin-views' into feature/beta-v1

packages/server/src/controllers/predictions/index.ts

@@ -21,7 +21,7 @@ const createPrediction = async (req: Request, res: Response, next: NextFunction)
                 `Error: predictionsController.createPrediction - body not provided!`
             )
         }
-        const chatflow = await chatflowsService.getChatflowById(req.params.id)
+        const chatflow = await chatflowsService.getChatflowById(req.params.id, req.user)
         if (!chatflow) {
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Chatflow ${req.params.id} not found`)
         }

packages/server/src/routes/credentials/index.ts

@@ -1,18 +1,20 @@
 import express from 'express'
 import credentialsController from '../../controllers/credentials'
+import enforceAbility from '../../middlewares/authentication/enforceAbility'
+
 const router = express.Router()
 
 // CREATE
-router.post('/', credentialsController.createCredential)
+router.post('/', enforceAbility('Credential'), credentialsController.createCredential)
 
 // READ
-router.get('/', credentialsController.getAllCredentials)
-router.get(['/', '/:id'], credentialsController.getCredentialById)
+router.get('/', enforceAbility('Credential'), credentialsController.getAllCredentials)
+router.get(['/', '/:id'], enforceAbility('Credential'), credentialsController.getCredentialById)
 
 // UPDATE
-router.put(['/', '/:id'], credentialsController.updateCredential)
+router.put(['/', '/:id'], enforceAbility('Credential'), credentialsController.updateCredential)
 
 // DELETE
-router.delete(['/', '/:id'], credentialsController.deleteCredentials)
+router.delete(['/', '/:id'], enforceAbility('Credential'), credentialsController.deleteCredentials)
 
 export default router

packages/server/src/services/chatflows/index.ts

@@ -218,15 +218,21 @@ const getChatflowById = async (chatflowId: string, user?: IUser): Promise<any> =
         const appServer = getRunningExpressApp()
         const dbResponse = await appServer.AppDataSource.getRepository(ChatFlow)
             .createQueryBuilder('chatFlow')
-            .where(user?.permissions?.includes('org:manage') ? 'chatFlow.id = :id' : 'chatFlow.id = :id AND chatFlow.userId = :userId', {
-                id: chatflowId,
-                userId: user?.id
-            })
+            .where('chatFlow.id = :id', { id: chatflowId })
             .getOne()
+
         if (!dbResponse) {
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Chatflow ${chatflowId} not found in the database!`)
         }
 
+        // Check if the chatflow is not public and the user is not an org manager
+        if (!dbResponse.isPublic && !user?.permissions?.includes('org:manage')) {
+            // Perform the check against userId
+            if (dbResponse.userId !== user?.id) {
+                throw new InternalFlowiseError(StatusCodes.UNAUTHORIZED, `Unauthorized to access this chatflow`)
+            }
+        }
+
         return dbResponse
     } catch (error) {
         throw new InternalFlowiseError(

packages/server/src/services/credentials/index.ts

@@ -57,9 +57,10 @@ const getAllCredentials = async (paramCredentialName: any, user: IUser) => {
         const fetchCredentials = async (name?: string) => {
             let baseConditions = []
 
-            if (isAdmin) {
+            // If name is provided, only fetch owned credentials
+            if (!name && isAdmin) {
                 // Admin can see all organization credentials
-                baseConditions = [{ organizationId: user.organizationId }]
+                baseConditions = [{ organizationId: user.organizationId }, { userId: IsNull() }]
             } else {
                 baseConditions = [
                     { userId: user.id },
@@ -148,8 +149,7 @@ const updateCredential = async (credentialId: string, requestBody: any, userId?:
     try {
         const appServer = getRunningExpressApp()
         const credential = await appServer.AppDataSource.getRepository(Credential).findOneBy({
-            id: credentialId,
-            userId
+            id: credentialId
         })
         if (!credential) {
             throw new InternalFlowiseError(StatusCodes.NOT_FOUND, `Credential ${credentialId} not found`)

packages/ui/src/views/chatflows/index.jsx

@@ -130,7 +130,6 @@ const Chatflows = () => {
 
             const myChatflowsData = getAllChatflowsApi.data
             const { processedImages: myImages, processedNodeTypes: myNodeTypes } = processFlowData(myChatflowsData)
-            console.log('User', { myChatflowsData, user, flags })
             setMyChatflows(myChatflowsData?.filter((flow) => flow.isOwner))
             setOrganizationChatflows(myChatflowsData?.filter((flow) => !flow.isOwner))
             const marketplaceChatflows = getMarketplaceChatflowsApi.data
@@ -185,6 +184,11 @@ const Chatflows = () => {
         [communityChatflows, search, categoryFilter]
     )
 
+    const filteredOrganizationChatflows = useMemo(
+        () => filterChatflows(organizationChatflows, search, categoryFilter),
+        [organizationChatflows, search, categoryFilter]
+    )
+
     return (
         <MainCard>
             <Box sx={{ display: 'flex', flexDirection: 'column', gap: 3 }}>
@@ -255,7 +259,7 @@ const Chatflows = () => {
                 </TabPanel>
                 <TabPanel value={tabValue} index={3}>
                     <FlowListView
-                        data={organizationChatflows}
+                        data={filteredOrganizationChatflows}
                         images={images}
                         nodeTypes={nodeTypes}
                         isLoading={isLoading}