add ws id, user constraint

Author: icecrasher321

apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/bulk/route.ts

@@ -1,6 +1,7 @@
 import { db } from '@sim/db'
 import { permissionGroup, permissionGroupMember, permissions } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { getPostgresConstraintName, getPostgresErrorCode } from '@sim/utils/errors'
 import { generateId } from '@sim/utils/id'
 import { and, eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
@@ -9,6 +10,7 @@ import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { PERMISSION_GROUP_MEMBER_CONSTRAINTS } from '@/lib/permission-groups/types'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspacePermissionGroupBulkMembers')
@@ -141,6 +143,7 @@ export const POST = withRouteHandler(
         const newMembers = usersToAdd.map((userId) => ({
           id: generateId(),
           permissionGroupId: id,
+          workspaceId,
           userId,
           assignedBy: session.user.id,
           assignedAt: new Date(),
@@ -186,6 +189,21 @@ export const POST = withRouteHandler(
       if (error instanceof z.ZodError) {
         return NextResponse.json({ error: error.errors[0].message }, { status: 400 })
       }
+      if (getPostgresErrorCode(error) === '23505') {
+        const constraint = getPostgresConstraintName(error)
+        if (
+          constraint === PERMISSION_GROUP_MEMBER_CONSTRAINTS.workspaceUser ||
+          constraint === PERMISSION_GROUP_MEMBER_CONSTRAINTS.groupUser
+        ) {
+          return NextResponse.json(
+            {
+              error:
+                'One or more users were concurrently added to a group in this workspace. Please refresh and try again.',
+            },
+            { status: 409 }
+          )
+        }
+      }
       logger.error('Error bulk adding members to permission group', error)
       return NextResponse.json({ error: 'Failed to add members' }, { status: 500 })
     }

apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/route.ts

@@ -1,6 +1,7 @@
 import { db } from '@sim/db'
 import { permissionGroup, permissionGroupMember, permissions, user } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { getPostgresConstraintName, getPostgresErrorCode } from '@sim/utils/errors'
 import { generateId } from '@sim/utils/id'
 import { and, eq, inArray } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
@@ -9,6 +10,7 @@ import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
 import { isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
+import { PERMISSION_GROUP_MEMBER_CONSTRAINTS } from '@/lib/permission-groups/types'
 import { checkWorkspaceAccess, hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspacePermissionGroupMembers')
@@ -169,6 +171,7 @@ export const POST = withRouteHandler(
         const memberData = {
           id: generateId(),
           permissionGroupId: id,
+          workspaceId,
           userId,
           assignedBy: session.user.id,
           assignedAt: new Date(),
@@ -214,6 +217,24 @@ export const POST = withRouteHandler(
           { status: 409 }
         )
       }
+      if (getPostgresErrorCode(error) === '23505') {
+        const constraint = getPostgresConstraintName(error)
+        if (constraint === PERMISSION_GROUP_MEMBER_CONSTRAINTS.workspaceUser) {
+          return NextResponse.json(
+            {
+              error:
+                'User was concurrently added to another group in this workspace. Please refresh and try again.',
+            },
+            { status: 409 }
+          )
+        }
+        if (constraint === PERMISSION_GROUP_MEMBER_CONSTRAINTS.groupUser) {
+          return NextResponse.json(
+            { error: 'User is already in this permission group' },
+            { status: 409 }
+          )
+        }
+      }
       logger.error('Error adding member to permission group', error)
       return NextResponse.json({ error: 'Failed to add member' }, { status: 500 })
     }

apps/sim/lib/permission-groups/auto-add.ts

@@ -54,6 +54,7 @@ export async function applyWorkspaceAutoAddGroup(
     await client.insert(permissionGroupMember).values({
       id: generateId(),
       permissionGroupId: autoAddGroup.id,
+      workspaceId,
       userId,
       assignedBy: null,
       assignedAt: new Date(),

apps/sim/lib/permission-groups/types.ts

@@ -1,5 +1,10 @@
 import { z } from 'zod'
 
+export const PERMISSION_GROUP_MEMBER_CONSTRAINTS = {
+  groupUser: 'permission_group_member_group_user_unique',
+  workspaceUser: 'permission_group_member_workspace_user_unique',
+} as const
+
 export const permissionGroupConfigSchema = z.object({
   allowedIntegrations: z.array(z.string()).nullable().optional(),
   allowedModelProviders: z.array(z.string()).nullable().optional(),

…/db/migrations/0194_organic_talisman.sql …migrations/0194_careless_pete_wisdom.sqlpackages/db/migrations/0194_organic_talisman.sql renamed to packages/db/migrations/0194_careless_pete_wisdom.sql packages/db/migrations/0194_organic_talisman.sql renamed to packages/db/migrations/0194_careless_pete_wisdom.sql

@@ -1,7 +1,10 @@
 -- Rebase permission groups from organization-scoped to workspace-scoped.
 -- Each existing org-scoped permission_group is cloned onto every workspace
 -- owned by that org; members are copied to each clone only if the user has
--- workspace-level permissions on the target workspace.
+-- workspace-level permissions on the target workspace. The
+-- permission_group_member table also gains a denormalized workspace_id column
+-- so the database can enforce the "one group per user per workspace"
+-- invariant with a composite unique index.
 
 -- 0. Backfill workspace -> organization links for grandfathered workspaces whose
 --    billed account user is the sole owner of exactly one organization. This is a
@@ -25,9 +28,11 @@ WHERE w."organization_id" IS NULL
   AND w."workspace_mode" = 'grandfathered_shared'
   AND w."billed_account_user_id" = owner_orgs."user_id";--> statement-breakpoint
 
--- 1. Add workspace_id as nullable so existing rows can coexist during the data migration.
+-- 1. Add workspace_id columns as nullable so existing rows can coexist during the data migration.
 ALTER TABLE "permission_group" ADD COLUMN "workspace_id" text;--> statement-breakpoint
 ALTER TABLE "permission_group" ADD CONSTRAINT "permission_group_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
+ALTER TABLE "permission_group_member" ADD COLUMN "workspace_id" text;--> statement-breakpoint
+ALTER TABLE "permission_group_member" ADD CONSTRAINT "permission_group_member_workspace_id_workspace_id_fk" FOREIGN KEY ("workspace_id") REFERENCES "public"."workspace"("id") ON DELETE cascade ON UPDATE no action;--> statement-breakpoint
 
 -- 2. Materialize a plan of (source permission group, target workspace, new clone id)
 --    so we can insert the clone rows AND the member rows with stable references.
@@ -70,12 +75,15 @@ SELECT
 FROM "__permission_group_clone_plan" plan
 JOIN "permission_group" pg ON pg."id" = plan."source_id";--> statement-breakpoint
 
--- 4. Copy member rows to each workspace clone, but only if the user has
---    workspace-level permissions on that target workspace.
-INSERT INTO "permission_group_member" ("id", "permission_group_id", "user_id", "assigned_by", "assigned_at")
+-- 4. Copy member rows to each workspace clone, populating the denormalized
+--    workspace_id. Only include users who have workspace-level permissions on
+--    that target workspace, OR who are the workspace owner (legacy workspaces
+--    may have an owner without an explicit permissions row).
+INSERT INTO "permission_group_member" ("id", "permission_group_id", "workspace_id", "user_id", "assigned_by", "assigned_at")
 SELECT
   gen_random_uuid()::text,
   plan."cloned_id",
+  plan."workspace_id",
   m."user_id",
   m."assigned_by",
   m."assigned_at"
@@ -100,8 +108,9 @@ WHERE "permission_group_id" IN (
 
 DELETE FROM "permission_group" WHERE "organization_id" IS NOT NULL;--> statement-breakpoint
 
--- 6. Enforce NOT NULL on workspace_id now that every surviving row has one.
+-- 6. Enforce NOT NULL on both workspace_id columns now that every surviving row has one.
 ALTER TABLE "permission_group" ALTER COLUMN "workspace_id" SET NOT NULL;--> statement-breakpoint
+ALTER TABLE "permission_group_member" ALTER COLUMN "workspace_id" SET NOT NULL;--> statement-breakpoint
 
 -- 7. Drop legacy structures and swap indexes.
 ALTER TABLE "permission_group" DROP CONSTRAINT "permission_group_organization_id_organization_id_fk";--> statement-breakpoint
@@ -112,6 +121,8 @@ ALTER TABLE "permission_group" DROP COLUMN "organization_id";--> statement-break
 CREATE UNIQUE INDEX "permission_group_workspace_name_unique" ON "permission_group" USING btree ("workspace_id","name");--> statement-breakpoint
 CREATE UNIQUE INDEX "permission_group_workspace_auto_add_unique" ON "permission_group" USING btree ("workspace_id") WHERE auto_add_new_members = true;--> statement-breakpoint
 CREATE UNIQUE INDEX "permission_group_member_group_user_unique" ON "permission_group_member" USING btree ("permission_group_id","user_id");--> statement-breakpoint
+CREATE UNIQUE INDEX "permission_group_member_workspace_user_unique" ON "permission_group_member" USING btree ("workspace_id","user_id");--> statement-breakpoint
 
 -- 8. Sweep any residual dead config keys from pre-existing workspace-scoped rows (if any).
 UPDATE "permission_group" SET "config" = ("config" - 'hideEnvironmentTab' - 'hideTemplates') WHERE "config" ? 'hideEnvironmentTab' OR "config" ? 'hideTemplates';
+

packages/db/migrations/meta/0194_snapshot.json

@@ -1,5 +1,5 @@
 {
-  "id": "2b83a8e3-99b2-4ac1-ac93-fa25a416a2ef",
+  "id": "dce19071-748a-432a-86f3-6dd4021df35f",
   "prevId": "8caf2eaf-a548-4c7f-83ae-546b416c5d88",
   "version": "7",
   "dialect": "postgresql",
@@ -8584,6 +8584,12 @@
           "primaryKey": false,
           "notNull": true
         },
+        "workspace_id": {
+          "name": "workspace_id",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true
+        },
         "user_id": {
           "name": "user_id",
           "type": "text",
@@ -8640,6 +8646,27 @@
           "concurrently": false,
           "method": "btree",
           "with": {}
+        },
+        "permission_group_member_workspace_user_unique": {
+          "name": "permission_group_member_workspace_user_unique",
+          "columns": [
+            {
+              "expression": "workspace_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            },
+            {
+              "expression": "user_id",
+              "isExpression": false,
+              "asc": true,
+              "nulls": "last"
+            }
+          ],
+          "isUnique": true,
+          "concurrently": false,
+          "method": "btree",
+          "with": {}
         }
       },
       "foreignKeys": {
@@ -8652,6 +8679,15 @@
           "onDelete": "cascade",
           "onUpdate": "no action"
         },
+        "permission_group_member_workspace_id_workspace_id_fk": {
+          "name": "permission_group_member_workspace_id_workspace_id_fk",
+          "tableFrom": "permission_group_member",
+          "tableTo": "workspace",
+          "columnsFrom": ["workspace_id"],
+          "columnsTo": ["id"],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
         "permission_group_member_user_id_user_id_fk": {
           "name": "permission_group_member_user_id_user_id_fk",
           "tableFrom": "permission_group_member",

packages/db/migrations/meta/_journal.json

@@ -1356,8 +1356,8 @@
     {
       "idx": 194,
       "version": "7",
-      "when": 1776798198298,
-      "tag": "0194_organic_talisman",
+      "when": 1776800382630,
+      "tag": "0194_careless_pete_wisdom",
       "breakpoints": true
     }
   ]

packages/db/schema.ts

@@ -2678,6 +2678,9 @@ export const permissionGroupMember = pgTable(
     permissionGroupId: text('permission_group_id')
       .notNull()
       .references(() => permissionGroup.id, { onDelete: 'cascade' }),
+    workspaceId: text('workspace_id')
+      .notNull()
+      .references(() => workspace.id, { onDelete: 'cascade' }),
     userId: text('user_id')
       .notNull()
       .references(() => user.id, { onDelete: 'cascade' }),
@@ -2690,6 +2693,10 @@ export const permissionGroupMember = pgTable(
       table.permissionGroupId,
       table.userId
     ),
+    workspaceUserUnique: uniqueIndex('permission_group_member_workspace_user_unique').on(
+      table.workspaceId,
+      table.userId
+    ),
   })
 )
 

packages/utils/src/errors.ts

@@ -13,6 +13,19 @@ export function toError(value: unknown): Error {
  * Normalizes common Drizzle / `postgres` driver shapes and walks `cause` chains.
  */
 export function getPostgresErrorCode(error: unknown): string | undefined {
+  return readPgErrorField(error, 'code')
+}
+
+/**
+ * Returns the name of the PostgreSQL constraint that triggered the error (e.g. the unique index
+ * name on a `23505`), when present on a thrown value. Mirrors the field populated by the
+ * `postgres` / `pg` drivers, walking `cause` chains the same way as `getPostgresErrorCode`.
+ */
+export function getPostgresConstraintName(error: unknown): string | undefined {
+  return readPgErrorField(error, 'constraint_name') ?? readPgErrorField(error, 'constraint')
+}
+
+function readPgErrorField(error: unknown, field: string): string | undefined {
   const seen = new Set<unknown>()
   let current: unknown = error
 
@@ -23,9 +36,9 @@ export function getPostgresErrorCode(error: unknown): string | undefined {
     seen.add(current)
 
     if (typeof current === 'object') {
-      const code = (current as { code?: unknown }).code
-      if (typeof code === 'string') {
-        return code
+      const value = (current as Record<string, unknown>)[field]
+      if (typeof value === 'string') {
+        return value
       }
     }