fix(uploads): tighten permission checks and fix multipart customKey for mothership/execution

Author: waleedlatif1

apps/sim/app/api/files/multipart/route.ts

@@ -158,6 +158,30 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
               { status: 413 }
             )
           }
+        } else if (context === 'mothership') {
+          const { generateWorkspaceFileKey } = await import(
+            '@/lib/uploads/contexts/workspace/workspace-file-manager'
+          )
+          customKey = generateWorkspaceFileKey(workspaceId, fileName)
+        } else if (context === 'execution') {
+          const workflowId = (data as { workflowId?: unknown }).workflowId
+          const executionId = (data as { executionId?: unknown }).executionId
+          if (typeof workflowId !== 'string' || !workflowId.trim()) {
+            return NextResponse.json(
+              { error: 'workflowId is required for execution uploads' },
+              { status: 400 }
+            )
+          }
+          if (typeof executionId !== 'string' || !executionId.trim()) {
+            return NextResponse.json(
+              { error: 'executionId is required for execution uploads' },
+              { status: 400 }
+            )
+          }
+          const { generateExecutionFileKey } = await import(
+            '@/lib/uploads/contexts/execution/utils'
+          )
+          customKey = generateExecutionFileKey({ workspaceId, workflowId, executionId }, fileName)
         }
 
         let uploadId: string

apps/sim/app/api/files/presigned/route.ts

@@ -134,9 +134,9 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       }
 
       const permission = await getUserEntityPermissions(sessionUserId, 'workspace', workspaceId)
-      if (permission === null) {
+      if (permission !== 'write' && permission !== 'admin') {
         return NextResponse.json(
-          { error: 'Insufficient permissions for workspace' },
+          { error: 'Write or Admin access required for mothership uploads' },
           { status: 403 }
         )
       }
@@ -192,9 +192,9 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       }
 
       const permission = await getUserEntityPermissions(sessionUserId, 'workspace', workspaceId)
-      if (permission === null) {
+      if (permission !== 'write' && permission !== 'admin') {
         return NextResponse.json(
-          { error: 'Insufficient permissions for workspace' },
+          { error: 'Write or Admin access required for workspace logo uploads' },
           { status: 403 }
         )
       }

apps/sim/app/workspace/[workspaceId]/w/[workflowId]/hooks/use-workflow-execution.ts

@@ -513,6 +513,8 @@ export function useWorkflowExecution() {
                       file: fileData.file,
                       workspaceId,
                       context: 'execution',
+                      workflowId: activeWorkflowId,
+                      executionId,
                       presignedEndpoint,
                     })
                     uploadedFiles.push({

apps/sim/lib/uploads/client/direct-upload.ts

@@ -310,6 +310,8 @@ interface MultipartUploadOptions {
     | 'profile-pictures'
     | 'workspace-logos'
     | 'execution'
+  workflowId?: string
+  executionId?: string
   signal?: AbortSignal
   onProgress?: (event: UploadProgressEvent) => void
 }
@@ -327,7 +329,7 @@ interface PartUrl {
 const uploadViaMultipart = async (
   opts: MultipartUploadOptions
 ): Promise<{ key: string; path: string }> => {
-  const { file, workspaceId, context, signal, onProgress } = opts
+  const { file, workspaceId, context, workflowId, executionId, signal, onProgress } = opts
 
   // boundary-raw-fetch: multipart upload control plane uses action query strings; client lifecycle (initiate/get-part-urls/complete/abort) is sequenced manually and not modeled by a single contract
   const initiateResponse = await fetch('/api/files/multipart?action=initiate', {
@@ -339,6 +341,8 @@ const uploadViaMultipart = async (
       fileSize: file.size,
       workspaceId,
       context,
+      ...(workflowId ? { workflowId } : {}),
+      ...(executionId ? { executionId } : {}),
     }),
     signal,
   })
@@ -534,6 +538,10 @@ export interface RunUploadStrategyOptions {
   presignedEndpoint?: string
   /** Pre-fetched presigned data (e.g. from a batch endpoint). Skips per-file fetch. */
   presignedOverride?: PresignedUploadInfo
+  /** Required when context is `execution`; forwarded to the multipart route to scope the storage key. */
+  workflowId?: string
+  /** Required when context is `execution`; forwarded to the multipart route to scope the storage key. */
+  executionId?: string
   signal?: AbortSignal
   onProgress?: (event: UploadProgressEvent) => void
 }
@@ -549,8 +557,17 @@ export interface RunUploadStrategyOptions {
 export const runUploadStrategy = async (
   opts: RunUploadStrategyOptions
 ): Promise<UploadStrategyResult> => {
-  const { file, presignedEndpoint, presignedOverride, workspaceId, context, signal, onProgress } =
-    opts
+  const {
+    file,
+    presignedEndpoint,
+    presignedOverride,
+    workspaceId,
+    context,
+    workflowId,
+    executionId,
+    signal,
+    onProgress,
+  } = opts
   const contentType = getFileContentType(file)
 
   if (presignedOverride && !presignedOverride.directUploadSupported) {
@@ -562,6 +579,8 @@ export const runUploadStrategy = async (
       file,
       workspaceId,
       context,
+      workflowId,
+      executionId,
       signal,
       onProgress,
     })