fix(data-drains): apply feature-flag and enterprise gates to read routes

waleedlatif1 · claude · waleedlatif1 · commit feb68274c255 · 2026-05-04T20:29:57.000-07:00
Only role enforcement should relax for read-only callers — feature-flag
and enterprise-plan checks must apply to reads too. Otherwise on
self-hosted with DATA_DRAINS_ENABLED unset any org member can enumerate
drain configs (bucket names, webhook URLs), and on Cloud an org that
downgraded off Enterprise still exposes its old drain configs to every
member.

Co-Authored-By: Claude Opus 4.7 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/lib/data-drains/access.ts b/apps/sim/lib/data-drains/access.ts
@@ -59,16 +59,32 @@ export async function authorizeDrainAccess(
     }
   }
 
-  if (options.requireMutating) {
-    if (!isBillingEnabled && !isDataDrainsEnabled) {
+  // Feature-flag and enterprise-plan gates apply to reads as well as writes —
+  // drain configs (bucket names, webhook URLs) are sensitive enough that an
+  // org member shouldn't be able to enumerate them on a deployment that
+  // hasn't opted in or after a downgrade off Enterprise.
+  if (!isBillingEnabled && !isDataDrainsEnabled) {
+    return {
+      ok: false,
+      response: NextResponse.json(
+        { error: 'Data Drains are not enabled on this deployment' },
+        { status: 404 }
+      ),
+    }
+  }
+  if (isBillingEnabled) {
+    const hasEnterprise = await isOrganizationOnEnterprisePlan(organizationId)
+    if (!hasEnterprise) {
       return {
         ok: false,
         response: NextResponse.json(
-          { error: 'Data Drains are not enabled on this deployment' },
-          { status: 404 }
+          { error: 'Data Drains are available on Enterprise plans only' },
+          { status: 403 }
         ),
       }
     }
+  }
+  if (options.requireMutating) {
     if (memberEntry.role !== 'owner' && memberEntry.role !== 'admin') {
       return {
         ok: false,
@@ -78,18 +94,6 @@ export async function authorizeDrainAccess(
         ),
       }
     }
-    if (isBillingEnabled) {
-      const hasEnterprise = await isOrganizationOnEnterprisePlan(organizationId)
-      if (!hasEnterprise) {
-        return {
-          ok: false,
-          response: NextResponse.json(
-            { error: 'Data Drains are available on Enterprise plans only' },
-            { status: 403 }
-          ),
-        }
-      }
-    }
   }
 
   return {
