fix(uploads): gate execution-context uploads behind write/admin permission #5404
…ssion

Fallback multipart upload route (/api/files/upload) had no workspace permission check for execution-context uploads, unlike the primary presigned-upload route which requires write/admin. Mirror that gate so both paths enforce the same access control.
PR Summary
Medium Risk
Overview
The execution branch now requires
Tests add mocks for
Reviewed by Cursor Bugbot for commit db30831.

Summary
- /api/files/upload) had no workspace-permission check for execution-context uploads, while the primary presigned-upload route (/api/files/presigned) already requires write/admin for the same upload type.
- write/admin gate to the fallback route's execution branch, and now require workspaceId (in addition to workflowId/executionId) before proceeding, matching the presigned route's validation.

Note: self-hosted deployments without cloud storage configured will now require write/admin workspace permission for execution-context uploads via this fallback path, matching the existing requirement on the primary presigned-upload path.
Type of Change
Testing
- bun run vitest run app/api/files/upload/route.test.ts — 19/19 passing.
- bun run check:api-validation passes.

Checklist
Supersedes #5403, whose source branch (worktree-deepsec-fresh) had a polluted commit history (~100 unrelated commits from a bad rebase/merge). Same code, clean single-commit branch off current staging.
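
The pattern this PR describes, as an added example that is not the project's code: both upload routes call one guard, so the write/admin requirement and the required IDs cannot drift between the primary and fallback paths. Every function and type name, the synchronous permission lookup, the 400/403 status codes and the sample data are assumptions made for illustration.

```typescript
// Added example: hypothetical names, not the project's own code.
type WorkspaceRole = 'read' | 'write' | 'admin'

interface ExecutionUpload {
  userId: string
  workspaceId?: string
  workflowId?: string
  executionId?: string
}

type GuardDecision = { ok: true } | { ok: false; status: 400 | 403; error: string }

// Assumed lookup: null means the user has no role in the workspace.
type RoleLookup = (userId: string, workspaceId: string) => WorkspaceRole | null

// The one guard for execution-context uploads. It fails closed on missing IDs
// and on any role other than write/admin (including no role at all).
function authorizeExecutionUpload(req: ExecutionUpload, lookup: RoleLookup): GuardDecision {
  if (!req.workspaceId || !req.workflowId || !req.executionId) {
    return { ok: false, status: 400, error: 'workspaceId, workflowId and executionId are required' }
  }
  const role = lookup(req.userId, req.workspaceId)
  if (role !== 'write' && role !== 'admin') {
    return { ok: false, status: 403, error: 'write or admin permission required' }
  }
  return { ok: true }
}

function statusOf(d: GuardDecision): number {
  return d.ok ? 200 : d.status
}

// Stand-ins for the two route handlers: each returns the HTTP status it would send.
// Neither carries its own copy of the check.
function presignedRoute(req: ExecutionUpload, lookup: RoleLookup): number {
  return statusOf(authorizeExecutionUpload(req, lookup))
}
function fallbackUploadRoute(req: ExecutionUpload, lookup: RoleLookup): number {
  return statusOf(authorizeExecutionUpload(req, lookup))
}

// Constructed sample data.
const sampleRoles: Record<string, WorkspaceRole> = { 'alice:ws1': 'admin', 'bob:ws1': 'write', 'carol:ws1': 'read' }
const sampleLookup: RoleLookup = (userId, workspaceId) => sampleRoles[`${userId}:${workspaceId}`] ?? null
const sampleIds = { workspaceId: 'ws1', workflowId: 'wf1', executionId: 'ex1' }
```

A regression test that runs the same request matrix against every route accepting execution-context uploads catches the case where a new route is added without the guard.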