fix(credentials): reflect workspace permission in credential member role

Workspace admin users were incorrectly assigned 'member' role on
credential_member when workspace-scoped secrets were created or synced.
Only the workspace owner got 'admin'. Now workspace permissions table
is consulted: owner/admin → credential admin, write/read → member.

- environment.ts: query workspace permissions in ensureWorkspaceCredentialMemberships
- route.ts POST: apply same mapping during credential creation

Author: minijeong-log

apps/sim/app/api/credentials/route.ts

@@ -1,6 +1,6 @@
 import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import { db } from '@sim/db'
-import { account, credential, credentialMember, workspace } from '@sim/db/schema'
+import { account, credential, credentialMember, permissions, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
 import { getPostgresErrorCode } from '@sim/utils/errors'
 import { generateId } from '@sim/utils/id'
@@ -535,17 +535,30 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
       })
 
       if ((type === 'env_workspace' || type === 'service_account') && workspaceRow?.ownerId) {
-        const workspaceUserIds = await getWorkspaceMemberUserIds(workspaceId)
+        const [workspaceUserIds, wsPermissionRows] = await Promise.all([
+          getWorkspaceMemberUserIds(workspaceId),
+          db
+            .select({ userId: permissions.userId, permissionType: permissions.permissionType })
+            .from(permissions)
+            .where(
+              and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId))
+            ),
+        ])
+        const wsPermissionByUser = new Map(
+          wsPermissionRows.map((row) => [row.userId, row.permissionType])
+        )
         if (workspaceUserIds.length > 0) {
           for (const memberUserId of workspaceUserIds) {
+            const wsPermission = wsPermissionByUser.get(memberUserId)
+            const isAdmin =
+              memberUserId === workspaceRow.ownerId ||
+              memberUserId === session.user.id ||
+              wsPermission === 'admin'
             await tx.insert(credentialMember).values({
               id: generateId(),
               credentialId,
               userId: memberUserId,
-              role:
-                memberUserId === workspaceRow.ownerId || memberUserId === session.user.id
-                  ? 'admin'
-                  : 'member',
+              role: isAdmin ? 'admin' : 'member',
               status: 'active',
               joinedAt: now,
               invitedBy: session.user.id,

apps/sim/lib/credentials/environment.ts

@@ -64,10 +64,20 @@ export async function getUserWorkspaceIds(userId: string): Promise<string[]> {
 async function ensureWorkspaceCredentialMemberships(
   credentialId: string,
   memberUserIds: string[],
-  ownerUserId: string
+  ownerUserId: string,
+  workspaceId: string
 ) {
   if (!memberUserIds.length) return
 
+  const workspacePermissionRows = await db
+    .select({ userId: permissions.userId, permissionType: permissions.permissionType })
+    .from(permissions)
+    .where(and(eq(permissions.entityType, 'workspace'), eq(permissions.entityId, workspaceId)))
+
+  const wsPermissionByUser = new Map(
+    workspacePermissionRows.map((row) => [row.userId, row.permissionType])
+  )
+
   const existingMemberships = await db
     .select({
       id: credentialMember.id,
@@ -87,7 +97,8 @@ async function ensureWorkspaceCredentialMemberships(
   const now = new Date()
 
   for (const memberUserId of memberUserIds) {
-    const targetRole = memberUserId === ownerUserId ? 'admin' : 'member'
+    const wsPermission = wsPermissionByUser.get(memberUserId)
+    const targetRole = memberUserId === ownerUserId || wsPermission === 'admin' ? 'admin' : 'member'
     const existing = byUserId.get(memberUserId)
     if (existing) {
       if (existing.status === 'revoked') {
@@ -182,7 +193,12 @@ export async function syncWorkspaceEnvCredentials(params: {
   }
 
   for (const credentialId of credentialIdsToEnsureMembership) {
-    await ensureWorkspaceCredentialMemberships(credentialId, memberUserIds, workspaceRow.ownerId)
+    await ensureWorkspaceCredentialMemberships(
+      credentialId,
+      memberUserIds,
+      workspaceRow.ownerId,
+      workspaceId
+    )
   }
 
   if (normalizedKeys.length > 0) {