feat: Implement runtine check for enterprise features

packages/cli/src/UserManagement/PermissionChecker.ts

@@ -1,6 +1,9 @@
 import { INode, NodeOperationError, Workflow } from 'n8n-workflow';
-import { In } from 'typeorm';
+import { FindManyOptions, In, ObjectLiteral } from 'typeorm';
 import * as Db from '@/Db';
+import config from '@/config';
+import type { SharedCredentials } from '@db/entities/SharedCredentials';
+import { getRole } from './UserManagementHelper';
 
 export class PermissionChecker {
 	/**
@@ -26,23 +29,30 @@ export class PermissionChecker {
 		// allow if all creds used in this workflow are a subset of
 		// all creds accessible to users who have access to this workflow
 
-		let workflowUserIds: string[] = [];
+		let workflowUserIds = [userId];
 
-		if (workflow.id) {
+		if (workflow.id && config.getEnv('enterprise.workflowSharingEnabled')) {
 			const workflowSharings = await Db.collections.SharedWorkflow.find({
 				relations: ['workflow'],
 				where: { workflow: { id: Number(workflow.id) } },
 			});
-
 			workflowUserIds = workflowSharings.map((s) => s.userId);
-		} else {
-			// unsaved workflows have no id, so only get credentials for current user
-			workflowUserIds = [userId];
 		}
 
-		const credentialSharings = await Db.collections.SharedCredentials.find({
-			where: { user: In(workflowUserIds) },
-		});
+		const credentialsWhereCondition: FindManyOptions<SharedCredentials> & { where: ObjectLiteral } =
+			{
+				where: { user: In(workflowUserIds) },
+			};
+
+		if (!config.getEnv('enterprise.features.sharing')) {
+			// If credential sharing is not enabled, get only credentials owned by this user
+			const credentialOwnerRole = await getRole('credential', 'owner');
+			credentialsWhereCondition.where.role = credentialOwnerRole;
+		}
+
+		const credentialSharings = await Db.collections.SharedCredentials.find(
+			credentialsWhereCondition,
+		);
 
 		const accessibleCredIds = credentialSharings.map((s) => s.credentialId.toString());
 

packages/cli/src/UserManagement/UserManagementHelper.ts

@@ -9,7 +9,7 @@ import * as Db from '@/Db';
 import * as ResponseHelper from '@/ResponseHelper';
 import { PublicUser } from './Interfaces';
 import { MAX_PASSWORD_LENGTH, MIN_PASSWORD_LENGTH, User } from '@db/entities/User';
-import { Role } from '@db/entities/Role';
+import { Role, RoleNames, RoleScopes } from '@db/entities/Role';
 import { AuthenticatedRequest } from '@/requests';
 import config from '@/config';
 import { getWebhookBaseUrl } from '../WebhookHelpers';
@@ -78,6 +78,16 @@ export async function getInstanceOwner(): Promise<User> {
 	return owner;
 }
 
+export async function getRole(scope: RoleScopes, name: RoleNames): Promise<Role> {
+	const role = await Db.collections.Role.findOneOrFail({
+		where: {
+			name,
+			scope,
+		},
+	});
+	return role;
+}
+
 /**
  * Return the n8n instance base URL without trailing slash.
  */

packages/cli/src/databases/entities/Role.ts

@@ -6,8 +6,8 @@ import { SharedWorkflow } from './SharedWorkflow';
 import { SharedCredentials } from './SharedCredentials';
 import { AbstractEntity } from './AbstractEntity';
 
-type RoleNames = 'owner' | 'member' | 'user' | 'editor';
-type RoleScopes = 'global' | 'workflow' | 'credential';
+export type RoleNames = 'owner' | 'member' | 'user' | 'editor';
+export type RoleScopes = 'global' | 'workflow' | 'credential';
 
 @Entity()
 @Unique(['scope', 'name'])