@@ -46,35 +46,13 @@ export class ForkError extends HttpError {
4646async function requireWorkspace (
4747 workspaceId : string ,
4848 userId : string
49- ) : Promise < {
50- workspace : WorkspaceWithOwner
51- hasAccess : boolean
52- canWrite : boolean
53- canAdmin : boolean
54- } > {
49+ ) : Promise < { workspace : WorkspaceWithOwner ; canAdmin : boolean } > {
5550 const access = await checkWorkspaceAccess ( workspaceId , userId )
5651 if ( ! access . exists || ! access . workspace ) {
5752 throw new ForkError ( 'Workspace not found' , 404 )
5853 }
5954 await assertForkingEnabled ( access . workspace . organizationId )
60- return {
61- workspace : access . workspace ,
62- hasAccess : access . hasAccess ,
63- canWrite : access . canWrite ,
64- canAdmin : access . canAdmin ,
65- }
66- }
67-
68- /** Require at least read access; returns the (active) workspace. */
69- export async function assertWorkspaceReadAccess (
70- workspaceId : string ,
71- userId : string
72- ) : Promise < WorkspaceWithOwner > {
73- const { workspace, hasAccess } = await requireWorkspace ( workspaceId , userId )
74- if ( ! hasAccess ) {
75- throw new ForkError ( 'You do not have access to this workspace' , 403 )
76- }
77- return workspace
55+ return { workspace : access . workspace , canAdmin : access . canAdmin }
7856}
7957
8058/** Require admin access; returns the (active) workspace. */
@@ -128,9 +106,10 @@ export interface PromoteAuthorization {
128106
129107/**
130108 * Authorize a promote along the strict edge between `currentWorkspaceId` and
131- * `otherWorkspaceId`. Requires read on the source and admin on the target (a
132- * force replace is destructive). `push` sends current -> other; `pull` brings
133- * other -> current.
109+ * `otherWorkspaceId`. Requires admin on BOTH the source and the target: a sync
110+ * reads the source's deployed workflows/resources and force-replaces the target's,
111+ * and the sync surface is only ever offered to workspace admins. `push` sends
112+ * current -> other; `pull` brings other -> current.
134113 */
135114export async function assertCanPromote (
136115 currentWorkspaceId : string ,
@@ -144,7 +123,7 @@ export async function assertCanPromote(
144123 }
145124 const sourceWorkspaceId = direction === 'push' ? currentWorkspaceId : otherWorkspaceId
146125 const targetWorkspaceId = direction === 'push' ? otherWorkspaceId : currentWorkspaceId
147- const source = await assertWorkspaceReadAccess ( sourceWorkspaceId , userId )
126+ const source = await assertWorkspaceAdminAccess ( sourceWorkspaceId , userId )
148127 const target = await assertWorkspaceAdminAccess ( targetWorkspaceId , userId )
149128 return { edge, source, target, sourceWorkspaceId, targetWorkspaceId }
150129}
0 commit comments