added tests, normalize to lower case

Author: waleedlatif1

apps/sim/app/api/settings/allowed-integrations/route.ts

@@ -1,7 +1,13 @@
 import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
 import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
 
 export async function GET() {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
   return NextResponse.json({
     allowedIntegrations: getAllowedIntegrationsFromEnv(),
   })

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/integrations/integrations.tsx

@@ -223,12 +223,8 @@ export function Integrations({ onOpenChange, registerCloseHandler }: Integration
     }
   }
 
-  // Group services by provider, filtering by permission config
   const groupedServices = services.reduce(
     (acc, service) => {
-      // Filter based on allowedIntegrations
-      // Normalize hyphens to underscores since service IDs use hyphens (e.g., "google-drive")
-      // but block types in the allowlist use underscores (e.g., "google_drive")
       if (
         permissionConfig.allowedIntegrations !== null &&
         !permissionConfig.allowedIntegrations.includes(service.id.replace(/-/g, '_'))

apps/sim/ee/access-control/utils/permission-check.test.ts

@@ -52,7 +52,57 @@ vi.doMock('@/providers/utils', () => ({
   getProviderFromModel: mockGetProviderFromModel,
 }))
 
-const { IntegrationNotAllowedError, validateBlockType } = await import('./permission-check')
+const { IntegrationNotAllowedError, getUserPermissionConfig, validateBlockType } = await import(
+  './permission-check'
+)
+
+describe('IntegrationNotAllowedError', () => {
+  it.concurrent('creates error with correct name and message', () => {
+    const error = new IntegrationNotAllowedError('discord')
+
+    expect(error).toBeInstanceOf(Error)
+    expect(error.name).toBe('IntegrationNotAllowedError')
+    expect(error.message).toContain('discord')
+  })
+
+  it.concurrent('includes custom reason when provided', () => {
+    const error = new IntegrationNotAllowedError('discord', 'blocked by server policy')
+
+    expect(error.message).toContain('blocked by server policy')
+  })
+})
+
+describe('getUserPermissionConfig', () => {
+  beforeEach(() => {
+    vi.clearAllMocks()
+  })
+
+  it('returns null when no env allowlist is configured', async () => {
+    mockGetAllowedIntegrationsFromEnv.mockReturnValue(null)
+
+    const config = await getUserPermissionConfig('user-123')
+
+    expect(config).toBeNull()
+  })
+
+  it('returns config with env allowlist when configured', async () => {
+    mockGetAllowedIntegrationsFromEnv.mockReturnValue(['slack', 'gmail'])
+
+    const config = await getUserPermissionConfig('user-123')
+
+    expect(config).not.toBeNull()
+    expect(config!.allowedIntegrations).toEqual(['slack', 'gmail'])
+  })
+
+  it('preserves default values for non-allowlist fields', async () => {
+    mockGetAllowedIntegrationsFromEnv.mockReturnValue(['slack'])
+
+    const config = await getUserPermissionConfig('user-123')
+
+    expect(config!.disableMcpTools).toBe(false)
+    expect(config!.allowedModelProviders).toBeNull()
+  })
+})
 
 describe('validateBlockType', () => {
   beforeEach(() => {
@@ -110,27 +160,46 @@ describe('validateBlockType', () => {
     it('includes reason in error for env-only enforcement', async () => {
       await expect(validateBlockType(undefined, 'discord')).rejects.toThrow(/ALLOWED_INTEGRATIONS/)
     })
+
+    it('does not include env reason when userId is provided', async () => {
+      await expect(validateBlockType('user-123', 'discord')).rejects.toThrow(
+        /permission group settings/
+      )
+    })
   })
 })
 
 describe('service ID to block type normalization', () => {
-  it('hyphenated service IDs match underscore block types after normalization', () => {
+  it.concurrent('hyphenated service IDs match underscore block types after normalization', () => {
     const allowedBlockTypes = [
       'google_drive',
       'microsoft_excel',
       'microsoft_teams',
       'google_sheets',
+      'google_docs',
+      'google_calendar',
+      'google_forms',
+      'microsoft_planner',
+    ]
+    const serviceIds = [
+      'google-drive',
+      'microsoft-excel',
+      'microsoft-teams',
+      'google-sheets',
+      'google-docs',
+      'google-calendar',
+      'google-forms',
+      'microsoft-planner',
     ]
-    const serviceIds = ['google-drive', 'microsoft-excel', 'microsoft-teams', 'google-sheets']
 
     for (const serviceId of serviceIds) {
       const normalized = serviceId.replace(/-/g, '_')
       expect(allowedBlockTypes).toContain(normalized)
     }
   })
 
-  it('single-word service IDs are unaffected by normalization', () => {
-    const serviceIds = ['slack', 'gmail', 'notion', 'discord']
+  it.concurrent('single-word service IDs are unaffected by normalization', () => {
+    const serviceIds = ['slack', 'gmail', 'notion', 'discord', 'jira', 'trello']
 
     for (const serviceId of serviceIds) {
       const normalized = serviceId.replace(/-/g, '_')

apps/sim/lib/copilot/process-contents.ts

@@ -352,7 +352,7 @@ async function processBlockMetadata(
     if (userId) {
       const permissionConfig = await getUserPermissionConfig(userId)
       const allowedIntegrations = permissionConfig?.allowedIntegrations
-      if (allowedIntegrations != null && !allowedIntegrations.includes(blockId)) {
+      if (allowedIntegrations != null && !allowedIntegrations.includes(blockId.toLowerCase())) {
         logger.debug('Block not allowed by permission group', { blockId, userId })
         return null
       }

apps/sim/lib/copilot/tools/server/blocks/get-block-config.ts

@@ -441,7 +441,7 @@ export const getBlockConfigServerTool: BaseServerTool<
     const permissionConfig = context?.userId ? await getUserPermissionConfig(context.userId) : null
     const allowedIntegrations = permissionConfig?.allowedIntegrations
 
-    if (allowedIntegrations != null && !allowedIntegrations.includes(blockType)) {
+    if (allowedIntegrations != null && !allowedIntegrations.includes(blockType.toLowerCase())) {
       throw new Error(`Block "${blockType}" is not available`)
     }
 

apps/sim/lib/copilot/tools/server/blocks/get-block-options.ts

@@ -61,7 +61,7 @@ export const getBlockOptionsServerTool: BaseServerTool<
     const permissionConfig = context?.userId ? await getUserPermissionConfig(context.userId) : null
     const allowedIntegrations = permissionConfig?.allowedIntegrations
 
-    if (allowedIntegrations != null && !allowedIntegrations.includes(blockId)) {
+    if (allowedIntegrations != null && !allowedIntegrations.includes(blockId.toLowerCase())) {
       throw new Error(`Block "${blockId}" is not available`)
     }
 

apps/sim/lib/copilot/tools/server/blocks/get-blocks-and-tools.ts

@@ -30,7 +30,8 @@ export const getBlocksAndToolsServerTool: BaseServerTool<
     Object.entries(blockRegistry)
       .filter(([blockType, blockConfig]: [string, BlockConfig]) => {
         if (blockConfig.hideFromToolbar) return false
-        if (allowedIntegrations != null && !allowedIntegrations.includes(blockType)) return false
+        if (allowedIntegrations != null && !allowedIntegrations.includes(blockType.toLowerCase()))
+          return false
         return true
       })
       .forEach(([blockType, blockConfig]: [string, BlockConfig]) => {

apps/sim/lib/copilot/tools/server/blocks/get-blocks-metadata-tool.ts

@@ -116,7 +116,7 @@ export const getBlocksMetadataServerTool: BaseServerTool<
 
     const result: Record<string, CopilotBlockMetadata> = {}
     for (const blockId of blockIds || []) {
-      if (allowedIntegrations != null && !allowedIntegrations.includes(blockId)) {
+      if (allowedIntegrations != null && !allowedIntegrations.includes(blockId.toLowerCase())) {
         logger.debug('Block not allowed by permission group', { blockId })
         continue
       }

apps/sim/lib/copilot/tools/server/blocks/get-trigger-blocks.ts

@@ -28,7 +28,8 @@ export const getTriggerBlocksServerTool: BaseServerTool<
 
     Object.entries(blockRegistry).forEach(([blockType, blockConfig]: [string, BlockConfig]) => {
       if (blockConfig.hideFromToolbar) return
-      if (allowedIntegrations != null && !allowedIntegrations.includes(blockType)) return
+      if (allowedIntegrations != null && !allowedIntegrations.includes(blockType.toLowerCase()))
+        return
 
       if (blockConfig.category === 'triggers') {
         triggerBlockIds.push(blockType)

apps/sim/lib/copilot/tools/server/workflow/edit-workflow/validation.ts

@@ -657,7 +657,7 @@ export function isBlockTypeAllowed(
   if (!permissionConfig || permissionConfig.allowedIntegrations === null) {
     return true
   }
-  return permissionConfig.allowedIntegrations.includes(blockType)
+  return permissionConfig.allowedIntegrations.includes(blockType.toLowerCase())
 }
 
 /**