fix(security): align workspace env admin gate with hasWorkspaceAdminAccess

Use the same admin check the secrets UI uses (owner, admin permission, or
org-admin) so owners and org-admins are not wrongly denied their own decrypted
workspace secrets, while read-only members remain restricted to names only.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

Author: waleedlatif1

apps/sim/app/api/workspaces/[id]/environment/route.test.ts

@@ -47,11 +47,13 @@ describe('GET /api/workspaces/[id]/environment', () => {
     vi.clearAllMocks()
     authMockFns.mockGetSession.mockResolvedValue({ user: { id: 'user-1' } })
     permissionsMockFns.mockGetWorkspaceById.mockResolvedValue({ id: WORKSPACE_ID })
+    permissionsMockFns.mockHasWorkspaceAdminAccess.mockResolvedValue(false)
     mockGetPersonalAndWorkspaceEnv.mockResolvedValue(ENV_RESULT)
   })
 
   it('returns decrypted workspace values to workspace admins', async () => {
     permissionsMockFns.mockGetUserEntityPermissions.mockResolvedValue('admin')
+    permissionsMockFns.mockHasWorkspaceAdminAccess.mockResolvedValue(true)
 
     const res = await GET(createRequest(), createContext())
     expect(res.status).toBe(200)
@@ -62,9 +64,10 @@ describe('GET /api/workspaces/[id]/environment', () => {
   })
 
   it.each(['write', 'read'] as const)(
-    'returns only variable names (empty values) to %s members',
+    'returns only variable names (empty values) to non-admin %s members',
     async (permission) => {
       permissionsMockFns.mockGetUserEntityPermissions.mockResolvedValue(permission)
+      permissionsMockFns.mockHasWorkspaceAdminAccess.mockResolvedValue(false)
 
       const res = await GET(createRequest(), createContext())
       expect(res.status).toBe(200)
@@ -77,6 +80,17 @@ describe('GET /api/workspaces/[id]/environment', () => {
     }
   )
 
+  it('returns decrypted values to an admin-access user whose permission row is not "admin" (owner/org-admin)', async () => {
+    permissionsMockFns.mockGetUserEntityPermissions.mockResolvedValue('write')
+    permissionsMockFns.mockHasWorkspaceAdminAccess.mockResolvedValue(true)
+
+    const res = await GET(createRequest(), createContext())
+    expect(res.status).toBe(200)
+
+    const body = await res.json()
+    expect(body.data.workspace).toEqual(ENV_RESULT.workspaceDecrypted)
+  })
+
   it('rejects users without any workspace permission', async () => {
     permissionsMockFns.mockGetUserEntityPermissions.mockResolvedValue(null)
 

apps/sim/app/api/workspaces/[id]/environment/route.ts

@@ -23,7 +23,11 @@ import {
   getPersonalAndWorkspaceEnv,
   invalidateEffectiveDecryptedEnvCache,
 } from '@/lib/environment/utils'
-import { getUserEntityPermissions, getWorkspaceById } from '@/lib/workspaces/permissions/utils'
+import {
+  getUserEntityPermissions,
+  getWorkspaceById,
+  hasWorkspaceAdminAccess,
+} from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('WorkspaceEnvironmentAPI')
 
@@ -53,14 +57,16 @@ export const GET = withRouteHandler(
         return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
       }
 
-      const { workspaceEncrypted, workspaceDecrypted, personalDecrypted, conflicts } =
-        await getPersonalAndWorkspaceEnv(userId, workspaceId)
+      const [isAdmin, { workspaceEncrypted, workspaceDecrypted, personalDecrypted, conflicts }] =
+        await Promise.all([
+          hasWorkspaceAdminAccess(userId, workspaceId),
+          getPersonalAndWorkspaceEnv(userId, workspaceId),
+        ])
 
       // Only workspace admins may read plaintext secrets; others get variable names with empty values.
-      const workspace =
-        permission === 'admin'
-          ? workspaceDecrypted
-          : Object.fromEntries(Object.keys(workspaceEncrypted).map((key) => [key, '']))
+      const workspace = isAdmin
+        ? workspaceDecrypted
+        : Object.fromEntries(Object.keys(workspaceEncrypted).map((key) => [key, '']))
 
       return NextResponse.json(
         {