feat(file): add Manage Sharing operation to the File block (#5177)

* feat(file): add Set File Sharing operation to the File block

Adds a new file_set_sharing operation to the File block (file_v5) that
idempotently enables/disables a file's public share link and sets its
access mode (public, password, email, SSO). The set_sharing route case
reuses upsertFileShare, requires write/admin, gates enabling through the
EE public-sharing policy, and records a share audit. Returns an empty url
when set to private so a disabled link isn't handed back as a dead link.

* fix(file): harden set_sharing — explicit isActive, agent-controllable params, policy gate + perm-check ordering

Addresses review findings:
- Make isActive explicit/required so a bare call no longer silently enables a public link
- Expose isActive/authType/allowedEmails as user-or-llm so agents can disable/configure shares (password stays user-only)
- Resolve authType from the existing share before the EE policy gate to close a re-enable bypass
- Run the write/admin permission check before the file lookup to remove a file-existence side channel

* refactor(file): rename file operation to Manage Sharing

Renames the file_set_sharing operation to file_manage_sharing (route literal
manage_sharing, tool Manage Sharing) across the contract, route, tool, block,
registry, and tests.

* fix(file): complete Manage Sharing rename in tools barrel

Prior commit's lint-staged dropped the barrel re-export update, leaving
index.ts importing the deleted set-sharing module and breaking the block
registry check. Point the barrel at manage-sharing.

* fix(file): require isActive in tool params type, reject multiple files in manage sharing

- FileManageSharingParams.isActive is now required, matching the tool param
  and contract (no compile-time gap that 400s at runtime)
- manage_sharing rejects multiple canonical file IDs instead of silently
  sharing only the first, matching decompress

* fix(file): resolve basic-picker files for manage sharing

The basic file-upload picker stores a workspace file as { name, path, key,
size, type } with no canonical id, so manage_sharing failed those picks with
'Could not determine the file to share'. The block now passes the picked
object as fileInput when it lacks an id, and the route resolves the canonical
id from the storage key via getFileMetadataByKey. Contract accepts fileId OR
fileInput (mirroring read/get content).

Author: TheodoreSpeaks

apps/sim/app/api/tools/file/manage/route.ts

@@ -1,5 +1,6 @@
 import { Buffer, isUtf8 } from 'buffer'
 import type { Readable } from 'stream'
+import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import { createLogger } from '@sim/logger'
 import { getErrorMessage } from '@sim/utils/errors'
 import { generateShortId } from '@sim/utils/id'
@@ -14,6 +15,11 @@ import { generateRequestId } from '@/lib/core/utils/request'
 import { ensureAbsoluteUrl } from '@/lib/core/utils/urls'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
 import { isSupportedFileType, parseBuffer } from '@/lib/file-parsers'
+import {
+  getShareForResource,
+  ShareValidationError,
+  upsertFileShare,
+} from '@/lib/public-shares/share-manager'
 import { ensureWorkspaceFileFolderPath } from '@/lib/uploads/contexts/workspace/workspace-file-folder-manager'
 import {
   fetchWorkspaceFileBuffer,
@@ -22,14 +28,20 @@ import {
   updateWorkspaceFileContent,
   uploadWorkspaceFile,
 } from '@/lib/uploads/contexts/workspace/workspace-file-manager'
+import { getFileMetadataByKey } from '@/lib/uploads/server/metadata'
 import { getFileExtension, getMimeTypeFromExtension } from '@/lib/uploads/utils/file-utils'
 import { downloadFileFromStorage } from '@/lib/uploads/utils/file-utils.server'
 import { performMoveWorkspaceFileItems } from '@/lib/workspace-files/orchestration'
 import {
   assertActiveWorkspaceAccess,
+  getUserEntityPermissions,
   isWorkspaceAccessDeniedError,
 } from '@/lib/workspaces/permissions/utils'
 import { assertToolFileAccess } from '@/app/api/files/authorization'
+import {
+  PublicFileSharingNotAllowedError,
+  validatePublicFileSharing,
+} from '@/ee/access-control/utils/permission-check'
 import type { UserFile } from '@/executor/types'
 
 export const dynamic = 'force-dynamic'
@@ -565,6 +577,102 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         })
       }
 
+      case 'manage_sharing': {
+        const { fileId, fileInput, isActive, authType, password, allowedEmails } = body
+
+        // Check permission before probing file existence so a read-only caller
+        // can't distinguish 404 from 403 as a file-existence side channel.
+        // Publishing is more sensitive than the other mutating ops, so it
+        // requires write/admin (not just workspace access) like the share route.
+        const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId)
+        if (permission !== 'admin' && permission !== 'write') {
+          return NextResponse.json(
+            { success: false, error: 'Insufficient permissions' },
+            { status: 403 }
+          )
+        }
+
+        // Resolve the canonical file id. The basic file picker provides an object
+        // with a storage `key` but no id, so map the key to the workspace file row.
+        let resolvedFileId = typeof fileId === 'string' ? fileId : undefined
+        if (!resolvedFileId && fileInput) {
+          const single = Array.isArray(fileInput) ? fileInput[0] : fileInput
+          if (single && typeof single === 'object') {
+            const record = single as Record<string, unknown>
+            if (typeof record.id === 'string' && record.id) resolvedFileId = record.id
+            else if (typeof record.fileId === 'string' && record.fileId)
+              resolvedFileId = record.fileId
+            else if (typeof record.key === 'string' && record.key) {
+              const meta = await getFileMetadataByKey(record.key, 'workspace')
+              resolvedFileId = meta?.id
+            }
+          }
+        }
+        if (!resolvedFileId) {
+          return NextResponse.json(
+            { success: false, error: 'A valid file is required to manage sharing' },
+            { status: 400 }
+          )
+        }
+
+        const file = await getWorkspaceFile(workspaceId, resolvedFileId)
+        if (!file) {
+          return NextResponse.json(
+            { success: false, error: `File not found: "${resolvedFileId}"` },
+            { status: 404 }
+          )
+        }
+
+        // Enabling a share is gated by the org's access-control policy; disabling
+        // is always allowed so users can un-share after the policy is turned on.
+        if (isActive) {
+          // Resolve the auth type the same way upsertFileShare will (falling back
+          // to the existing share's type) so the policy gate can't be bypassed by
+          // re-enabling a pre-existing restricted share without an explicit authType.
+          const existingShare = await getShareForResource('file', resolvedFileId)
+          const resolvedAuthType = authType ?? existingShare?.authType ?? 'public'
+          try {
+            await validatePublicFileSharing(userId, workspaceId, resolvedAuthType)
+          } catch (error) {
+            if (error instanceof PublicFileSharingNotAllowedError) {
+              return NextResponse.json({ success: false, error: error.message }, { status: 403 })
+            }
+            throw error
+          }
+        }
+
+        const share = await upsertFileShare({
+          workspaceId,
+          fileId: resolvedFileId,
+          userId,
+          isActive,
+          authType,
+          password,
+          allowedEmails,
+        })
+
+        recordAudit({
+          workspaceId,
+          actorId: userId,
+          action: isActive ? AuditAction.FILE_SHARED : AuditAction.FILE_SHARE_DISABLED,
+          resourceType: AuditResourceType.FILE,
+          resourceId: resolvedFileId,
+          resourceName: file.name,
+          description: `${isActive ? 'Enabled' : 'Disabled'} public share for "${file.name}"`,
+          request,
+        })
+
+        logger.info('File sharing updated', {
+          fileId: resolvedFileId,
+          isActive,
+          authType: share.authType,
+        })
+
+        // A disabled link doesn't resolve, so don't hand back a dead URL.
+        const responseShare = share.isActive ? share : { ...share, url: '' }
+        return NextResponse.json({ success: true, data: { share: responseShare } })
+      }
+
       case 'append': {
         const { fileName, content } = body
 
@@ -911,6 +1019,9 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         { status: 403 }
       )
     }
+    if (error instanceof ShareValidationError) {
+      return NextResponse.json({ success: false, error: error.message }, { status: 400 })
+    }
     const message = getErrorMessage(error, 'Unknown error')
     logger.error('File operation failed', { operation: body.operation, error: message })
     return NextResponse.json({ success: false, error: message }, { status: 500 })

apps/sim/blocks/blocks.test.ts

@@ -174,6 +174,7 @@ describe.concurrent('Blocks Module', () => {
         'file_append',
         'file_compress',
         'file_decompress',
+        'file_manage_sharing',
       ])
       expect(block?.tools.config?.tool({ operation: 'file_compress' })).toBe('file_compress')
       expect(block?.tools.config?.tool({ operation: 'file_decompress' })).toBe('file_decompress')

apps/sim/blocks/blocks/file.test.ts

@@ -117,4 +117,125 @@ describe('FileV5Block', () => {
       'File is required for get content'
     )
   })
+
+  it('maps manage sharing to public access for a canonical file ID', () => {
+    expect(
+      buildParams({
+        operation: 'file_manage_sharing',
+        shareInput: 'file-1',
+        shareVisibility: 'public',
+        _context: { workspaceId: 'workspace-1' },
+      })
+    ).toEqual({
+      fileId: 'file-1',
+      isActive: true,
+      authType: 'public',
+      password: undefined,
+      allowedEmails: undefined,
+      workspaceId: 'workspace-1',
+    })
+  })
+
+  it('maps private visibility to a disabled share with no authType', () => {
+    expect(
+      buildParams({
+        operation: 'file_manage_sharing',
+        shareInput: 'file-1',
+        shareVisibility: 'private',
+        _context: { workspaceId: 'workspace-1' },
+      })
+    ).toMatchObject({
+      fileId: 'file-1',
+      isActive: false,
+      authType: undefined,
+    })
+  })
+
+  it('passes the password through for password visibility', () => {
+    expect(
+      buildParams({
+        operation: 'file_manage_sharing',
+        shareInput: 'file-1',
+        shareVisibility: 'password',
+        sharePassword: 'hunter2',
+        _context: { workspaceId: 'workspace-1' },
+      })
+    ).toMatchObject({
+      fileId: 'file-1',
+      isActive: true,
+      authType: 'password',
+      password: 'hunter2',
+    })
+  })
+
+  it('splits allowed emails for email visibility', () => {
+    expect(
+      buildParams({
+        operation: 'file_manage_sharing',
+        shareInput: 'file-1',
+        shareVisibility: 'email',
+        shareAllowedEmails: 'a@example.com, b@example.com\n@acme.com',
+        _context: { workspaceId: 'workspace-1' },
+      })
+    ).toMatchObject({
+      fileId: 'file-1',
+      isActive: true,
+      authType: 'email',
+      allowedEmails: ['a@example.com', 'b@example.com', '@acme.com'],
+    })
+  })
+
+  it('resolves the file ID from a selected workspace file object for manage sharing', () => {
+    expect(
+      buildParams({
+        operation: 'file_manage_sharing',
+        shareInput: [{ id: 'file-9', name: 'report.pdf' }],
+        shareVisibility: 'public',
+        _context: { workspaceId: 'workspace-1' },
+      })
+    ).toMatchObject({
+      fileId: 'file-9',
+      isActive: true,
+      authType: 'public',
+    })
+  })
+
+  it('passes a picker file object without an id through as fileInput for manage sharing', () => {
+    const picked = {
+      name: 'report.pdf',
+      key: 'workspace/workspace-1/123-abc-report.pdf',
+      path: '/api/files/serve/workspace%2Fworkspace-1%2F123-abc-report.pdf?context=workspace',
+      size: 10,
+      type: 'application/pdf',
+    }
+    expect(
+      buildParams({
+        operation: 'file_manage_sharing',
+        shareInput: [picked],
+        shareVisibility: 'public',
+        _context: { workspaceId: 'workspace-1' },
+      })
+    ).toMatchObject({
+      fileInput: picked,
+      isActive: true,
+      authType: 'public',
+    })
+  })
+
+  it('throws when no file is provided for manage sharing', () => {
+    expect(() => buildParams({ operation: 'file_manage_sharing' })).toThrow(
+      'File is required to manage sharing'
+    )
+  })
+
+  it('rejects multiple file IDs for manage sharing', () => {
+    expect(() =>
+      buildParams({
+        operation: 'file_manage_sharing',
+        shareInput: '["file-1","file-2"]',
+        shareVisibility: 'public',
+        _context: { workspaceId: 'workspace-1' },
+      })
+    ).toThrow('Manage Sharing accepts a single file at a time')
+  })
 })