Fix Flowise 788 Improve Tenant Validation#6620
Conversation
There was a problem hiding this comment.
Code Review
This pull request introduces organization and workspace scoping to several enterprise controllers, ensuring operations are bound to the active organization of the authenticated user, and blacklists these endpoints from API key access. The code review highlights critical security improvements, including adding missing authorization checks for managing organization users, addressing potential IDOR vulnerabilities by sourcing workspace IDs from the user session rather than request payloads, and validating workspace accessibility before deletion. Additionally, it is recommended to consistently use the strongly-typed getLoggedInUser(req) helper instead of accessing req.user directly.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
FLOWISE-788