fix(workspaces): add admin authorization, audit log, and posthog event for workspace logo uploads

Author: waleedlatif1

apps/sim/app/api/files/upload/route.ts

@@ -2,7 +2,9 @@ import { createLogger } from '@sim/logger'
 import { type NextRequest, NextResponse } from 'next/server'
 import { sanitizeFileName } from '@/executor/constants'
 import '@/lib/uploads/core/setup.server'
+import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
+import { captureServerEvent } from '@/lib/posthog/server'
 import type { StorageContext } from '@/lib/uploads/config'
 import { generateWorkspaceFileKey } from '@/lib/uploads/contexts/workspace/workspace-file-manager'
 import { isImageFileType } from '@/lib/uploads/utils/file-utils'
@@ -294,6 +296,25 @@ export async function POST(request: NextRequest) {
           )
         }
 
+        if (context === 'workspace-logos') {
+          if (!workspaceId) {
+            throw new InvalidRequestError(
+              'workspace-logos context requires workspaceId parameter'
+            )
+          }
+          const permission = await getUserEntityPermissions(
+            session.user.id,
+            'workspace',
+            workspaceId
+          )
+          if (permission !== 'admin') {
+            return NextResponse.json(
+              { error: 'Admin access required for workspace logo uploads' },
+              { status: 403 }
+            )
+          }
+        }
+
         if (context === 'chat' && workspaceId) {
           const permission = await getUserEntityPermissions(
             session.user.id,
@@ -351,6 +372,33 @@ export async function POST(request: NextRequest) {
         }
 
         logger.info(`Successfully uploaded ${context} file: ${fileInfo.key}`)
+
+        if (context === 'workspace-logos' && workspaceId) {
+          recordAudit({
+            workspaceId,
+            actorId: session.user.id,
+            actorName: session.user.name,
+            actorEmail: session.user.email,
+            action: AuditAction.FILE_UPLOADED,
+            resourceType: AuditResourceType.WORKSPACE,
+            resourceId: workspaceId,
+            description: `Uploaded workspace logo "${originalName}"`,
+            metadata: {
+              fileName: originalName,
+              fileKey: fileInfo.key,
+              fileSize: buffer.length,
+              fileType: file.type,
+            },
+            request,
+          })
+
+          captureServerEvent(session.user.id, 'workspace_logo_uploaded', {
+            workspace_id: workspaceId,
+            file_name: originalName,
+            file_size: buffer.length,
+          })
+        }
+
         uploadResults.push(uploadResult)
         continue
       }

apps/sim/app/workspace/[workspaceId]/settings/hooks/use-profile-picture-upload.ts

@@ -11,6 +11,7 @@ interface UseProfilePictureUploadProps {
   onError?: (error: string) => void
   currentImage?: string | null
   context?: StorageContext
+  workspaceId?: string
 }
 
 /**
@@ -22,6 +23,7 @@ export function useProfilePictureUpload({
   onError,
   currentImage,
   context = 'profile-pictures',
+  workspaceId,
 }: UseProfilePictureUploadProps = {}) {
   const previewRef = useRef<string | null>(null)
   const fileInputRef = useRef<HTMLInputElement>(null)
@@ -57,6 +59,9 @@ export function useProfilePictureUpload({
         const formData = new FormData()
         formData.append('file', file)
         formData.append('context', context)
+        if (workspaceId) {
+          formData.append('workspaceId', workspaceId)
+        }
 
         const response = await fetch('/api/files/upload', {
           method: 'POST',
@@ -76,7 +81,7 @@ export function useProfilePictureUpload({
         throw new Error(error instanceof Error ? error.message : 'Failed to upload profile picture')
       }
     },
-    [context]
+    [context, workspaceId]
   )
 
   const processFile = useCallback(

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/hooks/use-workspace-logo-upload.ts

@@ -6,6 +6,7 @@ const MAX_FILE_SIZE = 5 * 1024 * 1024 // 5MB
 const ACCEPTED_IMAGE_TYPES = ['image/png', 'image/jpeg', 'image/jpg', 'image/svg+xml', 'image/webp']
 
 interface UseWorkspaceLogoUploadProps {
+  workspaceId?: string
   currentLogoUrl?: string | null
   onUpload?: (url: string | null) => void
   onError?: (error: string) => void
@@ -16,6 +17,7 @@ interface UseWorkspaceLogoUploadProps {
  * Manages file validation, preview generation, and server upload.
  */
 export function useWorkspaceLogoUpload({
+  workspaceId,
   currentLogoUrl,
   onUpload,
   onError,
@@ -25,14 +27,16 @@ export function useWorkspaceLogoUpload({
   const onUploadRef = useRef(onUpload)
   const onErrorRef = useRef(onError)
   const currentLogoUrlRef = useRef(currentLogoUrl)
+  const workspaceIdRef = useRef(workspaceId)
   const [previewUrl, setPreviewUrl] = useState<string | null>(currentLogoUrl || null)
   const [isUploading, setIsUploading] = useState(false)
 
   useEffect(() => {
     onUploadRef.current = onUpload
     onErrorRef.current = onError
     currentLogoUrlRef.current = currentLogoUrl
-  }, [onUpload, onError, currentLogoUrl])
+    workspaceIdRef.current = workspaceId
+  }, [onUpload, onError, currentLogoUrl, workspaceId])
 
   useEffect(() => {
     if (previewRef.current && previewRef.current !== currentLogoUrl) {
@@ -56,6 +60,9 @@ export function useWorkspaceLogoUpload({
     const formData = new FormData()
     formData.append('file', file)
     formData.append('context', 'workspace-logos')
+    if (workspaceIdRef.current) {
+      formData.append('workspaceId', workspaceIdRef.current)
+    }
 
     const response = await fetch('/api/files/upload', {
       method: 'POST',
@@ -116,6 +123,10 @@ export function useWorkspaceLogoUpload({
     [processFile]
   )
 
+  const setTargetWorkspaceId = useCallback((id: string) => {
+    workspaceIdRef.current = id
+  }, [])
+
   const handleRemove = useCallback(() => {
     if (previewRef.current) {
       URL.revokeObjectURL(previewRef.current)
@@ -141,6 +152,7 @@ export function useWorkspaceLogoUpload({
     fileInputRef,
     handleFileChange,
     handleRemove,
+    setTargetWorkspaceId,
     isUploading,
   }
 }

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/sidebar.tsx

@@ -96,8 +96,8 @@ import {
   useRenameTask,
   useTasks,
 } from '@/hooks/queries/tasks'
-import type { Workspace } from '@/hooks/queries/workspace'
 import { useUpdateWorkflow } from '@/hooks/queries/workflows'
+import type { Workspace } from '@/hooks/queries/workspace'
 import { useWorkspaceFiles } from '@/hooks/queries/workspace-files'
 import { usePermissionConfig } from '@/hooks/use-permission-config'
 import { useSettingsNavigation } from '@/hooks/use-settings-navigation'
@@ -465,16 +465,20 @@ export const Sidebar = memo(function Sidebar() {
   const activeWorkspaceFull = workspaces.find((w) => w.id === workspaceId)
   const logoTargetWorkspaceIdRef = useRef<string>(workspaceId)
 
-  const { fileInputRef: logoFileInputRef, handleFileChange: handleLogoFileChange } =
-    useWorkspaceLogoUpload({
-      currentLogoUrl: activeWorkspaceFull?.logoUrl,
-      onUpload: (url) => {
-        updateWorkspace(logoTargetWorkspaceIdRef.current, { logoUrl: url })
-      },
-      onError: (error) => {
-        logger.error('Workspace logo upload error:', error)
-      },
-    })
+  const {
+    fileInputRef: logoFileInputRef,
+    handleFileChange: handleLogoFileChange,
+    setTargetWorkspaceId: setLogoTargetWorkspaceId,
+  } = useWorkspaceLogoUpload({
+    workspaceId,
+    currentLogoUrl: activeWorkspaceFull?.logoUrl,
+    onUpload: (url) => {
+      updateWorkspace(logoTargetWorkspaceIdRef.current, { logoUrl: url })
+    },
+    onError: (error) => {
+      logger.error('Workspace logo upload error:', error)
+    },
+  })
 
   const { handleMouseDown, isResizing } = useSidebarResize()
 
@@ -1036,9 +1040,10 @@ export const Sidebar = memo(function Sidebar() {
   const handleUploadLogo = useCallback(
     (workspaceIdToUpdate: string) => {
       logoTargetWorkspaceIdRef.current = workspaceIdToUpdate
+      setLogoTargetWorkspaceId(workspaceIdToUpdate)
       logoFileInputRef.current?.click()
     },
-    [logoFileInputRef]
+    [logoFileInputRef, setLogoTargetWorkspaceId]
   )
 
   const handleRemoveLogo = useCallback(

apps/sim/ee/whitelabeling/components/whitelabeling-settings.tsx

@@ -4,6 +4,7 @@ import { useCallback, useState } from 'react'
 import { createLogger } from '@sim/logger'
 import { Loader2, X } from 'lucide-react'
 import Image from 'next/image'
+import { useParams } from 'next/navigation'
 import { Button, Input, Label } from '@/components/emcn'
 import { useSession } from '@/lib/auth/auth-client'
 import { getSubscriptionAccessState } from '@/lib/billing/client/utils'
@@ -146,6 +147,7 @@ function SectionTitle({ children }: { children: React.ReactNode }) {
 }
 
 export function WhitelabelingSettings() {
+  const params = useParams<{ workspaceId: string }>()
   const { data: session } = useSession()
   const { data: orgsData } = useOrganizations()
   const { data: subscriptionData } = useSubscriptionData()
@@ -198,13 +200,15 @@ export function WhitelabelingSettings() {
     onUpload: (url) => setLogoUrl(url),
     onError: (error) => setSaveError(error),
     context: 'workspace-logos',
+    workspaceId: params.workspaceId,
   })
 
   const wordmarkUpload = useProfilePictureUpload({
     currentImage: wordmarkUrl,
     onUpload: (url) => setWordmarkUrl(url),
     onError: (error) => setSaveError(error),
     context: 'workspace-logos',
+    workspaceId: params.workspaceId,
   })
 
   const handleSave = useCallback(async () => {