fix(credentials): grant admin role to credential creator

Revert admin-only restriction — write users can create secrets.
Ensure the acting user (creator) always gets admin role on the
credential via actingUserId parameter in ensureWorkspaceCredentialMemberships
and session.user.id check in route.ts POST.

Role mapping:
- workspace owner → admin
- credential creator (actingUserId/session.user.id) → admin
- workspace admin permission → admin
- write/read → member

Author: minijeong-log

apps/sim/app/api/credentials/route.ts

@@ -29,7 +29,7 @@ import {
   ATLASSIAN_SERVICE_ACCOUNT_SECRET_TYPE,
 } from '@/lib/oauth/types'
 import { captureServerEvent } from '@/lib/posthog/server'
-import { checkWorkspaceAccess, hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
+import { checkWorkspaceAccess } from '@/lib/workspaces/permissions/utils'
 
 const logger = createLogger('CredentialsAPI')
 
@@ -296,16 +296,8 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
     } = parsed.data.body
 
     const workspaceAccess = await checkWorkspaceAccess(workspaceId, session.user.id)
-    if (!workspaceAccess.hasAccess) {
-      return NextResponse.json({ error: 'Workspace access required' }, { status: 403 })
-    }
-
-    const isAdmin = await hasWorkspaceAdminAccess(session.user.id, workspaceId)
-    if (!isAdmin) {
-      return NextResponse.json(
-        { error: 'Admin permission required to manage credentials' },
-        { status: 403 }
-      )
+    if (!workspaceAccess.canWrite) {
+      return NextResponse.json({ error: 'Write permission required' }, { status: 403 })
     }
 
     let resolvedDisplayName = displayName?.trim() ?? ''
@@ -557,7 +549,10 @@ export const POST = withRouteHandler(async (request: NextRequest) => {
         if (workspaceUserIds.length > 0) {
           for (const memberUserId of workspaceUserIds) {
             const wsPermission = wsPermissionByUser.get(memberUserId)
-            const isAdmin = memberUserId === workspaceRow.ownerId || wsPermission === 'admin'
+            const isAdmin =
+              memberUserId === workspaceRow.ownerId ||
+              memberUserId === session.user.id ||
+              wsPermission === 'admin'
             await tx.insert(credentialMember).values({
               id: generateId(),
               credentialId,

apps/sim/lib/credentials/environment.ts

@@ -38,7 +38,8 @@ async function ensureWorkspaceCredentialMemberships(
   credentialId: string,
   memberUserIds: string[],
   ownerUserId: string,
-  wsPermissionByUser: Map<string, string>
+  wsPermissionByUser: Map<string, string>,
+  actingUserId?: string
 ) {
   if (!memberUserIds.length) return
 
@@ -65,7 +66,8 @@ async function ensureWorkspaceCredentialMemberships(
   const now = new Date()
   const values = targetUserIds.map((memberUserId) => {
     const wsPermission = wsPermissionByUser.get(memberUserId)
-    const isAdmin = memberUserId === ownerUserId || wsPermission === 'admin'
+    const isAdmin =
+      memberUserId === ownerUserId || memberUserId === actingUserId || wsPermission === 'admin'
     return {
       id: generateId(),
       credentialId,
@@ -173,7 +175,8 @@ export async function syncWorkspaceEnvCredentials(params: {
       credentialId,
       memberUserIds,
       workspaceRow.ownerId,
-      wsPermissionByUser
+      wsPermissionByUser,
+      actingUserId
     )
   }
 
@@ -255,7 +258,8 @@ export async function createWorkspaceEnvCredentials(params: {
   const membershipValues = createdIds.flatMap((credentialId) =>
     memberUserIds.map((memberUserId) => {
       const wsPermission = wsPermissionByUser.get(memberUserId)
-      const isAdmin = memberUserId === ownerUserId || wsPermission === 'admin'
+      const isAdmin =
+        memberUserId === ownerUserId || memberUserId === actingUserId || wsPermission === 'admin'
       return {
         id: generateId(),
         credentialId,