fix(access-control): add auth to allowlist endpoint, fix loading state race, use accurate error message

waleedlatif1 · waleedlatif1 · commit b304eca58aeb · 2026-02-17T17:41:05.000-08:00
diff --git a/apps/sim/app/api/settings/allowed-integrations/route.ts b/apps/sim/app/api/settings/allowed-integrations/route.ts
@@ -1,7 +1,13 @@
 import { NextResponse } from 'next/server'
+import { getSession } from '@/lib/auth'
 import { getAllowedIntegrationsFromEnv } from '@/lib/core/config/feature-flags'
 
 export async function GET() {
+  const session = await getSession()
+  if (!session?.user?.id) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
+  }
+
   return NextResponse.json({
     allowedIntegrations: getAllowedIntegrationsFromEnv(),
   })
diff --git a/apps/sim/ee/access-control/utils/permission-check.ts b/apps/sim/ee/access-control/utils/permission-check.ts
@@ -27,8 +27,12 @@ export class ProviderNotAllowedError extends Error {
 }
 
 export class IntegrationNotAllowedError extends Error {
-  constructor(blockType: string) {
-    super(`Integration "${blockType}" is not allowed based on your permission group settings`)
+  constructor(blockType: string, reason?: string) {
+    super(
+      reason
+        ? `Integration "${blockType}" is not allowed: ${reason}`
+        : `Integration "${blockType}" is not allowed based on your permission group settings`
+    )
     this.name = 'IntegrationNotAllowedError'
   }
 }
@@ -159,7 +163,7 @@ export async function validateBlockType(
   const envAllowlist = getAllowedIntegrationsFromEnv()
   if (envAllowlist !== null && !envAllowlist.includes(blockType)) {
     logger.warn('Integration blocked by env allowlist', { blockType })
-    throw new IntegrationNotAllowedError(blockType)
+    throw new IntegrationNotAllowedError(blockType, 'blocked by server ALLOWED_INTEGRATIONS policy')
   }
 
   if (!userId) {
diff --git a/apps/sim/hooks/use-permission-config.ts b/apps/sim/hooks/use-permission-config.ts
@@ -53,8 +53,13 @@ export function usePermissionConfig(): PermissionConfigResult {
   const { data: organizationsData } = useOrganizations()
   const activeOrganization = organizationsData?.activeOrganization
 
-  const { data: permissionData, isLoading } = useUserPermissionConfig(activeOrganization?.id)
-  const { data: envAllowlistData } = useAllowedIntegrationsFromEnv()
+  const { data: permissionData, isLoading: isPermissionLoading } = useUserPermissionConfig(
+    activeOrganization?.id
+  )
+  const { data: envAllowlistData, isLoading: isEnvAllowlistLoading } =
+    useAllowedIntegrationsFromEnv()
+
+  const isLoading = isPermissionLoading || isEnvAllowlistLoading
 
   const config = useMemo(() => {
     if (accessControlDisabled) {

Original file line number	Diff line number	Diff line change
`@@ -27,8 +27,12 @@ export class ProviderNotAllowedError extends Error {`
`27`	`27`	`}`
`28`	`28`
`29`	`29`	`export class IntegrationNotAllowedError extends Error {`
`30`		`- constructor(blockType: string) {`
`31`		- super(`Integration "${blockType}" is not allowed based on your permission group settings`)
	`30`	`+ constructor(blockType: string, reason?: string) {`
	`31`	`+ super(`
	`32`	`+ reason`
	`33`	+ ? `Integration "${blockType}" is not allowed: ${reason}`
	`34`	+ : `Integration "${blockType}" is not allowed based on your permission group settings`
	`35`	`+ )`
`32`	`36`	`this.name = 'IntegrationNotAllowedError'`
`33`	`37`	`}`
`34`	`38`	`}`
`@@ -159,7 +163,7 @@ export async function validateBlockType(`
`159`	`163`	`const envAllowlist = getAllowedIntegrationsFromEnv()`
`160`	`164`	`if (envAllowlist !== null && !envAllowlist.includes(blockType)) {`
`161`	`165`	`logger.warn('Integration blocked by env allowlist', { blockType })`
`162`		`- throw new IntegrationNotAllowedError(blockType)`
	`166`	`+ throw new IntegrationNotAllowedError(blockType, 'blocked by server ALLOWED_INTEGRATIONS policy')`
`163`	`167`	`}`
`164`	`168`
`165`	`169`	`if (!userId) {`