refactor(auth): simplify flow retrieval by removing settings_service dependency (#8956)

* refactor: Simplify flow reading logic by removing unnecessary settings service dependency

* 🛠️ (flows.py): Remove settings_service parameter from _read_flow and related functions to streamline flow retrieval logic.
* 🔧 (flows.py): Adjust query to directly filter by user_id, enhancing clarity and reducing complexity.

* test: Enhance flow retrieval tests with user isolation checks

* 🧪 (test_flows.py): Remove hardcoded user_id from flow creation tests to ensure user-specific data handling.
* (test_flows.py): Add a new test to verify that users can only access their own flows, ensuring proper user isolation in flow retrieval.
* 🔧 (test_flows.py): Implement user creation and cleanup logic to maintain test integrity and avoid side effects.
Gabriel Luiz Freitas Almeida 2025-07-09 14:53:34 -03:00 committed by GitHub
commit d437d018ce
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 137 additions and 17 deletions


@ -36,7 +36,6 @@ from langflow.services.database.models.flow.utils import get_webhook_component_i
from langflow.services.database.models.folder.constants import DEFAULT_FOLDER_NAME
from langflow.services.database.models.folder.model import Folder
from langflow.services.deps import get_settings_service
from langflow.services.settings.service import SettingsService
from langflow.utils.compression import compress_response
# build router
@ -270,17 +269,10 @@ async def _read_flow(
session: AsyncSession,
flow_id: UUID,
user_id: UUID,
settings_service: SettingsService,
):
"""Read a flow."""
auth_settings = settings_service.auth_settings
stmt = select(Flow).where(Flow.id == flow_id)
if auth_settings.AUTO_LOGIN:
# If auto login is enable user_id can be current_user.id or None
# so write an OR
stmt = stmt.where(
(Flow.user_id == user_id) | (Flow.user_id == None) # noqa: E711
)
stmt = select(Flow).where(Flow.id == flow_id).where(Flow.user_id == user_id)
return (await session.exec(stmt)).first()
@ -292,7 +284,7 @@ async def read_flow(
current_user: CurrentActiveUser,
):
"""Read a flow."""
if user_flow := await _read_flow(session, flow_id, current_user.id, get_settings_service()):
if user_flow := await _read_flow(session, flow_id, current_user.id):
return user_flow
raise HTTPException(status_code=404, detail="Flow not found")
@ -327,7 +319,6 @@ async def update_flow(
session=session,
flow_id=flow_id,
user_id=current_user.id,
settings_service=settings_service,
)
if not db_flow:
@ -393,7 +384,6 @@ async def delete_flow(
session=session,
flow_id=flow_id,
user_id=current_user.id,
settings_service=get_settings_service(),
)
if not flow:
raise HTTPException(status_code=404, detail="Flow not found")
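Review bot: In `_read_flow` the ownership filter `Flow.user_id == user_id` is now unconditional, so any flow row whose `user_id` is NULL (which the dropped comment says can occur when AUTO_LOGIN is enabled) is no longer reachable through `read_flow`, `update_flow` or `delete_flow` and will surface as a 404. The stricter filter is the right default for user isolation, but nothing visible here backfills an owner onto such legacy rows, so confirm that a migration or startup step does so before release. The docstring still reads only "Read a flow." and should state the access-control contract, e.g. `"""Return the flow with this id only if it is owned by user_id, else None (callers answer 404)."""`. In the `update_flow` hunk the `settings_service=settings_service` argument is gone, so the `settings_service` name in that function may now be unused; its definition, like the rest of the `update_flow` and `delete_flow` bodies, lies outside the hunks shown.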