fix(knowledge): enforce connector chunk readonly on server side

simstudioai · waleedlatif1 · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026 · Mar 6, 2026
commit 70e286fdacf86775eabe297bc30e41cac220c24a
diff --git a/apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/[chunkId]/route.ts b/apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/[chunkId]/route.ts
@@ -95,6 +95,16 @@ export async function PUT(
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
+    if (accessCheck.document?.connectorId) {
+      logger.warn(
+        `[${requestId}] User ${session.user.id} attempted to update chunk on connector-synced document: Doc=${documentId}`
+      )
+      return NextResponse.json(
+        { error: 'Chunks from connector-synced documents are read-only' },
+        { status: 403 }
+      )
+    }
+
     const body = await req.json()
 
     try {
@@ -167,6 +177,16 @@ export async function DELETE(
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
+    if (accessCheck.document?.connectorId) {
+      logger.warn(
+        `[${requestId}] User ${session.user.id} attempted to delete chunk on connector-synced document: Doc=${documentId}`
+      )
+      return NextResponse.json(
+        { error: 'Chunks from connector-synced documents are read-only' },
+        { status: 403 }
+      )
+    }
+
     await deleteChunk(chunkId, documentId, requestId)
 
     logger.info(

diff --git a/apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/route.ts b/apps/sim/app/api/knowledge/[id]/documents/[documentId]/chunks/route.ts
@@ -158,6 +158,16 @@ export async function POST(
       return NextResponse.json({ error: 'Document not found' }, { status: 404 })
     }
 
+    if (doc.connectorId) {
+      logger.warn(
+        `[${requestId}] User ${userId} attempted to create chunk on connector-synced document: Doc=${documentId}`
+      )
+      return NextResponse.json(
+        { error: 'Chunks from connector-synced documents are read-only' },
+        { status: 403 }
+      )
+    }
+
     // Allow manual chunk creation even if document is not fully processed
     // but it should exist and not be in failed state
     if (doc.processingStatus === 'failed') {
@@ -283,6 +293,16 @@ export async function PATCH(
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
+    if (accessCheck.document?.connectorId) {
+      logger.warn(
+        `[${requestId}] User ${userId} attempted batch chunk operation on connector-synced document: Doc=${documentId}`
+      )
+      return NextResponse.json(
+        { error: 'Chunks from connector-synced documents are read-only' },
+        { status: 403 }
+      )
+    }
+
     const body = await req.json()
 
     try {

diff --git a/apps/sim/app/api/knowledge/utils.ts b/apps/sim/app/api/knowledge/utils.ts
@@ -56,6 +56,8 @@ export interface DocumentData {
   boolean1?: boolean | null
   boolean2?: boolean | null
   boolean3?: boolean | null
+  // Connector fields
+  connectorId?: string | null
 }
 
 export interface EmbeddingData {
@@ -283,6 +285,8 @@ export async function checkDocumentWriteAccess(
       boolean1: document.boolean1,
       boolean2: document.boolean2,
       boolean3: document.boolean3,
+      // Connector fields
+      connectorId: document.connectorId,
     })
     .from(document)
     .where(and(eq(document.id, documentId), isNull(document.deletedAt)))