feat: RBAC (#8922)

Signed-off-by: Oleg Ivaniv <me@olegivaniv.com> Co-authored-by: Val <68596159+valya@users.noreply.github.com> Co-authored-by: कारतोफ्फेलस्क्रिप्ट™ <aditya@netroy.in> Co-authored-by: Valya Bullions <valya@n8n.io> Co-authored-by: Danny Martini <danny@n8n.io> Co-authored-by: Danny Martini <despair.blue@gmail.com> Co-authored-by: Iván Ovejero <ivov.src@gmail.com> Co-authored-by: Omar Ajoue <krynble@gmail.com> Co-authored-by: oleg <me@olegivaniv.com> Co-authored-by: Michael Kret <michael.k@radency.com> Co-authored-by: Michael Kret <88898367+michael-radency@users.noreply.github.com> Co-authored-by: Elias Meire <elias@meire.dev> Co-authored-by: Giulio Andreini <andreini@netseven.it> Co-authored-by: Giulio Andreini <g.andreini@gmail.com> Co-authored-by: Ayato Hayashi <go12limchangyong@gmail.com>
2024-05-17 10:53:15 +02:00
parent b1f977ebd0
commit 596c472ecc
292 changed files with 14129 additions and 3989 deletions
--- a/packages/cli/test/integration/workflows/workflow.service.ee.test.ts
+++ b/packages/cli/test/integration/workflows/workflow.service.ee.test.ts
@@ -29,6 +29,7 @@ describe('EnterpriseWorkflowService', () => {
 			Container.get(WorkflowRepository),
 			Container.get(CredentialsRepository),
 			mock(),
+			mock(),
 		);
 	});

--- a/packages/cli/test/integration/workflows/workflow.service.test.ts
+++ b/packages/cli/test/integration/workflows/workflow.service.test.ts
@@ -23,7 +23,6 @@ beforeAll(async () => {
 	await testDb.init();

 	workflowService = new WorkflowService(
-		mock(),
 		mock(),
 		Container.get(SharedWorkflowRepository),
 		Container.get(WorkflowRepository),
@@ -35,6 +34,10 @@ beforeAll(async () => {
 		orchestrationService,
 		mock(),
 		activeWorkflowManager,
+		mock(),
+		mock(),
+		mock(),
+		mock(),
 	);
 });

@@ -43,10 +46,6 @@ afterEach(async () => {
 	jest.restoreAllMocks();
 });

-afterAll(async () => {
-	await testDb.terminate();
-});
-
 describe('update()', () => {
 	test('should remove and re-add to active workflows on `active: true` payload', async () => {
 		const owner = await createOwner();
--- a/packages/cli/test/integration/workflows/workflowSharing.service.test.ts
+++ b/packages/cli/test/integration/workflows/workflowSharing.service.test.ts
@@ -0,0 +1,117 @@
+import Container from 'typedi';
+
+import type { User } from '@db/entities/User';
+import { WorkflowSharingService } from '@/workflows/workflowSharing.service';
+
+import * as testDb from '../shared/testDb';
+import { createUser } from '../shared/db/users';
+import { createWorkflow, shareWorkflowWithUsers } from '../shared/db/workflows';
+import { ProjectService } from '@/services/project.service';
+import { LicenseMocker } from '../shared/license';
+import { License } from '@/License';
+
+let owner: User;
+let member: User;
+let anotherMember: User;
+let workflowSharingService: WorkflowSharingService;
+let projectService: ProjectService;
+
+beforeAll(async () => {
+	await testDb.init();
+	owner = await createUser({ role: 'global:owner' });
+	member = await createUser({ role: 'global:member' });
+	anotherMember = await createUser({ role: 'global:member' });
+	let license: LicenseMocker;
+	license = new LicenseMocker();
+	license.mock(Container.get(License));
+	license.enable('feat:sharing');
+	license.setQuota('quota:maxTeamProjects', -1);
+	workflowSharingService = Container.get(WorkflowSharingService);
+	projectService = Container.get(ProjectService);
+});
+
+beforeEach(async () => {
+	await testDb.truncate(['Workflow', 'SharedWorkflow', 'WorkflowHistory']);
+});
+
+afterAll(async () => {
+	await testDb.terminate();
+});
+
+describe('WorkflowSharingService', () => {
+	describe('getSharedWorkflowIds', () => {
+		it('should show all workflows to owners', async () => {
+			owner.role = 'global:owner';
+			const workflow1 = await createWorkflow({}, member);
+			const workflow2 = await createWorkflow({}, anotherMember);
+			const sharedWorkflowIds = await workflowSharingService.getSharedWorkflowIds(owner, {
+				scopes: ['workflow:read'],
+			});
+			expect(sharedWorkflowIds).toHaveLength(2);
+			expect(sharedWorkflowIds).toContain(workflow1.id);
+			expect(sharedWorkflowIds).toContain(workflow2.id);
+		});
+
+		it('should show shared workflows to users', async () => {
+			member.role = 'global:member';
+			const workflow1 = await createWorkflow({}, anotherMember);
+			const workflow2 = await createWorkflow({}, anotherMember);
+			const workflow3 = await createWorkflow({}, anotherMember);
+			await shareWorkflowWithUsers(workflow1, [member]);
+			await shareWorkflowWithUsers(workflow3, [member]);
+			const sharedWorkflowIds = await workflowSharingService.getSharedWorkflowIds(member, {
+				scopes: ['workflow:read'],
+			});
+			expect(sharedWorkflowIds).toHaveLength(2);
+			expect(sharedWorkflowIds).toContain(workflow1.id);
+			expect(sharedWorkflowIds).toContain(workflow3.id);
+			expect(sharedWorkflowIds).not.toContain(workflow2.id);
+		});
+
+		it('should show workflows that the user has access to through a team project they are part of', async () => {
+			//
+			// ARRANGE
+			//
+			const project = await projectService.createTeamProject('Team Project', member);
+			await projectService.addUser(project.id, anotherMember.id, 'project:admin');
+			const workflow = await createWorkflow(undefined, project);
+
+			//
+			// ACT
+			//
+			const sharedWorkflowIds = await workflowSharingService.getSharedWorkflowIds(anotherMember, {
+				scopes: ['workflow:read'],
+			});
+
+			//
+			// ASSERT
+			//
+			expect(sharedWorkflowIds).toContain(workflow.id);
+		});
+
+		it('should show workflows that the user has update access to', async () => {
+			//
+			// ARRANGE
+			//
+			const project1 = await projectService.createTeamProject('Team Project 1', member);
+			const workflow1 = await createWorkflow(undefined, project1);
+			const project2 = await projectService.createTeamProject('Team Project 2', member);
+			const workflow2 = await createWorkflow(undefined, project2);
+			await projectService.addUser(project1.id, anotherMember.id, 'project:admin');
+			await projectService.addUser(project2.id, anotherMember.id, 'project:viewer');
+
+			//
+			// ACT
+			//
+			const sharedWorkflowIds = await workflowSharingService.getSharedWorkflowIds(anotherMember, {
+				scopes: ['workflow:update'],
+			});
+
+			//
+			// ASSERT
+			//
+			expect(sharedWorkflowIds).toContain(workflow1.id);
+			expect(sharedWorkflowIds).not.toContain(workflow2.id);
+		});
+	});
+});
--- a/packages/cli/test/integration/workflows/workflows.controller.ee.test.ts
+++ b/packages/cli/test/integration/workflows/workflows.controller.ee.test.ts
@@ -6,7 +6,6 @@ import type { INode } from 'n8n-workflow';
 import type { User } from '@db/entities/User';
 import { WorkflowHistoryRepository } from '@db/repositories/workflowHistory.repository';
 import { ActiveWorkflowManager } from '@/ActiveWorkflowManager';
-import { WorkflowSharingService } from '@/workflows/workflowSharing.service';

 import { mockInstance } from '../../shared/mocking';
 import * as utils from '../shared/utils/';
@@ -15,20 +14,29 @@ import type { SaveCredentialFunction } from '../shared/types';
 import { makeWorkflow } from '../shared/utils/';
 import { randomCredentialPayload } from '../shared/random';
 import { affixRoleToSaveCredential, shareCredentialWithUsers } from '../shared/db/credentials';
-import { createUser } from '../shared/db/users';
+import { createUser, createUserShell } from '../shared/db/users';
 import { createWorkflow, getWorkflowSharing, shareWorkflowWithUsers } from '../shared/db/workflows';
 import { License } from '@/License';
 import { UserManagementMailer } from '@/UserManagement/email';
 import config from '@/config';
+import type { WorkflowWithSharingsMetaDataAndCredentials } from '@/workflows/workflows.types';
+import type { Project } from '@/databases/entities/Project';
+import { ProjectRepository } from '@/databases/repositories/project.repository';
+import { createTag } from '../shared/db/tags';

 let owner: User;
+let ownerPersonalProject: Project;
 let member: User;
+let memberPersonalProject: Project;
 let anotherMember: User;
+let anotherMemberPersonalProject: Project;
 let authOwnerAgent: SuperAgentTest;
 let authMemberAgent: SuperAgentTest;
 let authAnotherMemberAgent: SuperAgentTest;
 let saveCredential: SaveCredentialFunction;

+let projectRepository: ProjectRepository;
+
 const activeWorkflowManager = mockInstance(ActiveWorkflowManager);

 const sharingSpy = jest.spyOn(License.prototype, 'isSharingEnabled').mockReturnValue(true);
@@ -40,9 +48,16 @@ const license = testServer.license;
 const mailer = mockInstance(UserManagementMailer);

 beforeAll(async () => {
+	projectRepository = Container.get(ProjectRepository);
+
 	owner = await createUser({ role: 'global:owner' });
+	ownerPersonalProject = await projectRepository.getPersonalProjectForUserOrFail(owner.id);
 	member = await createUser({ role: 'global:member' });
+	memberPersonalProject = await projectRepository.getPersonalProjectForUserOrFail(member.id);
 	anotherMember = await createUser({ role: 'global:member' });
+	anotherMemberPersonalProject = await projectRepository.getPersonalProjectForUserOrFail(
+		anotherMember.id,
+	);

 	authOwnerAgent = testServer.authAgentFor(owner);
 	authMemberAgent = testServer.authAgentFor(member);
@@ -57,7 +72,7 @@ beforeEach(async () => {
 	activeWorkflowManager.add.mockReset();
 	activeWorkflowManager.remove.mockReset();

-	await testDb.truncate(['Workflow', 'SharedWorkflow', 'WorkflowHistory']);
+	await testDb.truncate(['Workflow', 'SharedWorkflow', 'WorkflowHistory', 'Tag']);
 });

 afterEach(() => {
@@ -77,14 +92,14 @@ describe('router should switch based on flag', () => {

 		await authOwnerAgent
 			.put(`/workflows/${savedWorkflowId}/share`)
-			.send({ shareWithIds: [member.id] })
+			.send({ shareWithIds: [memberPersonalProject.id] })
 			.expect(404);
 	});

 	test('when sharing is enabled', async () => {
 		await authOwnerAgent
 			.put(`/workflows/${savedWorkflowId}/share`)
-			.send({ shareWithIds: [member.id] })
+			.send({ shareWithIds: [memberPersonalProject.id] })
 			.expect(200);
 	});
 });
@@ -95,13 +110,20 @@ describe('PUT /workflows/:id', () => {

 		const response = await authOwnerAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [member.id] });
+			.send({ shareWithIds: [memberPersonalProject.id] });

 		expect(response.statusCode).toBe(200);

 		const sharedWorkflows = await getWorkflowSharing(workflow);
 		expect(sharedWorkflows).toHaveLength(2);
 		expect(mailer.notifyWorkflowShared).toHaveBeenCalledTimes(1);
+		expect(mailer.notifyWorkflowShared).toHaveBeenCalledWith(
+			expect.objectContaining({
+				newShareeIds: [member.id],
+				sharer: expect.objectContaining({ id: owner.id }),
+				workflow: expect.objectContaining({ id: workflow.id }),
+			}),
+		);
 	});

 	test('PUT /workflows/:id/share should succeed when sharing with invalid user-id', async () => {
@@ -117,12 +139,30 @@ describe('PUT /workflows/:id', () => {
 		expect(sharedWorkflows).toHaveLength(1);
 	});

+	test('PUT /workflows/:id/share should allow sharing with pending users', async () => {
+		const workflow = await createWorkflow({}, owner);
+		const memberShell = await createUserShell('global:member');
+		const memberShellPersonalProject = await projectRepository.getPersonalProjectForUserOrFail(
+			memberShell.id,
+		);
+
+		const response = await authOwnerAgent
+			.put(`/workflows/${workflow.id}/share`)
+			.send({ shareWithIds: [memberShellPersonalProject.id] });
+
+		expect(response.statusCode).toBe(200);
+
+		const sharedWorkflows = await getWorkflowSharing(workflow);
+		expect(sharedWorkflows).toHaveLength(2);
+		expect(mailer.notifyWorkflowShared).toHaveBeenCalledTimes(1);
+	});
+
 	test('PUT /workflows/:id/share should allow sharing with multiple users', async () => {
 		const workflow = await createWorkflow({}, owner);

 		const response = await authOwnerAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [member.id, anotherMember.id] });
+			.send({ shareWithIds: [memberPersonalProject.id, anotherMemberPersonalProject.id] });

 		expect(response.statusCode).toBe(200);

@@ -136,7 +176,7 @@ describe('PUT /workflows/:id', () => {

 		const response = await authOwnerAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [member.id, anotherMember.id] });
+			.send({ shareWithIds: [memberPersonalProject.id, anotherMemberPersonalProject.id] });

 		expect(response.statusCode).toBe(200);

@@ -145,7 +185,7 @@ describe('PUT /workflows/:id', () => {

 		const secondResponse = await authOwnerAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [member.id] });
+			.send({ shareWithIds: [memberPersonalProject.id] });
 		expect(secondResponse.statusCode).toBe(200);

 		const secondSharedWorkflows = await getWorkflowSharing(workflow);
@@ -158,7 +198,7 @@ describe('PUT /workflows/:id', () => {

 		const response = await authMemberAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [anotherMember.id] });
+			.send({ shareWithIds: [anotherMemberPersonalProject.id] });

 		expect(response.statusCode).toBe(200);

@@ -172,7 +212,7 @@ describe('PUT /workflows/:id', () => {

 		const response = await authOwnerAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [anotherMember.id] });
+			.send({ shareWithIds: [anotherMemberPersonalProject.id] });

 		expect(response.statusCode).toBe(200);

@@ -188,7 +228,7 @@ describe('PUT /workflows/:id', () => {

 		const response = await authAnotherMemberAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [anotherMember.id, owner.id] });
+			.send({ shareWithIds: [anotherMemberPersonalProject.id, ownerPersonalProject.id] });

 		expect(response.statusCode).toBe(403);

@@ -202,7 +242,7 @@ describe('PUT /workflows/:id', () => {

 		const response = await authAnotherMemberAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [anotherMember.id] });
+			.send({ shareWithIds: [anotherMemberPersonalProject.id] });

 		expect(response.statusCode).toBe(403);

@@ -215,10 +255,13 @@ describe('PUT /workflows/:id', () => {
 		const workflow = await createWorkflow({}, member);

 		const tempUser = await createUser({ role: 'global:member' });
+		const tempUserPersonalProject = await projectRepository.getPersonalProjectForUserOrFail(
+			tempUser.id,
+		);

 		const response = await authAnotherMemberAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [tempUser.id] });
+			.send({ shareWithIds: [tempUserPersonalProject.id] });

 		expect(response.statusCode).toBe(403);

@@ -234,7 +277,7 @@ describe('PUT /workflows/:id', () => {

 		const response = await authOwnerAgent
 			.put(`/workflows/${workflow.id}/share`)
-			.send({ shareWithIds: [member.id] });
+			.send({ shareWithIds: [memberPersonalProject.id] });

 		expect(response.statusCode).toBe(200);

@@ -275,39 +318,49 @@ describe('GET /workflows/:id', () => {
 	test('GET should return a workflow with owner', async () => {
 		const workflow = await createWorkflow({}, owner);

-		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`);
+		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`).expect(200);
+		const responseWorkflow: WorkflowWithSharingsMetaDataAndCredentials = response.body.data;

-		expect(response.statusCode).toBe(200);
-		expect(response.body.data.ownedBy).toMatchObject({
-			id: owner.id,
-			email: owner.email,
-			firstName: owner.firstName,
-			lastName: owner.lastName,
+		expect(responseWorkflow.homeProject).toMatchObject({
+			id: ownerPersonalProject.id,
+			name: owner.createPersonalProjectName(),
+			type: 'personal',
 		});

-		expect(response.body.data.sharedWith).toHaveLength(0);
+		expect(responseWorkflow.sharedWithProjects).toHaveLength(0);
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		expect((responseWorkflow as any).shared).toBeUndefined();
+	});
+
+	test('should return tags', async () => {
+		const tag = await createTag({ name: 'A' });
+		const workflow = await createWorkflow({ tags: [tag] }, owner);
+
+		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`).expect(200);
+
+		expect(response.body.data).toMatchObject({
+			tags: [expect.objectContaining({ id: tag.id, name: tag.name })],
+		});
 	});

 	test('GET should return shared workflow with user data', async () => {
 		const workflow = await createWorkflow({}, owner);
 		await shareWorkflowWithUsers(workflow, [member]);

-		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`);
+		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`).expect(200);
+		const responseWorkflow: WorkflowWithSharingsMetaDataAndCredentials = response.body.data;

-		expect(response.statusCode).toBe(200);
-		expect(response.body.data.ownedBy).toMatchObject({
-			id: owner.id,
-			email: owner.email,
-			firstName: owner.firstName,
-			lastName: owner.lastName,
+		expect(responseWorkflow.homeProject).toMatchObject({
+			id: ownerPersonalProject.id,
+			name: owner.createPersonalProjectName(),
+			type: 'personal',
 		});

-		expect(response.body.data.sharedWith).toHaveLength(1);
-		expect(response.body.data.sharedWith[0]).toMatchObject({
-			id: member.id,
-			email: member.email,
-			firstName: member.firstName,
-			lastName: member.lastName,
+		expect(responseWorkflow.sharedWithProjects).toHaveLength(1);
+		expect(responseWorkflow.sharedWithProjects[0]).toMatchObject({
+			id: memberPersonalProject.id,
+			name: member.createPersonalProjectName(),
+			type: 'personal',
 		});
 	});

@@ -315,17 +368,16 @@ describe('GET /workflows/:id', () => {
 		const workflow = await createWorkflow({}, owner);
 		await shareWorkflowWithUsers(workflow, [member, anotherMember]);

-		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`);
+		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`).expect(200);
+		const responseWorkflow: WorkflowWithSharingsMetaDataAndCredentials = response.body.data;

-		expect(response.statusCode).toBe(200);
-		expect(response.body.data.ownedBy).toMatchObject({
-			id: owner.id,
-			email: owner.email,
-			firstName: owner.firstName,
-			lastName: owner.lastName,
+		expect(responseWorkflow.homeProject).toMatchObject({
+			id: ownerPersonalProject.id,
+			name: owner.createPersonalProjectName(),
+			type: 'personal',
 		});

-		expect(response.body.data.sharedWith).toHaveLength(2);
+		expect(responseWorkflow.sharedWithProjects).toHaveLength(2);
 	});

 	test('GET should return workflow with credentials owned by user', async () => {
@@ -337,10 +389,11 @@ describe('GET /workflows/:id', () => {
 		});
 		const workflow = await createWorkflow(workflowPayload, owner);

-		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`);
+		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`).expect(200);
+		const responseWorkflow: WorkflowWithSharingsMetaDataAndCredentials = response.body.data;

 		expect(response.statusCode).toBe(200);
-		expect(response.body.data.usedCredentials).toMatchObject([
+		expect(responseWorkflow.usedCredentials).toMatchObject([
 			{
 				id: savedCredential.id,
 				name: savedCredential.name,
@@ -348,7 +401,7 @@ describe('GET /workflows/:id', () => {
 			},
 		]);

-		expect(response.body.data.sharedWith).toHaveLength(0);
+		expect(responseWorkflow.sharedWithProjects).toHaveLength(0);
 	});

 	test('GET should return workflow with credentials saying owner does not have access when not shared', async () => {
@@ -360,10 +413,10 @@ describe('GET /workflows/:id', () => {
 		});
 		const workflow = await createWorkflow(workflowPayload, owner);

-		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`);
+		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`).expect(200);
+		const responseWorkflow: WorkflowWithSharingsMetaDataAndCredentials = response.body.data;

-		expect(response.statusCode).toBe(200);
-		expect(response.body.data.usedCredentials).toMatchObject([
+		expect(responseWorkflow.usedCredentials).toMatchObject([
 			{
 				id: savedCredential.id,
 				name: savedCredential.name,
@@ -371,7 +424,7 @@ describe('GET /workflows/:id', () => {
 			},
 		]);

-		expect(response.body.data.sharedWith).toHaveLength(0);
+		expect(responseWorkflow.sharedWithProjects).toHaveLength(0);
 	});

 	test('GET should return workflow with credentials for all users with or without access', async () => {
@@ -384,27 +437,31 @@ describe('GET /workflows/:id', () => {
 		const workflow = await createWorkflow(workflowPayload, member);
 		await shareWorkflowWithUsers(workflow, [anotherMember]);

-		const responseMember1 = await authMemberAgent.get(`/workflows/${workflow.id}`);
-		expect(responseMember1.statusCode).toBe(200);
-		expect(responseMember1.body.data.usedCredentials).toMatchObject([
+		const responseMember1 = await authMemberAgent.get(`/workflows/${workflow.id}`).expect(200);
+		const member1Workflow: WorkflowWithSharingsMetaDataAndCredentials = responseMember1.body.data;
+
+		expect(member1Workflow.usedCredentials).toMatchObject([
 			{
 				id: savedCredential.id,
 				name: savedCredential.name,
 				currentUserHasAccess: true, // one user has access
 			},
 		]);
-		expect(responseMember1.body.data.sharedWith).toHaveLength(1);
+		expect(member1Workflow.sharedWithProjects).toHaveLength(1);

-		const responseMember2 = await authAnotherMemberAgent.get(`/workflows/${workflow.id}`);
-		expect(responseMember2.statusCode).toBe(200);
-		expect(responseMember2.body.data.usedCredentials).toMatchObject([
+		const responseMember2 = await authAnotherMemberAgent
+			.get(`/workflows/${workflow.id}`)
+			.expect(200);
+		const member2Workflow: WorkflowWithSharingsMetaDataAndCredentials = responseMember2.body.data;
+
+		expect(member2Workflow.usedCredentials).toMatchObject([
 			{
 				id: savedCredential.id,
 				name: savedCredential.name,
 				currentUserHasAccess: false, // the other one doesn't
 			},
 		]);
-		expect(responseMember2.body.data.sharedWith).toHaveLength(1);
+		expect(member2Workflow.sharedWithProjects).toHaveLength(1);
 	});

 	test('GET should return workflow with credentials for all users with access', async () => {
@@ -419,27 +476,32 @@ describe('GET /workflows/:id', () => {
 		const workflow = await createWorkflow(workflowPayload, member);
 		await shareWorkflowWithUsers(workflow, [anotherMember]);

-		const responseMember1 = await authMemberAgent.get(`/workflows/${workflow.id}`);
-		expect(responseMember1.statusCode).toBe(200);
-		expect(responseMember1.body.data.usedCredentials).toMatchObject([
-			{
-				id: savedCredential.id,
-				name: savedCredential.name,
-				currentUserHasAccess: true,
-			},
-		]);
-		expect(responseMember1.body.data.sharedWith).toHaveLength(1);
+		const responseMember1 = await authMemberAgent.get(`/workflows/${workflow.id}`).expect(200);
+		const member1Workflow: WorkflowWithSharingsMetaDataAndCredentials = responseMember1.body.data;

-		const responseMember2 = await authAnotherMemberAgent.get(`/workflows/${workflow.id}`);
-		expect(responseMember2.statusCode).toBe(200);
-		expect(responseMember2.body.data.usedCredentials).toMatchObject([
+		expect(member1Workflow.usedCredentials).toMatchObject([
 			{
 				id: savedCredential.id,
 				name: savedCredential.name,
 				currentUserHasAccess: true,
 			},
 		]);
-		expect(responseMember2.body.data.sharedWith).toHaveLength(1);
+		expect(member1Workflow.sharedWithProjects).toHaveLength(1);
+
+		const responseMember2 = await authAnotherMemberAgent
+			.get(`/workflows/${workflow.id}`)
+			.expect(200);
+		const member2Workflow: WorkflowWithSharingsMetaDataAndCredentials = responseMember2.body.data;
+
+		expect(responseMember2.statusCode).toBe(200);
+		expect(member2Workflow.usedCredentials).toMatchObject([
+			{
+				id: savedCredential.id,
+				name: savedCredential.name,
+				currentUserHasAccess: true,
+			},
+		]);
+		expect(member2Workflow.sharedWithProjects).toHaveLength(1);
 	});
 });

@@ -739,7 +801,7 @@ describe('PATCH /workflows/:id - validate credential permissions to user', () =>
 				},
 			],
 		});
-		expect(response.statusCode).toBe(400);
+		expect(response.statusCode).toBe(403);
 	});

 	it('Should succeed but prevent modifying node attributes other than position, name and disabled', async () => {
@@ -814,7 +876,10 @@ describe('PATCH /workflows/:id - validate credential permissions to user', () =>
 		const createResponse = await authMemberAgent.post('/workflows').send(workflow);
 		const { id, versionId } = createResponse.body.data;

-		await authMemberAgent.put(`/workflows/${id}/share`).send({ shareWithIds: [anotherMember.id] });
+		await authMemberAgent
+			.put(`/workflows/${id}/share`)
+			.send({ shareWithIds: [anotherMemberPersonalProject.id] })
+			.expect(200);

 		const response = await authAnotherMemberAgent.patch(`/workflows/${id}`).send({
 			versionId,
@@ -832,7 +897,9 @@ describe('PATCH /workflows/:id - validate interim updates', () => {

 		const createResponse = await authOwnerAgent.post('/workflows').send(makeWorkflow());
 		const { id, versionId: ownerVersionId } = createResponse.body.data;
-		await authOwnerAgent.put(`/workflows/${id}/share`).send({ shareWithIds: [member.id] });
+		await authOwnerAgent
+			.put(`/workflows/${id}/share`)
+			.send({ shareWithIds: [memberPersonalProject.id] });

 		// member accesses and updates workflow name

@@ -865,7 +932,9 @@ describe('PATCH /workflows/:id - validate interim updates', () => {

 		const { versionId: ownerSecondVersionId } = updateResponse.body.data;

-		await authOwnerAgent.put(`/workflows/${id}/share`).send({ shareWithIds: [member.id] });
+		await authOwnerAgent
+			.put(`/workflows/${id}/share`)
+			.send({ shareWithIds: [memberPersonalProject.id] });

 		// member accesses workflow

@@ -893,7 +962,9 @@ describe('PATCH /workflows/:id - validate interim updates', () => {

 		const createResponse = await authOwnerAgent.post('/workflows').send(makeWorkflow());
 		const { id, versionId: ownerVersionId } = createResponse.body.data;
-		await authOwnerAgent.put(`/workflows/${id}/share`).send({ shareWithIds: [member.id] });
+		await authOwnerAgent
+			.put(`/workflows/${id}/share`)
+			.send({ shareWithIds: [memberPersonalProject.id] });

 		// member accesses and activates workflow

@@ -923,7 +994,9 @@ describe('PATCH /workflows/:id - validate interim updates', () => {
 			.send({ name: 'Update by owner', versionId: ownerFirstVersionId });
 		const { versionId: ownerSecondVersionId } = updateResponse.body.data;

-		await authOwnerAgent.put(`/workflows/${id}/share`).send({ shareWithIds: [member.id] });
+		await authOwnerAgent
+			.put(`/workflows/${id}/share`)
+			.send({ shareWithIds: [memberPersonalProject.id] });

 		// member accesses workflow

@@ -951,7 +1024,9 @@ describe('PATCH /workflows/:id - validate interim updates', () => {

 		const createResponse = await authOwnerAgent.post('/workflows').send(makeWorkflow());
 		const { id, versionId: ownerVersionId } = createResponse.body.data;
-		await authOwnerAgent.put(`/workflows/${id}/share`).send({ shareWithIds: [member.id] });
+		await authOwnerAgent
+			.put(`/workflows/${id}/share`)
+			.send({ shareWithIds: [memberPersonalProject.id] });

 		// member accesses workflow

@@ -979,11 +1054,13 @@ describe('PATCH /workflows/:id - validate interim updates', () => {

 		const createResponse = await authOwnerAgent.post('/workflows').send(makeWorkflow());
 		const { id, versionId: ownerVersionId } = createResponse.body.data;
-		await authOwnerAgent.put(`/workflows/${id}/share`).send({ shareWithIds: [member.id] });
+		await authOwnerAgent
+			.put(`/workflows/${id}/share`)
+			.send({ shareWithIds: [memberPersonalProject.id] });

 		// member accesses workflow

-		const memberGetResponse = await authMemberAgent.get(`/workflows/${id}`);
+		const memberGetResponse = await authMemberAgent.get(`/workflows/${id}`).expect(200);
 		const { versionId: memberVersionId } = memberGetResponse.body.data;

 		// owner updates workflow settings
@@ -1003,33 +1080,6 @@ describe('PATCH /workflows/:id - validate interim updates', () => {
 	});
 });

-describe('getSharedWorkflowIds', () => {
-	it('should show all workflows to owners', async () => {
-		owner.role = 'global:owner';
-		const workflow1 = await createWorkflow({}, member);
-		const workflow2 = await createWorkflow({}, anotherMember);
-		const sharedWorkflowIds =
-			await Container.get(WorkflowSharingService).getSharedWorkflowIds(owner);
-		expect(sharedWorkflowIds).toHaveLength(2);
-		expect(sharedWorkflowIds).toContain(workflow1.id);
-		expect(sharedWorkflowIds).toContain(workflow2.id);
-	});
-
-	it('should show shared workflows to users', async () => {
-		member.role = 'global:member';
-		const workflow1 = await createWorkflow({}, anotherMember);
-		const workflow2 = await createWorkflow({}, anotherMember);
-		const workflow3 = await createWorkflow({}, anotherMember);
-		await shareWorkflowWithUsers(workflow1, [member]);
-		await shareWorkflowWithUsers(workflow3, [member]);
-		const sharedWorkflowIds =
-			await Container.get(WorkflowSharingService).getSharedWorkflowIds(member);
-		expect(sharedWorkflowIds).toHaveLength(2);
-		expect(sharedWorkflowIds).toContain(workflow1.id);
-		expect(sharedWorkflowIds).toContain(workflow3.id);
-	});
-});
-
 describe('PATCH /workflows/:id - workflow history', () => {
 	test('Should create workflow history version when licensed', async () => {
 		license.enable('feat:workflowHistory');
--- a/packages/cli/test/integration/workflows/workflows.controller.test.ts
+++ b/packages/cli/test/integration/workflows/workflows.controller.test.ts
@@ -17,13 +17,22 @@ import * as testDb from '../shared/testDb';
 import { makeWorkflow, MOCK_PINDATA } from '../shared/utils/';
 import { randomCredentialPayload } from '../shared/random';
 import { saveCredential } from '../shared/db/credentials';
-import { createOwner } from '../shared/db/users';
-import { createWorkflow } from '../shared/db/workflows';
+import { createManyUsers, createMember, createOwner } from '../shared/db/users';
+import { createWorkflow, shareWorkflowWithProjects } from '../shared/db/workflows';
 import { createTag } from '../shared/db/tags';
 import { License } from '@/License';
+import { SharedWorkflowRepository } from '@/databases/repositories/sharedWorkflow.repository';
+import { ProjectRepository } from '@/databases/repositories/project.repository';
+import { ProjectService } from '@/services/project.service';
+import { createTeamProject, linkUserToProject } from '../shared/db/projects';
+import type { Scope } from '@n8n/permissions';

 let owner: User;
+let member: User;
+let anotherMember: User;
+
 let authOwnerAgent: SuperAgentTest;
+let authMemberAgent: SuperAgentTest;

 jest.spyOn(License.prototype, 'isSharingEnabled').mockReturnValue(false);

@@ -34,9 +43,15 @@ const { objectContaining, arrayContaining, any } = expect;

 const activeWorkflowManagerLike = mockInstance(ActiveWorkflowManager);

+let projectRepository: ProjectRepository;
+
 beforeAll(async () => {
+	projectRepository = Container.get(ProjectRepository);
 	owner = await createOwner();
 	authOwnerAgent = testServer.authAgentFor(owner);
+	member = await createMember();
+	authMemberAgent = testServer.authAgentFor(member);
+	anotherMember = await createMember();
 });

 beforeEach(async () => {
@@ -62,6 +77,52 @@ describe('POST /workflows', () => {
 		expect(pinData).toBeNull();
 	});

+	test('should return scopes on created workflow', async () => {
+		const payload = {
+			name: 'testing',
+			nodes: [
+				{
+					id: 'uuid-1234',
+					parameters: {},
+					name: 'Start',
+					type: 'n8n-nodes-base.start',
+					typeVersion: 1,
+					position: [240, 300],
+				},
+			],
+			connections: {},
+			staticData: null,
+			settings: {
+				saveExecutionProgress: true,
+				saveManualExecutions: true,
+				saveDataErrorExecution: 'all',
+				saveDataSuccessExecution: 'all',
+				executionTimeout: 3600,
+				timezone: 'America/New_York',
+			},
+			active: false,
+		};
+
+		const response = await authMemberAgent.post('/workflows').send(payload);
+
+		expect(response.statusCode).toBe(200);
+
+		const {
+			data: { id, scopes },
+		} = response.body;
+
+		expect(id).toBeDefined();
+		expect(scopes).toEqual(
+			[
+				'workflow:delete',
+				'workflow:execute',
+				'workflow:read',
+				'workflow:share',
+				'workflow:update',
+			].sort(),
+		);
+	});
+
 	test('should create workflow history version when licensed', async () => {
 		license.enable('feat:workflowHistory');
 		const payload = {
@@ -151,6 +212,151 @@ describe('POST /workflows', () => {
 			await Container.get(WorkflowHistoryRepository).count({ where: { workflowId: id } }),
 		).toBe(0);
 	});
+
+	test('create workflow in personal project by default', async () => {
+		//
+		// ARRANGE
+		//
+		const tag = await createTag({ name: 'A' });
+		const workflow = makeWorkflow();
+		const personalProject = await projectRepository.getPersonalProjectForUserOrFail(owner.id);
+
+		//
+		// ACT
+		//
+		const response = await authOwnerAgent
+			.post('/workflows')
+			.send({ ...workflow, tags: [tag.id] })
+			.expect(200);
+
+		//
+		// ASSERT
+		//
+		await Container.get(SharedWorkflowRepository).findOneOrFail({
+			where: {
+				projectId: personalProject.id,
+				workflowId: response.body.data.id,
+			},
+		});
+		expect(response.body.data).toMatchObject({
+			active: false,
+			id: expect.any(String),
+			name: workflow.name,
+			sharedWithProjects: [],
+			usedCredentials: [],
+			homeProject: {
+				id: personalProject.id,
+				name: personalProject.name,
+				type: personalProject.type,
+			},
+			tags: [{ id: tag.id, name: tag.name }],
+		});
+		expect(response.body.data.shared).toBeUndefined();
+	});
+
+	test('creates workflow in a specific project if the projectId is passed', async () => {
+		//
+		// ARRANGE
+		//
+		const tag = await createTag({ name: 'A' });
+		const workflow = makeWorkflow();
+		const project = await projectRepository.save(
+			projectRepository.create({
+				name: 'Team Project',
+				type: 'team',
+			}),
+		);
+		await Container.get(ProjectService).addUser(project.id, owner.id, 'project:admin');
+
+		//
+		// ACT
+		//
+		const response = await authOwnerAgent
+			.post('/workflows')
+			.send({ ...workflow, projectId: project.id, tags: [tag.id] })
+			.expect(200);
+
+		//
+		// ASSERT
+		//
+		await Container.get(SharedWorkflowRepository).findOneOrFail({
+			where: {
+				projectId: project.id,
+				workflowId: response.body.data.id,
+			},
+		});
+		expect(response.body.data).toMatchObject({
+			active: false,
+			id: expect.any(String),
+			name: workflow.name,
+			sharedWithProjects: [],
+			usedCredentials: [],
+			homeProject: {
+				id: project.id,
+				name: project.name,
+				type: project.type,
+			},
+			tags: [{ id: tag.id, name: tag.name }],
+		});
+		expect(response.body.data.shared).toBeUndefined();
+	});
+
+	test('does not create the workflow in a specific project if the user is not part of the project', async () => {
+		//
+		// ARRANGE
+		//
+		const workflow = makeWorkflow();
+		const project = await projectRepository.save(
+			projectRepository.create({
+				name: 'Team Project',
+				type: 'team',
+			}),
+		);
+
+		//
+		// ACT
+		//
+		await testServer
+			.authAgentFor(member)
+			.post('/workflows')
+			.send({ ...workflow, projectId: project.id })
+			//
+			// ASSERT
+			//
+			.expect(400, {
+				code: 400,
+				message: "You don't have the permissions to save the workflow in this project.",
+			});
+	});
+
+	test('does not create the workflow in a specific project if the user does not have the right role to do so', async () => {
+		//
+		// ARRANGE
+		//
+		const workflow = makeWorkflow();
+		const project = await projectRepository.save(
+			projectRepository.create({
+				name: 'Team Project',
+				type: 'team',
+			}),
+		);
+		await Container.get(ProjectService).addUser(project.id, member.id, 'project:viewer');
+
+		//
+		// ACT
+		//
+		await testServer
+			.authAgentFor(member)
+			.post('/workflows')
+			.send({ ...workflow, projectId: project.id })
+			//
+			// ASSERT
+			//
+			.expect(400, {
+				code: 400,
+				message: "You don't have the permissions to save the workflow in this project.",
+			});
+	});
 });

 describe('GET /workflows/:id', () => {
@@ -165,6 +371,17 @@ describe('GET /workflows/:id', () => {
 		const { pinData } = workflowRetrievalResponse.body.data as { pinData: IPinData };
 		expect(pinData).toMatchObject(MOCK_PINDATA);
 	});
+
+	test('should return tags', async () => {
+		const tag = await createTag({ name: 'A' });
+		const workflow = await createWorkflow({ tags: [tag] }, owner);
+
+		const response = await authOwnerAgent.get(`/workflows/${workflow.id}`).expect(200);
+
+		expect(response.body.data).toMatchObject({
+			tags: [expect.objectContaining({ id: tag.id, name: tag.name })],
+		});
+	});
 });

 describe('GET /workflows', () => {
@@ -179,6 +396,7 @@ describe('GET /workflows', () => {
 			user: owner,
 			role: 'credential:owner',
 		});
+		const ownerPersonalProject = await projectRepository.getPersonalProjectForUserOrFail(owner.id);

 		const nodes: INode[] = [
 			{
@@ -215,13 +433,12 @@ describe('GET /workflows', () => {
 					updatedAt: any(String),
 					tags: [{ id: any(String), name: 'A' }],
 					versionId: any(String),
-					ownedBy: {
-						id: owner.id,
-						email: any(String),
-						firstName: any(String),
-						lastName: any(String),
+					homeProject: {
+						id: ownerPersonalProject.id,
+						name: owner.createPersonalProjectName(),
+						type: ownerPersonalProject.type,
 					},
-					sharedWith: [],
+					sharedWithProjects: [],
 				}),
 				objectContaining({
 					id: any(String),
@@ -231,13 +448,12 @@ describe('GET /workflows', () => {
 					updatedAt: any(String),
 					tags: [],
 					versionId: any(String),
-					ownedBy: {
-						id: owner.id,
-						email: any(String),
-						firstName: any(String),
-						lastName: any(String),
+					homeProject: {
+						id: ownerPersonalProject.id,
+						name: owner.createPersonalProjectName(),
+						type: ownerPersonalProject.type,
 					},
-					sharedWith: [],
+					sharedWithProjects: [],
 				}),
 			]),
 		});
@@ -247,10 +463,142 @@ describe('GET /workflows', () => {
 		);

 		expect(found.nodes).toBeUndefined();
-		expect(found.sharedWith).toHaveLength(0);
+		expect(found.sharedWithProjects).toHaveLength(0);
 		expect(found.usedCredentials).toBeUndefined();
 	});

+	test('should return workflows with scopes when ?includeScopes=true', async () => {
+		const [member1, member2] = await createManyUsers(2, {
+			role: 'global:member',
+		});
+
+		const teamProject = await createTeamProject(undefined, member1);
+		await linkUserToProject(member2, teamProject, 'project:editor');
+
+		const credential = await saveCredential(randomCredentialPayload(), {
+			user: owner,
+			role: 'credential:owner',
+		});
+
+		const nodes: INode[] = [
+			{
+				id: uuid(),
+				name: 'Action Network',
+				type: 'n8n-nodes-base.actionNetwork',
+				parameters: {},
+				typeVersion: 1,
+				position: [0, 0],
+				credentials: {
+					actionNetworkApi: {
+						id: credential.id,
+						name: credential.name,
+					},
+				},
+			},
+		];
+
+		const tag = await createTag({ name: 'A' });
+
+		const [savedWorkflow1, savedWorkflow2] = await Promise.all([
+			createWorkflow({ name: 'First', nodes, tags: [tag] }, teamProject),
+			createWorkflow({ name: 'Second' }, member2),
+		]);
+
+		await shareWorkflowWithProjects(savedWorkflow2, [{ project: teamProject }]);
+
+		{
+			const response = await testServer.authAgentFor(member1).get('/workflows?includeScopes=true');
+
+			expect(response.statusCode).toBe(200);
+			expect(response.body.data.length).toBe(2);
+
+			const workflows = response.body.data as Array<WorkflowEntity & { scopes: Scope[] }>;
+			const wf1 = workflows.find((w) => w.id === savedWorkflow1.id)!;
+			const wf2 = workflows.find((w) => w.id === savedWorkflow2.id)!;
+
+			// Team workflow
+			expect(wf1.id).toBe(savedWorkflow1.id);
+			expect(wf1.scopes).toEqual(
+				['workflow:read', 'workflow:update', 'workflow:delete', 'workflow:execute'].sort(),
+			);
+
+			// Shared workflow
+			expect(wf2.id).toBe(savedWorkflow2.id);
+			expect(wf2.scopes).toEqual(['workflow:read', 'workflow:update', 'workflow:execute'].sort());
+		}
+
+		{
+			const response = await testServer.authAgentFor(member2).get('/workflows?includeScopes=true');
+
+			expect(response.statusCode).toBe(200);
+			expect(response.body.data.length).toBe(2);
+
+			const workflows = response.body.data as Array<WorkflowEntity & { scopes: Scope[] }>;
+			const wf1 = workflows.find((w) => w.id === savedWorkflow1.id)!;
+			const wf2 = workflows.find((w) => w.id === savedWorkflow2.id)!;
+
+			// Team workflow
+			expect(wf1.id).toBe(savedWorkflow1.id);
+			expect(wf1.scopes).toEqual([
+				'workflow:delete',
+				'workflow:execute',
+				'workflow:read',
+				'workflow:update',
+			]);
+
+			// Shared workflow
+			expect(wf2.id).toBe(savedWorkflow2.id);
+			expect(wf2.scopes).toEqual(
+				[
+					'workflow:read',
+					'workflow:update',
+					'workflow:delete',
+					'workflow:execute',
+					'workflow:share',
+				].sort(),
+			);
+		}
+
+		{
+			const response = await testServer.authAgentFor(owner).get('/workflows?includeScopes=true');
+
+			expect(response.statusCode).toBe(200);
+			expect(response.body.data.length).toBe(2);
+
+			const workflows = response.body.data as Array<WorkflowEntity & { scopes: Scope[] }>;
+			const wf1 = workflows.find((w) => w.id === savedWorkflow1.id)!;
+			const wf2 = workflows.find((w) => w.id === savedWorkflow2.id)!;
+
+			// Team workflow
+			expect(wf1.id).toBe(savedWorkflow1.id);
+			expect(wf1.scopes).toEqual(
+				[
+					'workflow:create',
+					'workflow:read',
+					'workflow:update',
+					'workflow:delete',
+					'workflow:list',
+					'workflow:share',
+					'workflow:execute',
+				].sort(),
+			);
+
+			// Shared workflow
+			expect(wf2.id).toBe(savedWorkflow2.id);
+			expect(wf2.scopes).toEqual(
+				[
+					'workflow:create',
+					'workflow:read',
+					'workflow:update',
+					'workflow:delete',
+					'workflow:list',
+					'workflow:share',
+					'workflow:execute',
+				].sort(),
+			);
+		}
+	});
+
 	describe('filter', () => {
 		test('should filter workflows by field: name', async () => {
 			await createWorkflow({ name: 'First' }, owner);
@@ -298,6 +646,26 @@ describe('GET /workflows', () => {
 				data: [objectContaining({ name: 'First', tags: [{ id: any(String), name: 'A' }] })],
 			});
 		});
+
+		test('should filter workflows by projectId', async () => {
+			const workflow = await createWorkflow({ name: 'First' }, owner);
+			const pp = await Container.get(ProjectRepository).getPersonalProjectForUserOrFail(owner.id);
+
+			const response1 = await authOwnerAgent
+				.get('/workflows')
+				.query(`filter={ "projectId": "${pp.id}" }`)
+				.expect(200);
+
+			expect(response1.body.data).toHaveLength(1);
+			expect(response1.body.data[0].id).toBe(workflow.id);
+
+			const response2 = await authOwnerAgent
+				.get('/workflows')
+				.query('filter={ "projectId": "Non-Existing Project ID" }')
+				.expect(200);
+
+			expect(response2.body.data).toHaveLength(0);
+		});
 	});

 	describe('select', () => {
@@ -419,6 +787,9 @@ describe('GET /workflows', () => {
 		test('should select workflow field: ownedBy', async () => {
 			await createWorkflow({}, owner);
 			await createWorkflow({}, owner);
+			const ownerPersonalProject = await projectRepository.getPersonalProjectForUserOrFail(
+				owner.id,
+			);

 			const response = await authOwnerAgent
 				.get('/workflows')
@@ -430,23 +801,21 @@ describe('GET /workflows', () => {
 				data: arrayContaining([
 					{
 						id: any(String),
-						ownedBy: {
-							id: owner.id,
-							email: any(String),
-							firstName: any(String),
-							lastName: any(String),
+						homeProject: {
+							id: ownerPersonalProject.id,
+							name: owner.createPersonalProjectName(),
+							type: ownerPersonalProject.type,
 						},
-						sharedWith: [],
+						sharedWithProjects: [],
 					},
 					{
 						id: any(String),
-						ownedBy: {
-							id: owner.id,
-							email: any(String),
-							firstName: any(String),
-							lastName: any(String),
+						homeProject: {
+							id: ownerPersonalProject.id,
+							name: owner.createPersonalProjectName(),
+							type: ownerPersonalProject.type,
 						},
-						sharedWith: [],
+						sharedWithProjects: [],
 					},
 				]),
 			});
@@ -645,7 +1014,7 @@ describe('POST /workflows/run', () => {
 	test('should prevent tampering if sharing is enabled', async () => {
 		sharingSpy.mockReturnValue(true);

-		await authOwnerAgent.post('/workflows/run').send({ workflowData: workflow });
+		await authOwnerAgent.post(`/workflows/${workflow.id}/run`).send({ workflowData: workflow });

 		expect(tamperingSpy).toHaveBeenCalledTimes(1);
 	});
@@ -653,8 +1022,70 @@ describe('POST /workflows/run', () => {
 	test('should skip tampering prevention if sharing is disabled', async () => {
 		sharingSpy.mockReturnValue(false);

-		await authOwnerAgent.post('/workflows/run').send({ workflowData: workflow });
+		await authOwnerAgent.post(`/workflows/${workflow.id}/run`).send({ workflowData: workflow });

 		expect(tamperingSpy).not.toHaveBeenCalled();
 	});
 });
+
+describe('DELETE /workflows/:id', () => {
+	test('deletes a workflow owned by the user', async () => {
+		const workflow = await createWorkflow({}, owner);
+
+		await authOwnerAgent.delete(`/workflows/${workflow.id}`).send().expect(200);
+
+		const workflowInDb = await Container.get(WorkflowRepository).findById(workflow.id);
+		const sharedWorkflowsInDb = await Container.get(SharedWorkflowRepository).findBy({
+			workflowId: workflow.id,
+		});
+
+		expect(workflowInDb).toBeNull();
+		expect(sharedWorkflowsInDb).toHaveLength(0);
+	});
+
+	test('deletes a workflow owned by the user, even if the user is just a member', async () => {
+		const workflow = await createWorkflow({}, member);
+
+		await testServer.authAgentFor(member).delete(`/workflows/${workflow.id}`).send().expect(200);
+
+		const workflowInDb = await Container.get(WorkflowRepository).findById(workflow.id);
+		const sharedWorkflowsInDb = await Container.get(SharedWorkflowRepository).findBy({
+			workflowId: workflow.id,
+		});
+
+		expect(workflowInDb).toBeNull();
+		expect(sharedWorkflowsInDb).toHaveLength(0);
+	});
+
+	test('does not delete a workflow that is not owned by the user', async () => {
+		const workflow = await createWorkflow({}, member);
+
+		await testServer
+			.authAgentFor(anotherMember)
+			.delete(`/workflows/${workflow.id}`)
+			.send()
+			.expect(403);
+
+		const workflowsInDb = await Container.get(WorkflowRepository).findById(workflow.id);
+		const sharedWorkflowsInDb = await Container.get(SharedWorkflowRepository).findBy({
+			workflowId: workflow.id,
+		});
+
+		expect(workflowsInDb).not.toBeNull();
+		expect(sharedWorkflowsInDb).toHaveLength(1);
+	});
+
+	test("allows the owner to delete workflows they don't own", async () => {
+		const workflow = await createWorkflow({}, member);
+
+		await authOwnerAgent.delete(`/workflows/${workflow.id}`).send().expect(200);
+
+		const workflowsInDb = await Container.get(WorkflowRepository).findById(workflow.id);
+		const sharedWorkflowsInDb = await Container.get(SharedWorkflowRepository).findBy({
+			workflowId: workflow.id,
+		});
+
+		expect(workflowsInDb).toBeNull();
+		expect(sharedWorkflowsInDb).toHaveLength(0);
+	});
+});