diff --git a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
index 2c92352a08..799e3d7c5d 100644
--- a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
+++ b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
@@ -33,6 +33,7 @@ import org.apache.texera.dao.jooq.generated.tables.pojos.WorkflowUserAccess
 import org.apache.texera.web.model.common.AccessEntry
 import org.apache.texera.web.resource.dashboard.user.workflow.WorkflowAccessResource.{
 context,
+ getPrivilege,
 hasWriteAccess
 }
 import org.jooq.DSLContext
@@ -174,10 +175,16 @@ class WorkflowAccessResource() {
 @PathParam("privilege") privilege: String,
 @Auth user: SessionUser
 ): Unit = {
- if (email.equals(user.getEmail)) {
+ val isModifyingOwnAccess = email.equals(user.getEmail)
+ val currentPrivilege = getPrivilege(wid, user.getUid)
+ val hasExistingAccess = !currentPrivilege.eq(PrivilegeEnum.NONE)
+
+ // Users can only modify their own access if they already have access
+ if (isModifyingOwnAccess && !hasExistingAccess) {
 throw new BadRequestException("You cannot grant access to yourself!")
 }
 
+ // Must have write access to modify access levels (including your own)
 if (!hasWriteAccess(wid, user.getUid)) {
 throw new ForbiddenException(s"You do not have permission to modify workflow $wid")
 }
diff --git a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
index 717c1cbc18..055456236d 100644
--- a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
+++ b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
@@ -151,9 +151,16 @@ id="current-share">
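Review bot: With the self-modification ban relaxed in the second hunk of WorkflowAccessResource.scala, the only thing that stops a READ-only collaborator from raising their own privilege is the `hasWriteAccess(wid, user.getUid)` check; the rewritten first `if` now only selects the 400 response for a caller with no access at all, who would be rejected with 403 by the next check anyway. Since `hasWriteAccess` is now the sole authorization gate for self-changes, this commit should carry a regression test that a READ user setting their own privilege to WRITE gets 403, and the comment could say so directly: `// Authorization: only writers may change any access entry, including their own`. It is not visible here whether a workflow's owner or last remaining writer can now downgrade their own entry and leave nobody able to manage sharing; if the code after the hunk does not prevent that, it should. `!currentPrivilege.eq(PrivilegeEnum.NONE)` uses reference equality, which presumably holds for an enum constant but reads like a mistake; `currentPrivilege != PrivilegeEnum.NONE` states the intent. The method body begins above the hunk and continues below it.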