From 0873cfa9970949131fb39cfe82899d0dcdb1be37 Mon Sep 17 00:00:00 2001
From: Ali BARIN <ali.barin53@gmail.com>
Date: Tue, 7 Nov 2023 15:49:51 +0000
Subject: [PATCH] fix: let permitted users create step in not-owned flows

---
 packages/backend/src/graphql/mutations/create-step.ts | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/packages/backend/src/graphql/mutations/create-step.ts b/packages/backend/src/graphql/mutations/create-step.ts
index e37c0f95..e246c089 100644
--- a/packages/backend/src/graphql/mutations/create-step.ts
+++ b/packages/backend/src/graphql/mutations/create-step.ts
@@ -1,4 +1,5 @@
 import App from '../../models/app';
+import Flow from '../../models/flow';
 import Context from '../../types/express/context';
 
 type Params = {
@@ -22,7 +23,10 @@ const createStep = async (
   params: Params,
   context: Context
 ) => {
-  context.currentUser.can('update', 'Flow');
+  const conditions = context.currentUser.can('update', 'Flow');
+  const userFlows = context.currentUser.$relatedQuery('flows');
+  const allFlows = Flow.query();
+  const flowsQuery = conditions.isCreator ? userFlows : allFlows;
 
   const { input } = params;
 
@@ -34,8 +38,7 @@ const createStep = async (
     await App.findOneByKey(input.appKey);
   }
 
-  const flow = await context.currentUser
-    .$relatedQuery('flows')
+  const flow = await flowsQuery
     .findOne({
       id: input.flow.id,
     })