From 3124cf7b942a931b72f39573c0ee6752000f4e74 Mon Sep 17 00:00:00 2001
From: seongjinyoon <seongjin123.sy@gmail.com>
Date: Sun, 11 Jan 2026 15:11:13 -0800
Subject: [PATCH 1/2] fix revoke access to not clone workflow

---
 .../user/workflow/WorkflowResource.scala      |  8 +++--
 .../share-access/share-access.component.html  |  2 +-
 .../share-access/share-access.component.ts    | 32 +++++++++++++++++--
 .../component/menu/menu.component.ts          | 12 +++++--
 4 files changed, 47 insertions(+), 7 deletions(-)

diff --git a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
index 45ed49a23dc..fc59f91ae2f 100644
--- a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
+++ b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
@@ -431,8 +431,12 @@ class WorkflowResource extends LazyLogging {
       workflowDao.update(workflow)
     } else {
       if (!WorkflowAccessResource.hasReadAccess(workflow.getWid, user.getUid)) {
-        // not owner and no access record --> new record
-        workflow.setWid(null)
+        // Check if this is an existing workflow (has a wid) or a new one (wid is null)
+        if (workflow.getWid != null) {
+          // User trying to persist an existing workflow without access - reject
+          throw new ForbiddenException("No sufficient access privilege.")
+        }
+        // This is a new workflow being created (wid is null)
         insertWorkflow(workflow, user)
         WorkflowVersionResource.insertVersion(workflow, insertingNewWorkflow = true)
       } else if (WorkflowAccessResource.hasWriteAccess(workflow.getWid, user.getUid)) {
diff --git a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
index f181ef839d5..717c1cbc188 100644
--- a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
+++ b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
@@ -154,7 +154,7 @@
     <nz-tag nzColor="blue">{{ entry.privilege }}</nz-tag> {{ entry.email }} ({{ entry.name }})
     <button
       [disabled]="!writeAccess && entry.email !== currentEmail"
-      (click)="revokeAccess(entry.email)"
+      (click)="verifyRevokeAccess(entry.email)"
       nz-button
       nz-tooltip="revoke access"
       nzSize="small"
diff --git a/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts b/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
index 9b7e5be175b..de7d83531f0 100644
--- a/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
+++ b/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
@@ -190,7 +190,35 @@ export class ShareAccessComponent implements OnInit, OnDestroy {
     }
   }
 
-  public revokeAccess(userToRemove: string): void {
+  public verifyRevokeAccess(userToRemove: string): void {
+    const isRevokingOwnAccess = userToRemove === this.userService.getCurrentUser()?.email;
+    const modalTitle = isRevokingOwnAccess ? "Revoke Your Access" : "Revoke Access";
+    const modalContent = isRevokingOwnAccess
+      ? `Are you sure you want to revoke your own access to this ${this.type}? You will no longer be able to view or edit it.`
+      : `Are you sure you want to revoke ${userToRemove}'s access to this ${this.type}?`;
+
+    const modal: NzModalRef = this.modalService.create({
+      nzTitle: modalTitle,
+      nzContent: modalContent,
+      nzFooter: [
+        {
+          label: "Cancel",
+          onClick: () => modal.close(),
+        },
+        {
+          label: "Revoke",
+          type: "primary",
+          danger: true,
+          onClick: () => {
+            this.revokeAccess(userToRemove);
+            modal.close();
+          },
+        },
+      ],
+    });
+  }
+
+  private revokeAccess(userToRemove: string): void {
     this.accessService
       .revokeAccess(this.type, this.id, userToRemove)
       .pipe(untilDestroyed(this))
@@ -198,7 +226,7 @@ export class ShareAccessComponent implements OnInit, OnDestroy {
         next: () => {
           if (userToRemove == this.userService.getCurrentUser()?.email) {
             this.shouldRefresh = true;
-            this.modalRef.close();
+            this.modalRef.close({ userRevokedOwnAccess: true });
           }
           this.ngOnInit();
         },
diff --git a/frontend/src/app/workspace/component/menu/menu.component.ts b/frontend/src/app/workspace/component/menu/menu.component.ts
index e821bf3addd..69ccfd48c69 100644
--- a/frontend/src/app/workspace/component/menu/menu.component.ts
+++ b/frontend/src/app/workspace/component/menu/menu.component.ts
@@ -19,6 +19,7 @@
 
 import { DatePipe, Location } from "@angular/common";
 import { Component, ElementRef, Input, OnDestroy, OnInit, ViewChild } from "@angular/core";
+import { Router } from "@angular/router";
 import { UserService } from "../../../common/service/user/user.service";
 import {
   DEFAULT_WORKFLOW_NAME,
@@ -141,7 +142,8 @@ export class MenuComponent implements OnInit, OnDestroy {
     private reportGenerationService: ReportGenerationService,
     private panelService: PanelService,
     private computingUnitStatusService: ComputingUnitStatusService,
-    protected config: GuiConfigService
+    protected config: GuiConfigService,
+    private router: Router
   ) {
     workflowWebsocketService
       .subscribeToEvent("ExecutionDurationUpdateEvent")
@@ -262,7 +264,7 @@ export class MenuComponent implements OnInit, OnDestroy {
   }
 
   public async onClickOpenShareAccess(): Promise<void> {
-    this.modalService.create({
+    const modalRef = this.modalService.create({
       nzContent: ShareAccessComponent,
       nzData: {
         writeAccess: this.writeAccess,
@@ -276,6 +278,12 @@ export class MenuComponent implements OnInit, OnDestroy {
       nzCentered: true,
       nzWidth: "800px",
     });
+
+    modalRef.afterClose.pipe(untilDestroyed(this)).subscribe(result => {
+      if (result?.userRevokedOwnAccess) {
+        this.router.navigate([DASHBOARD_USER_WORKFLOW]);
+      }
+    });
   }
 
   // apply a behavior to the run button via bound variables

From 1b98a8c2aba44f873ac43e790d725f8683c0e686 Mon Sep 17 00:00:00 2001
From: seongjinyoon <seongjin123.sy@gmail.com>
Date: Mon, 12 Jan 2026 16:18:36 -0800
Subject: [PATCH 2/2] check for both getWid and existsById

---
 .../dashboard/user/workflow/WorkflowResource.scala       | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
index fc59f91ae2f..5cbb5bbdd8f 100644
--- a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
+++ b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowResource.scala
@@ -431,12 +431,15 @@ class WorkflowResource extends LazyLogging {
       workflowDao.update(workflow)
     } else {
       if (!WorkflowAccessResource.hasReadAccess(workflow.getWid, user.getUid)) {
-        // Check if this is an existing workflow (has a wid) or a new one (wid is null)
-        if (workflow.getWid != null) {
+        // Check if this workflow exists in the database
+        val workflowExistsInDb =
+          workflow.getWid != null && workflowDao.existsById(workflow.getWid)
+        if (workflowExistsInDb) {
           // User trying to persist an existing workflow without access - reject
           throw new ForbiddenException("No sufficient access privilege.")
         }
-        // This is a new workflow being created (wid is null)
+        // This is a new workflow being created (wid is null or doesn't exist in DB)
+        workflow.setWid(null)
         insertWorkflow(workflow, user)
         WorkflowVersionResource.insertVersion(workflow, insertingNewWorkflow = true)
       } else if (WorkflowAccessResource.hasWriteAccess(workflow.getWid, user.getUid)) {