From b7a22d05f9602108752c981018fefd0eddb7ae86 Mon Sep 17 00:00:00 2001
From: seongjinyoon <seongjin123.sy@gmail.com>
Date: Wed, 14 Jan 2026 15:00:41 -0800
Subject: [PATCH] allow workflow access level edit

---
 .../workflow/WorkflowAccessResource.scala     |  9 ++-
 .../share-access/share-access.component.html  | 11 +++-
 .../share-access/share-access.component.ts    | 64 ++++++++++++++++++-
 3 files changed, 80 insertions(+), 4 deletions(-)

diff --git a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
index 2c92352a084..799e3d7c5dd 100644
--- a/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
+++ b/amber/src/main/scala/org/apache/texera/web/resource/dashboard/user/workflow/WorkflowAccessResource.scala
@@ -33,6 +33,7 @@ import org.apache.texera.dao.jooq.generated.tables.pojos.WorkflowUserAccess
 import org.apache.texera.web.model.common.AccessEntry
 import org.apache.texera.web.resource.dashboard.user.workflow.WorkflowAccessResource.{
   context,
+  getPrivilege,
   hasWriteAccess
 }
 import org.jooq.DSLContext
@@ -174,10 +175,16 @@ class WorkflowAccessResource() {
       @PathParam("privilege") privilege: String,
       @Auth user: SessionUser
   ): Unit = {
-    if (email.equals(user.getEmail)) {
+    val isModifyingOwnAccess = email.equals(user.getEmail)
+    val currentPrivilege = getPrivilege(wid, user.getUid)
+    val hasExistingAccess = !currentPrivilege.eq(PrivilegeEnum.NONE)
+
+    // Users can only modify their own access if they already have access
+    if (isModifyingOwnAccess && !hasExistingAccess) {
       throw new BadRequestException("You cannot grant access to yourself!")
     }
 
+    // Must have write access to modify access levels (including your own)
     if (!hasWriteAccess(wid, user.getUid)) {
       throw new ForbiddenException(s"You do not have permission to modify workflow $wid")
     }
diff --git a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
index 717c1cbc188..055456236d2 100644
--- a/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
+++ b/frontend/src/app/dashboard/component/user/share-access/share-access.component.html
@@ -151,9 +151,16 @@
   id="current-share">
   <li><nz-tag nzColor="green">OWNER</nz-tag> {{ owner }}</li>
   <li *ngFor="let entry of accessList">
-    <nz-tag nzColor="blue">{{ entry.privilege }}</nz-tag> {{ entry.email }} ({{ entry.name }})
+    <select
+      [value]="entry.privilege"
+      [disabled]="!hasWriteAccess"
+      (change)="changeAccessLevel(entry.email, $any($event.target).value)">
+      <option value="READ">READ</option>
+      <option value="WRITE">WRITE</option>
+    </select>
+    {{ entry.email }} ({{ entry.name }})
     <button
-      [disabled]="!writeAccess && entry.email !== currentEmail"
+      [disabled]="!hasWriteAccess && entry.email !== currentEmail"
       (click)="verifyRevokeAccess(entry.email)"
       nz-button
       nz-tooltip="revoke access"
diff --git a/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts b/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
index de7d83531f0..ba50f721d2b 100644
--- a/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
+++ b/frontend/src/app/dashboard/component/user/share-access/share-access.component.ts
@@ -20,7 +20,7 @@
 import { Component, EventEmitter, inject, OnDestroy, OnInit, Output } from "@angular/core";
 import { FormBuilder, FormControl, FormGroup, Validators } from "@angular/forms";
 import { ShareAccessService } from "../../../service/user/share-access/share-access.service";
-import { ShareAccess } from "../../../type/share-access.interface";
+import { Privilege, ShareAccess } from "../../../type/share-access.interface";
 import { UntilDestroy, untilDestroyed } from "@ngneat/until-destroy";
 import { UserService } from "../../../../common/service/user/user.service";
 import { GmailService } from "../../../../common/service/gmail/gmail.service";
@@ -76,6 +76,17 @@ export class ShareAccessComponent implements OnInit, OnDestroy {
     this.currentEmail = this.userService.getCurrentUser()?.email;
   }
 
+  get hasWriteAccess(): boolean {
+    if (!this.currentEmail) {
+      return false;
+    }
+    if (this.currentEmail === this.owner) {
+      return true;
+    }
+    const currentUserAccess = this.accessList.find(entry => entry.email === this.currentEmail);
+    return currentUserAccess?.privilege === Privilege.WRITE;
+  }
+
   ngOnInit(): void {
     this.accessService
       .getAccessList(this.type, this.id)
@@ -238,6 +249,57 @@ export class ShareAccessComponent implements OnInit, OnDestroy {
       });
   }
 
+  public changeAccessLevel(email: string, newPrivilege: string): void {
+    const isOwnAccess = email === this.currentEmail;
+    const currentUserAccess = this.accessList.find(entry => entry.email === email);
+    const isDowngrade = currentUserAccess?.privilege === Privilege.WRITE && newPrivilege === "READ";
+
+    if (isOwnAccess && isDowngrade) {
+      const modal: NzModalRef = this.modalService.create({
+        nzTitle: "Downgrade Your Access",
+        nzContent: `Are you sure you want to change your own access to READ? You will no longer be able to edit this ${this.type} or manage access.`,
+        nzFooter: [
+          {
+            label: "Cancel",
+            onClick: () => {
+              modal.close();
+              this.ngOnInit();
+            },
+          },
+          {
+            label: "Confirm",
+            type: "primary",
+            danger: true,
+            onClick: () => {
+              this.doChangeAccessLevel(email, newPrivilege);
+              modal.close();
+            },
+          },
+        ],
+      });
+    } else {
+      this.doChangeAccessLevel(email, newPrivilege);
+    }
+  }
+
+  private doChangeAccessLevel(email: string, newPrivilege: string): void {
+    this.accessService
+      .grantAccess(this.type, this.id, email, newPrivilege)
+      .pipe(untilDestroyed(this))
+      .subscribe({
+        next: () => {
+          this.notificationService.success(`Access level for ${email} changed to ${newPrivilege}.`);
+          this.ngOnInit();
+        },
+        error: (error: unknown) => {
+          if (error instanceof HttpErrorResponse) {
+            this.notificationService.error(error.error.message);
+          }
+          this.ngOnInit();
+        },
+      });
+  }
+
   public verifyPublish(): void {
     if (!this.isPublic) {
       const modal: NzModalRef = this.modalService.create({