canAccessQuery now uses global flag and env var too

Author: matt-aitken

apps/webapp/app/env.server.ts

@@ -1190,6 +1190,9 @@ const EnvironmentSchema = z
     CLICKHOUSE_LOGS_DETAIL_MAX_THREADS: z.coerce.number().int().default(2),
     CLICKHOUSE_LOGS_DETAIL_MAX_EXECUTION_TIME: z.coerce.number().int().default(60),
 
+    // Query feature flag
+    QUERY_FEATURE_ENABLED: z.string().default("1"),
+
     // Query page ClickHouse limits (for TSQL queries)
     QUERY_CLICKHOUSE_MAX_EXECUTION_TIME: z.coerce.number().int().default(10),
     QUERY_CLICKHOUSE_MAX_MEMORY_USAGE: z.coerce.number().int().default(1_073_741_824), // 1GB in bytes

apps/webapp/app/presenters/OrganizationsPresenter.server.ts

@@ -1,4 +1,4 @@
-import { RuntimeEnvironment, type PrismaClient } from "@trigger.dev/database";
+import type { RuntimeEnvironment, PrismaClient } from "@trigger.dev/database";
 import { redirect } from "remix-typedjson";
 import { prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
@@ -10,7 +10,7 @@ import {
 } from "./SelectBestEnvironmentPresenter.server";
 import { sortEnvironments } from "~/utils/environmentSort";
 import { defaultAvatar, parseAvatar } from "~/components/primitives/Avatar";
-import { validatePartialFeatureFlags } from "~/v3/featureFlags.server";
+import { flags, validatePartialFeatureFlags } from "~/v3/featureFlags.server";
 
 export class OrganizationsPresenter {
   #prismaClient: PrismaClient;
@@ -153,18 +153,24 @@ export class OrganizationsPresenter {
       },
     });
 
+    // Get global feature flags (no overrides or defaults)
+    const globalFlags = await flags();
+
     return orgs.map((org) => {
-      const flagsResult = org.featureFlags
+      const orgFlagsResult = org.featureFlags
         ? validatePartialFeatureFlags(org.featureFlags as Record<string, unknown>)
         : ({ success: false } as const);
-      const flags = flagsResult.success ? flagsResult.data : {};
+      const orgFlags = orgFlagsResult.success ? orgFlagsResult.data : {};
+
+      // Combine global flags with org flags (org flags win)
+      const combinedFlags = { ...globalFlags, ...orgFlags };
 
       return {
         id: org.id,
         slug: org.slug,
         title: org.title,
         avatar: parseAvatar(org.avatar, defaultAvatar),
-        featureFlags: flags,
+        featureFlags: combinedFlags,
         projects: org.projects.map((project) => ({
           id: project.id,
           slug: project.slug,

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.query/route.tsx

@@ -75,7 +75,7 @@ import { executeQuery, type QueryScope } from "~/services/queryService.server";
 import { requireUser } from "~/services/session.server";
 import { downloadFile, rowsToCSV, rowsToJSON } from "~/utils/dataExport";
 import { EnvironmentParamSchema, organizationBillingPath } from "~/utils/pathBuilder";
-import { FEATURE_FLAG, validateFeatureFlagValue } from "~/v3/featureFlags.server";
+import { canAccessQuery } from "~/v3/canAccessQuery.server";
 import { querySchemas } from "~/v3/querySchemas";
 import { useCurrentPlan } from "../_app.orgs.$organizationSlug/route";
 import { QueryHelpSidebar } from "./QueryHelpSidebar";
@@ -91,40 +91,6 @@ function toISOString(value: Date | string): string {
   return value.toISOString();
 }
 
-async function hasQueryAccess(
-  userId: string,
-  isAdmin: boolean,
-  isImpersonating: boolean,
-  organizationSlug: string
-): Promise<boolean> {
-  if (isAdmin || isImpersonating) {
-    return true;
-  }
-
-  // Check organization feature flags
-  const organization = await prisma.organization.findFirst({
-    where: {
-      slug: organizationSlug,
-      members: { some: { userId } },
-    },
-    select: {
-      featureFlags: true,
-    },
-  });
-
-  if (!organization?.featureFlags) {
-    return false;
-  }
-
-  const flags = organization.featureFlags as Record<string, unknown>;
-  const hasQueryAccessResult = validateFeatureFlagValue(
-    FEATURE_FLAG.hasQueryAccess,
-    flags.hasQueryAccess
-  );
-
-  return hasQueryAccessResult.success && hasQueryAccessResult.data === true;
-}
-
 const scopeOptions = [
   { value: "environment", label: "Environment" },
   { value: "project", label: "Project" },
@@ -135,12 +101,12 @@ export const loader = async ({ request, params }: LoaderFunctionArgs) => {
   const user = await requireUser(request);
   const { projectParam, organizationSlug, envParam } = EnvironmentParamSchema.parse(params);
 
-  const canAccess = await hasQueryAccess(
-    user.id,
-    user.admin,
-    user.isImpersonating,
-    organizationSlug
-  );
+  const canAccess = await canAccessQuery({
+    userId: user.id,
+    isAdmin: user.admin,
+    isImpersonating: user.isImpersonating,
+    organizationSlug,
+  });
   if (!canAccess) {
     throw redirect("/");
   }
@@ -200,12 +166,12 @@ export const action = async ({ request, params }: ActionFunctionArgs) => {
   const user = await requireUser(request);
   const { projectParam, organizationSlug, envParam } = EnvironmentParamSchema.parse(params);
 
-  const canAccess = await hasQueryAccess(
-    user.id,
-    user.admin,
-    user.isImpersonating,
-    organizationSlug
-  );
+  const canAccess = await canAccessQuery({
+    userId: user.id,
+    isAdmin: user.admin,
+    isImpersonating: user.isImpersonating,
+    organizationSlug,
+  });
   if (!canAccess) {
     return typedjson(
       {

apps/webapp/app/v3/canAccessQuery.server.ts

@@ -0,0 +1,47 @@
+import { prisma } from "~/db.server";
+import { env } from "~/env.server";
+import { FEATURE_FLAG, makeFlag } from "~/v3/featureFlags.server";
+
+export async function canAccessQuery(options: {
+  userId: string;
+  isAdmin: boolean;
+  isImpersonating: boolean;
+  organizationSlug: string;
+}): Promise<boolean> {
+  const { userId, isAdmin, isImpersonating, organizationSlug } = options;
+
+  // 1. If it's on then we have access
+  const globallyEnabled = env.QUERY_FEATURE_ENABLED === "1";
+  if (globallyEnabled) {
+    return true;
+  }
+
+  // 2. Admins always have access
+  if (isAdmin || isImpersonating) {
+    return true;
+  }
+
+  // 3. Check if org/global feature flag is on
+  const org = await prisma.organization.findFirst({
+    where: {
+      slug: organizationSlug,
+      members: { some: { userId } },
+    },
+    select: {
+      featureFlags: true,
+    },
+  });
+
+  const flag = makeFlag();
+  const flagResult = await flag({
+    key: FEATURE_FLAG.hasQueryAccess,
+    defaultValue: false,
+    overrides: (org?.featureFlags as Record<string, unknown>) ?? {},
+  });
+  if (flagResult) {
+    return true;
+  }
+
+  // 4. Not enabled anywhere
+  return false;
+}