dify - Add a read-only "viewer" workspace role [1 pull request]

Fix Action

Fixed

Self Checks

  • I have read the Contributing Guide and Language Policy.
  • I have searched for existing issues, including closed ones.
  • I confirm that I am using English to submit this report, otherwise it will be closed.
  • Please do not modify this template :) and fill in all the required fields.

1. Is this request related to a challenge you're experiencing? Tell me about your story.

Today a workspace member is either an editor (owner/admin/editor — full edit, run, and history access) or a normal member (can only use published apps, with no access to the Studio at all). There is no role in between.

In our team, stakeholders such as reviewers, QA, and cross-team engineers frequently need to inspect how a workflow / chatflow is
built — open the canvas, read node configuration and variables — but they should not be able to modify the draft, trigger test
runs, restore versions, or browse run history.

With the current roles we are forced to choose between two bad options:

  1. Grant editor, which over-privileges them and risks accidental edits or runs against a shared draft; or
  2. Grant normal, which hides the Studio entirely, so they cannot see the workflow design at all.

I was trying to give a reviewer "look but don't touch" access to a workflow app, and there was simply no way to express that. It
was frustrating because read-only inspection is a very common need and currently has no safe answer.

Proposed solution — a new read-only viewer role:

  • May open workflow-style apps (workflow / advanced-chat) in the editor in read-only mode (canvas + node config + variables).
  • May not edit the draft, run/preview the workflow, view run history, or restore versions — the corresponding entries are hidden
    and their backend endpoints reject the role.
  • For non-workflow apps, behaves like a normal member (lands on the overview page).
  • Assignable through the existing member invite / change-role flow, like any other role.

2. Additional context or comments

  • Backend: a new TenantAccountRole.VIEWER, a view_permission_required decorator (allows owner/admin/editor/viewer) applied to the
    workflow & draft-variable GET endpoints, while all write/run endpoints stay guarded by edit_permission_required.
  • Frontend: an isCurrentWorkspaceViewer context flag and an isViewerReadOnly store flag that forces the canvas read-only and hides
    the run / preview / history / version-restore controls; viewer-aware redirection and navigation; a viewer option in member
    management.
  • i18n: members.viewer / members.viewerTip added across all supported locales.
  • This is scoped to workflow-style apps only; it intentionally does not expose the prompt configuration or logs pages to viewers.

3. Can you help us with this feature?

  • I am interested in contributing to this feature.
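
The backend split described in the issue, as an added sketch that is not part of the original issue and is not Dify's code. The role and decorator names come from the issue text; the handler names, the ENDPOINTS registry and the use of PermissionError in place of an HTTP 403 are assumptions made for illustration.

```python
from contextlib import suppress
from enum import Enum
from functools import wraps

# VIEWER is the proposed read-only role; the other four are named in the issue.
TenantAccountRole = Enum("TenantAccountRole", "OWNER ADMIN EDITOR NORMAL VIEWER")
Role = TenantAccountRole
EDIT_ROLES = frozenset({Role.OWNER, Role.ADMIN, Role.EDITOR})
VIEW_ROLES = EDIT_ROLES | {Role.VIEWER}
ENDPOINTS = {}  # hypothetical route table: handler name -> guarded handler

def _require(allowed):
    def decorator(fn):
        @wraps(fn)
        def guarded(role, *args, **kwargs):
            if role not in allowed:  # deny by default, including role=None
                raise PermissionError(f"{role} may not call {fn.__name__}")
            return fn(role, *args, **kwargs)
        ENDPOINTS[fn.__name__] = guarded
        return guarded
    return decorator

view_permission_required = _require(VIEW_ROLES)  # owner/admin/editor/viewer
edit_permission_required = _require(EDIT_ROLES)  # owner/admin/editor

# Hypothetical handlers. The guard follows the proposal, not the HTTP method:
# run history is a read, yet the proposal keeps it away from viewers.
@view_permission_required
def get_draft_workflow(role): return "graph"
@view_permission_required
def get_draft_variables(role): return "variables"
@edit_permission_required
def update_draft_workflow(role): return "saved"
@edit_permission_required
def run_draft_workflow(role): return "started"
@edit_permission_required
def list_workflow_runs(role): return "history"
@edit_permission_required
def restore_version(role): return "restored"

def allowed_endpoints(role):
    """Call every endpoint as `role`; return the names that did not raise."""
    ok = []
    for name, handler in ENDPOINTS.items():
        with suppress(PermissionError):
            handler(role)
            ok.append(name)
    return sorted(ok)
```

Running allowed_endpoints over every role gives a permission matrix that can be kept as a regression test, so a later endpoint that is switched to the view guard shows up as a diff.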
