
Conversation

@pedroccastro
Contributor

@pedroccastro pedroccastro commented Jan 17, 2026

What does this PR do?

Adds organization scope validation to the removeMember handler when PBAC is disabled. Org admin operations now verify that target teams belong to the admin's organization before proceeding.

Changes

Layer     | File(s)                      | Change
Interface | IRemoveMemberService.ts      | Add organizationId to context
Handler   | removeMember.handler.ts      | Pass organization context to service
Service   | LegacyRemoveMemberService.ts | Validate team ownership before granting permission
Tests     | removeMember.handler.test.ts | Update tests for new context fields

Technical Details

New validation in LegacyRemoveMemberService.checkRemovePermissions():

// Verify all target teams belong to admin's organization:
// a target is in scope if it is the organization itself (id === organizationId)
// or a team whose parent is that organization (parentId === organizationId).
const teams = await prisma.team.findMany({
  where: {
    id: { in: teamIds },
    OR: [{ id: organizationId }, { parentId: organizationId }],
  },
});
// Only rows in scope are returned; any requested id missing from the result is out of scope.

How should this be tested?

  1. As org admin, remove member from own team → should work
  2. As org admin, remove member from own org → should work
  3. As org admin, attempt to remove member from unrelated team → should return UNAUTHORIZED
  4. As non-admin with OWNER/ADMIN role, remove member → should work (existing flow)

Mandatory Tasks

  • I have self-reviewed the code.
  • N/A I have updated the developer docs in /docs if this PR makes changes that would require a documentation change
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

- Add organization scope validation to removeMember handler
- Ensure team operations are scoped to user's organization context
- Update related tests
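The following is an added example, not code from this PR or from the project, showing the organization-scope check described under "Technical Details" and exercised by the manual test plan under "How should this be tested?". It replaces `prisma.team.findMany` with an in-memory table so it runs offline; the team rows, `TeamRow`, `findTeamsInOrg`, `assertTeamsInOrg`, `isAllowed` and `UnauthorizedError` are all assumptions for this illustration. The point it makes beyond the snippet above: the query returns only the rows that are in scope, so the caller has to compare the result against the requested set. Checking merely that the query returned something would let a request that mixes one in-org team with one foreign team through.

```typescript
// Added example (not the project's code). Organization-scope check for
// removeMember when PBAC is disabled, over an in-memory stand-in for the
// `team` table. All names below are assumptions for this illustration.

type TeamRow = { id: number; parentId: number | null };

// Constructed sample data: org 1 owns teams 10 and 11, org 2 owns team 20,
// and team 30 is a standalone team with no parent organization.
const TEAMS: TeamRow[] = [
  { id: 1, parentId: null },
  { id: 10, parentId: 1 },
  { id: 11, parentId: 1 },
  { id: 2, parentId: null },
  { id: 20, parentId: 2 },
  { id: 30, parentId: null },
];

class UnauthorizedError extends Error {
  readonly code = "UNAUTHORIZED";
  constructor(message: string) {
    super(message);
    this.name = "UnauthorizedError";
  }
}

// Mirrors the where-clause of the PR's query:
//   id IN teamIds AND (id = organizationId OR parentId = organizationId)
// A row is in scope if it is the organization itself or a direct child team.
function findTeamsInOrg(
  teamIds: number[],
  organizationId: number,
  table: TeamRow[] = TEAMS
): TeamRow[] {
  const wanted = new Set(teamIds);
  return table.filter(
    (t) =>
      wanted.has(t.id) &&
      (t.id === organizationId || t.parentId === organizationId)
  );
}

// The query only returns matching rows, so compare against the requested set.
// Deduplicate first so `[10, 10]` is not miscounted as two distinct teams, and
// reject when any requested id is absent from the result.
function assertTeamsInOrg(
  teamIds: number[],
  organizationId: number,
  table: TeamRow[] = TEAMS
): void {
  const requested = Array.from(new Set(teamIds));
  const found = new Set(
    findTeamsInOrg(requested, organizationId, table).map((t) => t.id)
  );
  const missing = requested.filter((id) => !found.has(id));
  if (missing.length > 0) {
    throw new UnauthorizedError(
      `teams ${missing.join(",")} are not in organization ${organizationId}`
    );
  }
}

// Convenience wrapper used by the checks below: true when the admin may
// proceed, false when the scope check raises UNAUTHORIZED.
function isAllowed(teamIds: number[], organizationId: number): boolean {
  try {
    assertTeamsInOrg(teamIds, organizationId);
    return true;
  } catch (e) {
    if (e instanceof UnauthorizedError) return false;
    throw e;
  }
}

// The scenarios from the test plan, as org admin of organization 1.
console.log("own team      ", isAllowed([10], 1)); // true
console.log("own org       ", isAllowed([1], 1)); // true
console.log("unrelated team", isAllowed([20], 1)); // false
console.log("mixed set     ", isAllowed([10, 20], 1)); // false, the case a presence-only check misses
```

Note that an empty `teamIds` passes this check vacuously, since there is nothing out of scope; whether an empty target list is valid at all is for input validation earlier in the handler to decide.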
@github-actions
Contributor

github-actions bot commented Jan 17, 2026

E2E results are ready!

- Add organizationId to test contexts
- Add team.findMany mock for org validation
- Add test cases for org scope validation
@pull-request-size pull-request-size bot added size/L and removed size/M labels Jan 17, 2026