Allow everyone to create Orgs

src/Share/Web/Authorization.hs

@@ -667,6 +667,10 @@ assertUserHasProjectPermission rolePermission mayReqUserId projId = do
   guardM $ PG.runTransaction $ do
     Q.userHasProjectPermission mayReqUserId projId rolePermission
 
+assertUserIsSuperadmin :: UserId -> MaybeT WebApp ()
+assertUserIsSuperadmin userId = do
+  guardM . lift . PG.runTransaction $ Q.isSuperadmin userId
+
 maybePermissionFailure :: WrapperPermissions -> MaybeT WebApp a -> WebApp (Either AuthZFailure a)
 maybePermissionFailure perm m = do
   runMaybeT m >>= \case
@@ -687,9 +691,11 @@ checkUserIsOrgMember reqUserId orgUserId = do
     PG.runTransaction $
       Q.isOrgMember reqUserId orgUserId
 
-checkCreateOrg :: UserId -> UserId -> WebApp (Either AuthZFailure AuthZ.AuthZReceipt)
-checkCreateOrg reqUserId ownerUserId = maybePermissionFailure (OrgPermission (OrgCreate ownerUserId)) $ do
-  guardM . PG.runTransaction $ Q.isSuperadmin reqUserId
+checkCreateOrg :: UserId -> UserId -> Bool -> WebApp (Either AuthZFailure AuthZ.AuthZReceipt)
+checkCreateOrg reqUserId ownerUserId isCommercial = maybePermissionFailure (OrgPermission (OrgCreate ownerUserId)) $ do
+  if isCommercial
+    then assertUserIsSuperadmin reqUserId
+    else assertUserIsSuperadmin reqUserId <|> assertUsersEqual reqUserId ownerUserId
   pure $ AuthZ.UnsafeAuthZReceipt Nothing
 
 checkReadOrgRolesList :: UserId -> OrgId -> WebApp (Either AuthZFailure AuthZ.AuthZReceipt)

src/Share/Web/Share/Orgs/Impl.hs

@@ -61,7 +61,7 @@ server =
 orgCreateEndpoint :: UserId -> CreateOrgRequest -> WebApp OrgDisplayInfo
 orgCreateEndpoint callerUserId (CreateOrgRequest {name, handle, avatarUrl, email, owner = ownerHandle, isCommercial}) = do
   User {user_id = ownerUserId} <- PG.runTransaction (UserQ.userByHandle ownerHandle) `whenNothingM` respondError (EntityMissing (ErrorID "missing-user") "Owner not found")
-  authZReceipt <- AuthZ.permissionGuard $ AuthZ.checkCreateOrg callerUserId ownerUserId
+  authZReceipt <- AuthZ.permissionGuard $ AuthZ.checkCreateOrg callerUserId ownerUserId isCommercial
   orgId <- PG.runTransactionOrRespondError $ OrgOps.createOrg authZReceipt name handle email avatarUrl ownerUserId callerUserId isCommercial
   PG.runTransaction $ OrgQ.orgDisplayInfoOf id orgId
 

transcripts/share-apis/orgs/org-create-non-commercial-non-admin.json

@@ -0,0 +1,17 @@
+{
+  "body": {
+    "isCommercial": false,
+    "orgId": "ORG-<UUID>",
+    "user": {
+      "avatarUrl": "https://example.com/staples.png",
+      "handle": "orgco",
+      "name": "OrgCo",
+      "userId": "U-<UUID>"
+    }
+  },
+  "status": [
+    {
+      "status_code": 200
+    }
+  ]
+}

transcripts/share-apis/orgs/run.zsh

@@ -10,7 +10,7 @@ new_member="$(create_user newuser)"
 # Org creation workflow
 
 # Should fail
-fetch "$unauthorized_user" POST org-create-unauthorized '/orgs' '{
+fetch "$unauthorized_user" POST org-create-unauthorized-commercial '/orgs' '{
   "name": "ACME",
   "handle": "acme",
   "avatarUrl": "https://example.com/anvil.png",
@@ -19,6 +19,16 @@ fetch "$unauthorized_user" POST org-create-unauthorized '/orgs' '{
   "isCommercial": true
 }'
 
+# Should succeed, regular users can create non-commercial orgs
+fetch "$unauthorized_user" POST org-create-non-commercial-non-admin '/orgs' '{
+  "name": "OrgCo",
+  "handle": "orgco",
+  "avatarUrl": "https://example.com/staples.png",
+  "owner": "unauthorized",
+  "email": "[email protected]",
+  "isCommercial": false
+}'
+
 # Admin can create an org and assign any owner.
 fetch "$admin_user" POST org-create-by-admin-non-commercial '/orgs' '{
   "name": "Noncom",