Fixed bugs in memberships management

2024-04-20 18:12:04 +08:00
parent efd27aa7de
commit bf0d2e1c87
10 changed files with 2114 additions and 2255 deletions
--- a/packages/features/team-accounts/src/server/actions/team-members-server-actions.ts
+++ b/packages/features/team-accounts/src/server/actions/team-members-server-actions.ts
@@ -33,6 +33,9 @@ export async function removeMemberFromAccountAction(
    userId,
  });

+  // revalidate all pages that depend on the account
+  revalidatePath('/home/[account]', 'layout');
+
  return { success: true };
 }

@@ -44,12 +47,20 @@ export async function updateMemberRoleAction(
  await assertSession(client);

  const service = new AccountMembersService(client);
+  const adminClient = getSupabaseServerActionClient({ admin: true });

-  await service.updateMemberRole({
-    accountId: params.accountId,
-    userId: params.userId,
-    role: params.role,
-  });
+  // update the role of the member
+  await service.updateMemberRole(
+    {
+      accountId: params.accountId,
+      userId: params.userId,
+      role: params.role,
+    },
+    adminClient,
+  );
+
+  // revalidate all pages that depend on the account
+  revalidatePath('/home/[account]', 'layout');

  return { success: true };
 }
--- a/packages/features/team-accounts/src/server/services/account-members.service.ts
+++ b/packages/features/team-accounts/src/server/services/account-members.service.ts
@@ -59,7 +59,10 @@ export class AccountMembersService {
    return data;
  }

-  async updateMemberRole(params: z.infer<typeof UpdateMemberRoleSchema>) {
+  async updateMemberRole(
+    params: z.infer<typeof UpdateMemberRoleSchema>,
+    adminClient: SupabaseClient<Database>,
+  ) {
    const logger = await getLogger();

    const ctx = {
@@ -67,9 +70,33 @@ export class AccountMembersService {
      ...params,
    };

-    logger.info(ctx, `Updating member role...`);
+    logger.info(ctx, `Validating permissions to update member role...`);

-    const { data, error } = await this.client
+    const { data: canActionAccountMember, error: accountError } =
+      await this.client.rpc('can_action_account_member', {
+        user_id: params.userId,
+        target_team_account_id: params.accountId,
+      });
+
+    if (accountError ?? !canActionAccountMember) {
+      logger.error(
+        {
+          ...ctx,
+          accountError,
+        },
+        `Failed to validate permissions to update member role`,
+      );
+
+      throw new Error(`Failed to validate permissions to update member role`);
+    }
+
+    logger.info(ctx, `Permissions validated. Updating member role...`);
+
+    // we use the Admin client to update the role
+    // since we do not set any RLS policies on the accounts_memberships table
+    // for updating accounts_memberships. Instead, we use the can_action_account_member
+    // RPC to validate permissions to update the role
+    const { data, error } = await adminClient
      .from('accounts_memberships')
      .update({
        account_role: params.role,