code cleanup

Author: icecrasher321

apps/sim/app/api/invitations/[id]/resend/route.ts

@@ -5,9 +5,17 @@ import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { AuditAction, AuditResourceType, recordAudit } from '@/lib/audit/log'
 import { getSession } from '@/lib/auth'
+import { getOrganizationSubscription } from '@/lib/billing/core/billing'
+import { isEnterprise, isTeam } from '@/lib/billing/plan-helpers'
+import { hasUsableSubscriptionStatus } from '@/lib/billing/subscriptions/utils'
 import { getInvitationById } from '@/lib/invitations/core'
-import { resendInvitationEmail, sendInvitationEmail } from '@/lib/invitations/send'
-import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
+import {
+  persistInvitationResend,
+  prepareInvitationResend,
+  sendInvitationEmail,
+} from '@/lib/invitations/send'
+import { getWorkspaceWithOwner, hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
+import { getWorkspaceInvitePolicy } from '@/lib/workspaces/policy'
 
 const logger = createLogger('InvitationResendAPI')
 
@@ -54,7 +62,48 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       )
     }
 
-    const { token } = await resendInvitationEmail({ invitationId: id, rotateToken: true })
+    for (const grant of inv.grants) {
+      const workspaceDetails = await getWorkspaceWithOwner(grant.workspaceId)
+      if (!workspaceDetails) {
+        return NextResponse.json(
+          { error: 'Invitation references a workspace that no longer exists' },
+          { status: 409 }
+        )
+      }
+      const policy = await getWorkspaceInvitePolicy(workspaceDetails)
+      if (!policy.allowed) {
+        return NextResponse.json(
+          {
+            error: policy.reason ?? 'Invites are no longer allowed on this workspace',
+            upgradeRequired: policy.upgradeRequired,
+          },
+          { status: 403 }
+        )
+      }
+    }
+
+    if (inv.kind === 'organization' && inv.grants.length === 0 && inv.organizationId) {
+      const orgSubscription = await getOrganizationSubscription(inv.organizationId)
+      const orgOnTeamOrEnterprise =
+        !!orgSubscription &&
+        hasUsableSubscriptionStatus(orgSubscription.status) &&
+        (isTeam(orgSubscription.plan) || isEnterprise(orgSubscription.plan))
+      if (!orgOnTeamOrEnterprise) {
+        return NextResponse.json(
+          {
+            error: 'Invites are no longer allowed on this organization',
+            upgradeRequired: true,
+          },
+          { status: 403 }
+        )
+      }
+    }
+
+    const { tokenForEmail, nextToken, nextExpiresAt } = await prepareInvitationResend({
+      invitationId: id,
+      rotateToken: true,
+      currentToken: inv.token,
+    })
 
     const [inviterRow] = await db
       .select({ name: user.name, email: user.email })
@@ -64,7 +113,7 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
 
     const emailResult = await sendInvitationEmail({
       invitationId: inv.id,
-      token,
+      token: tokenForEmail,
       kind: inv.kind,
       email: inv.email,
       inviterName: inviterRow?.name || inviterRow?.email || 'A user',
@@ -83,6 +132,8 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       )
     }
 
+    await persistInvitationResend({ invitationId: id, nextToken, nextExpiresAt })
+
     recordAudit({
       workspaceId: inv.grants[0]?.workspaceId ?? null,
       actorId: session.user.id,

apps/sim/app/api/organizations/[id]/members/[memberId]/route.ts

@@ -193,22 +193,29 @@ export async function PUT(
       return NextResponse.json({ error: 'Cannot change owner role' }, { status: 400 })
     }
 
-    if (role === 'admin' && userMember[0].role !== 'owner') {
+    if (role === 'owner' && userMember[0].role !== 'owner') {
       return NextResponse.json(
-        { error: 'Only owners can promote members to admin' },
+        { error: 'Only the current owner can transfer ownership' },
         { status: 403 }
       )
     }
 
-    if (targetMember[0].role === 'admin' && userMember[0].role !== 'owner') {
-      return NextResponse.json({ error: 'Only owners can change admin roles' }, { status: 403 })
-    }
+    const isOwnershipTransfer = role === 'owner'
 
-    const updatedMember = await db
-      .update(member)
-      .set({ role })
-      .where(and(eq(member.organizationId, organizationId), eq(member.userId, memberId)))
-      .returning()
+    const updatedMember = await db.transaction(async (tx) => {
+      if (isOwnershipTransfer) {
+        await tx
+          .update(member)
+          .set({ role: 'admin' })
+          .where(and(eq(member.organizationId, organizationId), eq(member.role, 'owner')))
+      }
+
+      return tx
+        .update(member)
+        .set({ role })
+        .where(and(eq(member.organizationId, organizationId), eq(member.userId, memberId)))
+        .returning()
+    })
 
     if (updatedMember.length === 0) {
       return NextResponse.json({ error: 'Failed to update member role' }, { status: 500 })

apps/sim/app/api/organizations/[id]/members/route.ts

@@ -19,6 +19,10 @@ import {
   sendInvitationEmail,
 } from '@/lib/invitations/send'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
+import {
+  InvitationsNotAllowedError,
+  validateInvitationsAllowed,
+} from '@/ee/access-control/utils/permission-check'
 
 const logger = createLogger('OrganizationMembersAPI')
 
@@ -157,10 +161,11 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
+    await validateInvitationsAllowed(session.user.id)
+
     const { id: organizationId } = await params
     const { email, role = 'member' } = await request.json()
 
-    // Validate input
     if (!email) {
       return NextResponse.json({ error: 'Email is required' }, { status: 400 })
     }
@@ -323,6 +328,9 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       },
     })
   } catch (error) {
+    if (error instanceof InvitationsNotAllowedError) {
+      return NextResponse.json({ error: error.message }, { status: 403 })
+    }
     logger.error('Failed to invite organization member', {
       organizationId: (await params).id,
       error,

apps/sim/app/api/organizations/[id]/roster/route.ts

@@ -8,9 +8,10 @@ import {
   workspace,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq, inArray } from 'drizzle-orm'
+import { and, eq, inArray, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
+import { expireStalePendingInvitationsForOrganization } from '@/lib/invitations/core'
 
 const logger = createLogger('OrganizationRosterAPI')
 
@@ -42,6 +43,15 @@ export async function GET(_request: NextRequest, { params }: { params: Promise<{
       )
     }
 
+    if (callerMembership.role !== 'owner' && callerMembership.role !== 'admin') {
+      return NextResponse.json(
+        { error: 'Forbidden - Organization admin access required' },
+        { status: 403 }
+      )
+    }
+
+    await expireStalePendingInvitationsForOrganization(organizationId)
+
     const orgWorkspaces = await db
       .select({ id: workspace.id, name: workspace.name })
       .from(workspace)
@@ -118,7 +128,7 @@ export async function GET(_request: NextRequest, { params }: { params: Promise<{
         inviteeImage: user.image,
       })
       .from(invitation)
-      .leftJoin(user, eq(user.email, invitation.email))
+      .leftJoin(user, sql`lower(${user.email}) = lower(${invitation.email})`)
       .where(and(eq(invitation.organizationId, organizationId), eq(invitation.status, 'pending')))
 
     const pendingInvitationIds = pendingInvitationRows.map((row) => row.id)

apps/sim/app/api/workspaces/invitations/route.test.ts

@@ -7,6 +7,7 @@ import { beforeEach, describe, expect, it, vi } from 'vitest'
 const {
   mockGetSession,
   mockGetWorkspaceWithOwner,
+  mockGetWorkspaceInvitePolicy,
   mockValidateInvitationsAllowed,
   mockValidateSeatAvailability,
   mockGetUserOrganization,
@@ -19,6 +20,7 @@ const {
 } = vi.hoisted(() => ({
   mockGetSession: vi.fn(),
   mockGetWorkspaceWithOwner: vi.fn(),
+  mockGetWorkspaceInvitePolicy: vi.fn(),
   mockValidateInvitationsAllowed: vi.fn().mockResolvedValue(undefined),
   mockValidateSeatAvailability: vi.fn(),
   mockGetUserOrganization: vi.fn(),
@@ -66,6 +68,14 @@ vi.mock('drizzle-orm', () => ({
   eq: vi.fn((field: unknown, value: unknown) => ({ type: 'eq', field, value })),
   inArray: vi.fn((field: unknown, values: unknown[]) => ({ type: 'inArray', field, values })),
   isNull: vi.fn((field: unknown) => ({ type: 'isNull', field })),
+  sql: Object.assign(
+    vi.fn((strings: TemplateStringsArray, ...values: unknown[]) => ({
+      type: 'sql',
+      strings,
+      values,
+    })),
+    { raw: vi.fn((value: unknown) => ({ type: 'sql.raw', value })) }
+  ),
 }))
 
 vi.mock('@sim/logger', () => ({
@@ -81,10 +91,7 @@ vi.mock('@/lib/workspaces/permissions/utils', () => ({
 }))
 
 vi.mock('@/lib/workspaces/policy', () => ({
-  canWorkspaceInviteMembers: (ws: { workspaceMode?: string | null }) =>
-    ws.workspaceMode !== 'personal',
-  getWorkspaceInviteDisabledReason: () =>
-    'Member invites are only available for organization-owned or grandfathered shared workspaces.',
+  getWorkspaceInvitePolicy: mockGetWorkspaceInvitePolicy,
   isOrganizationWorkspace: (ws: {
     workspaceMode?: string | null
     organizationId?: string | null
@@ -146,6 +153,13 @@ describe('POST /api/workspaces/invitations', () => {
       billedAccountUserId: 'user-1',
     })
     mockValidateInvitationsAllowed.mockResolvedValue(undefined)
+    mockGetWorkspaceInvitePolicy.mockResolvedValue({
+      allowed: true,
+      reason: null,
+      requiresSeat: false,
+      organizationId: null,
+      upgradeRequired: false,
+    })
     mockValidateSeatAvailability.mockResolvedValue({
       canInvite: true,
       currentSeats: 1,
@@ -162,7 +176,7 @@ describe('POST /api/workspaces/invitations', () => {
     mockFindPendingGrantForWorkspaceEmail.mockResolvedValue(null)
   })
 
-  it('blocks invites for personal workspaces', async () => {
+  it('blocks invites for personal workspaces with an upgrade prompt', async () => {
     mockGetWorkspaceWithOwner.mockResolvedValueOnce({
       id: 'workspace-1',
       name: 'Personal Workspace',
@@ -171,6 +185,13 @@ describe('POST /api/workspaces/invitations', () => {
       workspaceMode: 'personal',
       billedAccountUserId: 'user-1',
     })
+    mockGetWorkspaceInvitePolicy.mockResolvedValueOnce({
+      allowed: false,
+      reason: 'Upgrade to invite more members',
+      requiresSeat: false,
+      organizationId: null,
+      upgradeRequired: true,
+    })
     mockDbResults.value = [[{ permissionType: 'admin' }]]
 
     const request = createMockRequest('POST', {
@@ -182,8 +203,41 @@ describe('POST /api/workspaces/invitations', () => {
     const response = await POST(request)
     const data = await response.json()
 
-    expect(response.status).toBe(400)
-    expect(data.error).toContain('Member invites are only available')
+    expect(response.status).toBe(403)
+    expect(data.error).toBe('Upgrade to invite more members')
+    expect(data.upgradeRequired).toBe(true)
+  })
+
+  it('blocks invites for grandfathered workspaces without a team plan', async () => {
+    mockGetWorkspaceWithOwner.mockResolvedValueOnce({
+      id: 'workspace-1',
+      name: 'Grandfathered Workspace',
+      ownerId: 'user-1',
+      organizationId: null,
+      workspaceMode: 'grandfathered_shared',
+      billedAccountUserId: 'user-1',
+    })
+    mockGetWorkspaceInvitePolicy.mockResolvedValueOnce({
+      allowed: false,
+      reason: 'Upgrade to invite more members',
+      requiresSeat: false,
+      organizationId: null,
+      upgradeRequired: true,
+    })
+    mockDbResults.value = [[{ permissionType: 'admin' }]]
+
+    const request = createMockRequest('POST', {
+      workspaceId: 'workspace-1',
+      email: 'new@example.com',
+      permission: 'read',
+    })
+
+    const response = await POST(request)
+    const data = await response.json()
+
+    expect(response.status).toBe(403)
+    expect(data.upgradeRequired).toBe(true)
+    expect(mockCreatePendingInvitation).not.toHaveBeenCalled()
   })
 
   it('rejects org-owned invites when the organization has no available seats', async () => {
@@ -195,6 +249,13 @@ describe('POST /api/workspaces/invitations', () => {
       workspaceMode: 'organization',
       billedAccountUserId: 'owner-1',
     })
+    mockGetWorkspaceInvitePolicy.mockResolvedValueOnce({
+      allowed: true,
+      reason: null,
+      requiresSeat: true,
+      organizationId: 'org-1',
+      upgradeRequired: false,
+    })
     mockValidateSeatAvailability.mockResolvedValueOnce({
       canInvite: false,
       reason: 'No available seats. Currently using 5 of 5 seats.',
@@ -228,6 +289,13 @@ describe('POST /api/workspaces/invitations', () => {
       workspaceMode: 'organization',
       billedAccountUserId: 'owner-1',
     })
+    mockGetWorkspaceInvitePolicy.mockResolvedValueOnce({
+      allowed: true,
+      reason: null,
+      requiresSeat: true,
+      organizationId: 'org-1',
+      upgradeRequired: false,
+    })
     mockGetUserOrganization.mockResolvedValueOnce({
       organizationId: 'org-2',
       role: 'member',