address more comments

Author: icecrasher321

apps/sim/app/api/organizations/[id]/invitations/route.ts

@@ -94,9 +94,10 @@ export const POST = withRouteHandler(
         return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
       }
 
-      await validateInvitationsAllowed(session.user.id)
-
       const { id: organizationId } = await params
+
+      await validateInvitationsAllowed(session.user.id, { organizationId })
+
       const url = new URL(request.url)
       const validateOnly = url.searchParams.get('validate') === 'true'
       const isBatch = url.searchParams.get('batch') === 'true'

apps/sim/app/api/organizations/[id]/members/route.ts

@@ -165,9 +165,10 @@ export const POST = withRouteHandler(
         return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
       }
 
-      await validateInvitationsAllowed(session.user.id)
-
       const { id: organizationId } = await params
+
+      await validateInvitationsAllowed(session.user.id, { organizationId })
+
       const { email, role = 'member' } = await request.json()
 
       if (!email) {

…ission-groups/[id]/members/bulk/route.ts …n-groups/[groupId]/members/bulk/route.tsapps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/bulk/route.ts renamed to apps/sim/app/api/workspaces/[id]/permission-groups/[groupId]/members/bulk/route.ts apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/bulk/route.ts renamed to apps/sim/app/api/workspaces/[id]/permission-groups/[groupId]/members/bulk/route.ts

@@ -35,16 +35,13 @@ const bulkAddSchema = z.object({
 })
 
 export const POST = withRouteHandler(
-  async (
-    req: NextRequest,
-    { params }: { params: Promise<{ workspaceId: string; id: string }> }
-  ) => {
+  async (req: NextRequest, { params }: { params: Promise<{ id: string; groupId: string }> }) => {
     const session = await getSession()
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceId, id } = await params
+    const { id: workspaceId, groupId: id } = await params
 
     try {
       const isWorkspaceAdmin = await hasWorkspaceAdminAccess(session.user.id, workspaceId)

…/permission-groups/[id]/members/route.ts …ission-groups/[groupId]/members/route.tsapps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/route.ts renamed to apps/sim/app/api/workspaces/[id]/permission-groups/[groupId]/members/route.ts apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/members/route.ts renamed to apps/sim/app/api/workspaces/[id]/permission-groups/[groupId]/members/route.ts

@@ -30,16 +30,13 @@ async function loadGroupInWorkspace(groupId: string, workspaceId: string) {
 }
 
 export const GET = withRouteHandler(
-  async (
-    _req: NextRequest,
-    { params }: { params: Promise<{ workspaceId: string; id: string }> }
-  ) => {
+  async (_req: NextRequest, { params }: { params: Promise<{ id: string; groupId: string }> }) => {
     const session = await getSession()
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceId, id } = await params
+    const { id: workspaceId, groupId: id } = await params
 
     const access = await checkWorkspaceAccess(workspaceId, session.user.id)
     if (!access.exists) {
@@ -84,16 +81,13 @@ const addMemberSchema = z.object({
 })
 
 export const POST = withRouteHandler(
-  async (
-    req: NextRequest,
-    { params }: { params: Promise<{ workspaceId: string; id: string }> }
-  ) => {
+  async (req: NextRequest, { params }: { params: Promise<{ id: string; groupId: string }> }) => {
     const session = await getSession()
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceId, id } = await params
+    const { id: workspaceId, groupId: id } = await params
 
     try {
       const isWorkspaceAdmin = await hasWorkspaceAdminAccess(session.user.id, workspaceId)
@@ -242,16 +236,13 @@ export const POST = withRouteHandler(
 )
 
 export const DELETE = withRouteHandler(
-  async (
-    req: NextRequest,
-    { params }: { params: Promise<{ workspaceId: string; id: string }> }
-  ) => {
+  async (req: NextRequest, { params }: { params: Promise<{ id: string; groupId: string }> }) => {
     const session = await getSession()
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceId, id } = await params
+    const { id: workspaceId, groupId: id } = await params
     const { searchParams } = new URL(req.url)
     const memberId = searchParams.get('memberId')
 

…spaceId]/permission-groups/[id]/route.ts …id]/permission-groups/[groupId]/route.tsapps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/route.ts renamed to apps/sim/app/api/workspaces/[id]/permission-groups/[groupId]/route.ts apps/sim/app/api/workspaces/[workspaceId]/permission-groups/[id]/route.ts renamed to apps/sim/app/api/workspaces/[id]/permission-groups/[groupId]/route.ts

@@ -45,16 +45,13 @@ async function loadGroupInWorkspace(groupId: string, workspaceId: string) {
 }
 
 export const GET = withRouteHandler(
-  async (
-    _req: NextRequest,
-    { params }: { params: Promise<{ workspaceId: string; id: string }> }
-  ) => {
+  async (_req: NextRequest, { params }: { params: Promise<{ id: string; groupId: string }> }) => {
     const session = await getSession()
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceId, id } = await params
+    const { id: workspaceId, groupId: id } = await params
 
     const access = await checkWorkspaceAccess(workspaceId, session.user.id)
     if (!access.exists) {
@@ -88,16 +85,13 @@ export const GET = withRouteHandler(
 )
 
 export const PUT = withRouteHandler(
-  async (
-    req: NextRequest,
-    { params }: { params: Promise<{ workspaceId: string; id: string }> }
-  ) => {
+  async (req: NextRequest, { params }: { params: Promise<{ id: string; groupId: string }> }) => {
     const session = await getSession()
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceId, id } = await params
+    const { id: workspaceId, groupId: id } = await params
 
     try {
       const isWorkspaceAdmin = await hasWorkspaceAdminAccess(session.user.id, workspaceId)
@@ -217,16 +211,13 @@ export const PUT = withRouteHandler(
 )
 
 export const DELETE = withRouteHandler(
-  async (
-    req: NextRequest,
-    { params }: { params: Promise<{ workspaceId: string; id: string }> }
-  ) => {
+  async (req: NextRequest, { params }: { params: Promise<{ id: string; groupId: string }> }) => {
     const session = await getSession()
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceId, id } = await params
+    const { id: workspaceId, groupId: id } = await params
 
     try {
       const isWorkspaceAdmin = await hasWorkspaceAdminAccess(session.user.id, workspaceId)

…[workspaceId]/permission-groups/route.ts …rkspaces/[id]/permission-groups/route.tsapps/sim/app/api/workspaces/[workspaceId]/permission-groups/route.ts renamed to apps/sim/app/api/workspaces/[id]/permission-groups/route.ts apps/sim/app/api/workspaces/[workspaceId]/permission-groups/route.ts renamed to apps/sim/app/api/workspaces/[id]/permission-groups/route.ts

@@ -27,13 +27,13 @@ const createSchema = z.object({
 })
 
 export const GET = withRouteHandler(
-  async (_req: NextRequest, { params }: { params: Promise<{ workspaceId: string }> }) => {
+  async (_req: NextRequest, { params }: { params: Promise<{ id: string }> }) => {
     const session = await getSession()
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceId } = await params
+    const { id: workspaceId } = await params
 
     const access = await checkWorkspaceAccess(workspaceId, session.user.id)
     if (!access.exists) {
@@ -89,13 +89,13 @@ export const GET = withRouteHandler(
 )
 
 export const POST = withRouteHandler(
-  async (req: NextRequest, { params }: { params: Promise<{ workspaceId: string }> }) => {
+  async (req: NextRequest, { params }: { params: Promise<{ id: string }> }) => {
     const session = await getSession()
     if (!session?.user?.id) {
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
-    const { workspaceId } = await params
+    const { id: workspaceId } = await params
 
     try {
       const isWorkspaceAdmin = await hasWorkspaceAdminAccess(session.user.id, workspaceId)

apps/sim/ee/access-control/utils/permission-check.ts

@@ -1,7 +1,7 @@
 import { db } from '@sim/db'
-import { permissionGroup, permissionGroupMember } from '@sim/db/schema'
+import { permissionGroup, permissionGroupMember, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, asc, eq } from 'drizzle-orm'
+import { and, asc, eq, sql } from 'drizzle-orm'
 import { isWorkspaceOnEnterprisePlan } from '@/lib/billing'
 import {
   getAllowedIntegrationsFromEnv,
@@ -296,32 +296,63 @@ export async function validateSkillsAllowed(
 }
 
 /**
- * Validates if the user is allowed to send invitations for the given workspace.
- * Also checks the global feature flag. When `workspaceId` is omitted only the
- * feature-flag check runs (no permission-group gate).
+ * Validates if the user is allowed to send invitations. Pass one of:
+ *  - `workspaceId` — workspace-scoped invite: block when the user's group in that workspace has
+ *    `disableInvitations`.
+ *  - `organizationId` — organization-level invite (no specific workspace target): block when the
+ *    user has `disableInvitations` set on their group in any organization-owned workspace. This
+ *    mirrors the pre-refactor behavior where `disableInvitations` was an organization-level
+ *    policy.
+ *  - neither — only the global feature flag is checked.
  */
 export async function validateInvitationsAllowed(
   userId: string | undefined,
-  workspaceId?: string
+  scope: string | { workspaceId?: string; organizationId?: string } = {}
 ): Promise<void> {
   if (isInvitationsDisabled) {
     logger.warn('Invitations blocked by feature flag')
     throw new InvitationsNotAllowedError()
   }
 
-  if (!userId || !workspaceId) {
+  if (!userId) {
     return
   }
 
-  const config = await getUserPermissionConfig(userId, workspaceId)
+  const { workspaceId, organizationId } =
+    typeof scope === 'string' ? { workspaceId: scope, organizationId: undefined } : scope
 
-  if (!config) {
+  if (workspaceId) {
+    const config = await getUserPermissionConfig(userId, workspaceId)
+    if (config?.disableInvitations) {
+      logger.warn('Invitations blocked by permission group', { userId, workspaceId })
+      throw new InvitationsNotAllowedError()
+    }
     return
   }
 
-  if (config.disableInvitations) {
-    logger.warn('Invitations blocked by permission group', { userId, workspaceId })
-    throw new InvitationsNotAllowedError()
+  if (organizationId) {
+    const [row] = await db
+      .select({ id: permissionGroup.id })
+      .from(permissionGroupMember)
+      .innerJoin(permissionGroup, eq(permissionGroupMember.permissionGroupId, permissionGroup.id))
+      .innerJoin(workspace, eq(permissionGroup.workspaceId, workspace.id))
+      .where(
+        and(
+          eq(permissionGroupMember.userId, userId),
+          eq(workspace.organizationId, organizationId),
+          sql`${permissionGroup.config} @> '{"disableInvitations": true}'::jsonb`
+        )
+      )
+      .limit(1)
+
+    if (row) {
+      logger.warn('Invitations blocked by permission group (organization-wide)', {
+        userId,
+        organizationId,
+        permissionGroupId: row.id,
+      })
+      throw new InvitationsNotAllowedError()
+    }
   }
 }