support multi role on create user and invites

2026-03-30 22:46:40 +00:00 · 2026-03-29 12:11:22 -07:00
parent ee6fb34906
commit 2828dee94c
16 changed files with 629 additions and 416 deletions
--- a/server/routers/user/createOrgUser.ts
+++ b/server/routers/user/createOrgUser.ts
@@ -6,8 +6,8 @@ import createHttpError from "http-errors";
 import logger from "@server/logger";
 import { fromError } from "zod-validation-error";
 import { OpenAPITags, registry } from "@server/openApi";
-import { db, orgs, UserOrg } from "@server/db";
-import { and, eq, inArray, ne } from "drizzle-orm";
+import { db, orgs } from "@server/db";
+import { and, eq, inArray } from "drizzle-orm";
 import { idp, idpOidcConfig, roles, userOrgs, users } from "@server/db";
 import { generateId } from "@server/auth/sessions/app";
 import { usageService } from "@server/lib/billing/usageService";
@@ -15,21 +15,43 @@ import { FeatureId } from "@server/lib/billing";
 import { build } from "@server/build";
 import { calculateUserClientsForOrgs } from "@server/lib/calculateUserClientsForOrgs";
 import { isSubscribed } from "#dynamic/lib/isSubscribed";
-import { tierMatrix } from "@server/lib/billing/tierMatrix";
+import { TierFeature, tierMatrix } from "@server/lib/billing/tierMatrix";
 import { assignUserToOrg } from "@server/lib/userOrg";
+import { isLicensedOrSubscribed } from "#dynamic/lib/isLicencedOrSubscribed";

 const paramsSchema = z.strictObject({
    orgId: z.string().nonempty()
 });

-const bodySchema = z.strictObject({
-    email: z.string().email().toLowerCase().optional(),
-    username: z.string().nonempty().toLowerCase(),
-    name: z.string().optional(),
-    type: z.enum(["internal", "oidc"]).optional(),
-    idpId: z.number().optional(),
-    roleId: z.number()
-});
+const bodySchema = z
+    .strictObject({
+        email: z.string().email().toLowerCase().optional(),
+        username: z.string().nonempty().toLowerCase(),
+        name: z.string().optional(),
+        type: z.enum(["internal", "oidc"]).optional(),
+        idpId: z.number().optional(),
+        roleIds: z.array(z.number().int().positive()).min(1).optional(),
+        roleId: z.number().int().positive().optional()
+    })
+    .refine(
+        (d) =>
+            (d.roleIds != null && d.roleIds.length > 0) || d.roleId != null,
+        { message: "roleIds or roleId is required", path: ["roleIds"] }
+    )
+    .transform((data) => ({
+        email: data.email,
+        username: data.username,
+        name: data.name,
+        type: data.type,
+        idpId: data.idpId,
+        roleIds: [
+            ...new Set(
+                data.roleIds && data.roleIds.length > 0
+                    ? data.roleIds
+                    : [data.roleId!]
+            )
+        ]
+    }));

 export type CreateOrgUserResponse = {};

@@ -78,7 +100,8 @@ export async function createOrgUser(
        }

        const { orgId } = parsedParams.data;
-        const { username, email, name, type, idpId, roleId } = parsedBody.data;
+        const { username, email, name, type, idpId, roleIds: uniqueRoleIds } =
+            parsedBody.data;

        if (build == "saas") {
            const usage = await usageService.getUsage(orgId, FeatureId.USERS);
@@ -109,17 +132,6 @@ export async function createOrgUser(
            }
        }

-        const [role] = await db
-            .select()
-            .from(roles)
-            .where(eq(roles.roleId, roleId));
-
-        if (!role) {
-            return next(
-                createHttpError(HttpCode.BAD_REQUEST, "Role ID not found")
-            );
-        }
-
        if (type === "internal") {
            return next(
                createHttpError(
@@ -152,6 +164,38 @@ export async function createOrgUser(
                );
            }

+            const supportsMultiRole = await isLicensedOrSubscribed(
+                orgId,
+                tierMatrix[TierFeature.FullRbac]
+            );
+            if (!supportsMultiRole && uniqueRoleIds.length > 1) {
+                return next(
+                    createHttpError(
+                        HttpCode.FORBIDDEN,
+                        "Multiple roles per user require a subscription or license that includes full RBAC."
+                    )
+                );
+            }
+
+            const orgRoles = await db
+                .select({ roleId: roles.roleId })
+                .from(roles)
+                .where(
+                    and(
+                        eq(roles.orgId, orgId),
+                        inArray(roles.roleId, uniqueRoleIds)
+                    )
+                );
+
+            if (orgRoles.length !== uniqueRoleIds.length) {
+                return next(
+                    createHttpError(
+                        HttpCode.BAD_REQUEST,
+                        "Invalid role ID or role does not belong to this organization"
+                    )
+                );
+            }
+
            const [org] = await db
                .select()
                .from(orgs)
@@ -228,7 +272,7 @@ export async function createOrgUser(
                            userId: existingUser.userId,
                            autoProvisioned: false,
                        },
-                        role.roleId,
+                        uniqueRoleIds,
                        trx
                    );
                } else {
@@ -255,7 +299,7 @@ export async function createOrgUser(
                                userId: newUser.userId,
                                autoProvisioned: false,
                            },
-                            role.roleId,
+                            uniqueRoleIds,
                            trx
                        );
                }