From a80ae49a33f000b02e211f1555b0af195f7f7917 Mon Sep 17 00:00:00 2001
From: Owen
Date: Mon, 4 May 2026 14:54:20 -0700
Subject: [PATCH] Support multiple roles

---
 server/middlewares/verifyResourcePolicyAccess.ts | 12 +++++++-----
 .../private/routers/policy/createResourcePolicy.ts | 7 +++++--
 .../private/routers/policy/listResourcePolicies.ts | 2 +-
 server/routers/policy/updateResourcePolicy.ts | 2 +-
 server/routers/resource/createResource.ts | 4 ++--
 5 files changed, 16 insertions(+), 11 deletions(-)

diff --git a/server/middlewares/verifyResourcePolicyAccess.ts b/server/middlewares/verifyResourcePolicyAccess.ts
index 83eb69d7f..142468d15 100644
--- a/server/middlewares/verifyResourcePolicyAccess.ts
+++ b/server/middlewares/verifyResourcePolicyAccess.ts
@@ -5,6 +5,7 @@ import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 import { checkOrgAccessPolicy } from "#dynamic/lib/checkOrgAccessPolicy";
+import { getUserOrgRoleIds } from "@server/lib/userOrgRoles";
 
 export async function verifyResourcePolicyAccess(
     req: Request,
@@ -16,10 +17,8 @@ export async function verifyResourcePolicyAccess(
         req.params?.resourcePolicyId ||
         req.body?.resourcePolicyId ||
         req.query?.resourcePolicyId;
-    const niceId =
-        req.params?.niceId || req.body?.niceId || req.query?.niceId;
-    const orgId =
-        req.params?.orgId || req.body?.orgId || req.query?.orgId;
+    const niceId = req.params?.niceId || req.body?.niceId || req.query?.niceId;
+    const orgId = req.params?.orgId || req.body?.orgId || req.query?.orgId;
 
     try {
         if (!userId) {
@@ -110,7 +109,10 @@ export async function verifyResourcePolicyAccess(
             }
         }
 
-        req.userOrgRoleId = req.userOrg.roleId;
+        req.userOrgRoleIds = await getUserOrgRoleIds(
+            req.userOrg.userId,
+            orgId!
+        );
         req.userOrgId = policy.orgId;
 
         return next();
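Review bot: In the last hunk of verifyResourcePolicyAccess the role list is looked up with `orgId!`, the value taken from the request's params, body or query at the top of the function, while the very next line sets `req.userOrgId = policy.orgId`; unless the part of the function outside the hunk already checks that those two match, a caller could send an orgId that differs from the policy's org and have `req.userOrgRoleIds` populated from the wrong organisation, and the `!` also hides the case where no orgId was sent at all. Using the policy's own org removes both concerns: `req.userOrgRoleIds = await getUserOrgRoleIds(req.userOrg.userId, policy.orgId);`. Note also that this hunk drops the `req.userOrgRoleId` assignment entirely, so any handler outside the five files in this patch that still reads it will now see undefined. The function body continues outside the hunk.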
diff --git a/server/private/routers/policy/createResourcePolicy.ts b/server/private/routers/policy/createResourcePolicy.ts
index 1bbdfe153..48b336f1f 100644
--- a/server/private/routers/policy/createResourcePolicy.ts
+++ b/server/private/routers/policy/createResourcePolicy.ts
@@ -143,7 +143,7 @@ export async function createResourcePolicy(
     }
     const { orgId } = parsedParams.data;
 
-    if (req.user && !req.userOrgRoleId) {
+    if (req.user && req.userOrgRoleIds?.length === 0) {
         return next(
             createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
         );
@@ -304,7 +304,10 @@ export async function createResourcePolicy(
 
     const usersToAdd: InferInsertModel[] = [];
 
-    if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+    if (
+        req.user &&
+        !req.userOrgRoleIds?.includes(adminRole[0].roleId)
+    ) {
         // make sure the user can access the policy
         usersToAdd.push({
             userId: req.user?.userId!,
diff --git a/server/private/routers/policy/listResourcePolicies.ts b/server/private/routers/policy/listResourcePolicies.ts
index 58a83df04..5e6a4982c 100644
--- a/server/private/routers/policy/listResourcePolicies.ts
+++ b/server/private/routers/policy/listResourcePolicies.ts
@@ -145,7 +145,7 @@ export async function listResourcePolicies(
             .where(
                 or(
                     eq(userPolicies.userId, req.user!.userId),
-                    eq(rolePolicies.roleId, req.userOrgRoleId!)
+                    inArray(rolePolicies.roleId, req.userOrgRoleIds || [])
                 )
             );
         } else {
diff --git a/server/routers/policy/updateResourcePolicy.ts b/server/routers/policy/updateResourcePolicy.ts
index 77443e1a2..ad8b19639 100644
--- a/server/routers/policy/updateResourcePolicy.ts
+++ b/server/routers/policy/updateResourcePolicy.ts
@@ -54,7 +54,7 @@ export async function updateResourcePolicy(
         );
     }
 
-    if (req.user && !req.userOrgRoleId) {
+    if (req.user && req.userOrgRoleIds?.length === 0) {
         return next(
             createHttpError(HttpCode.FORBIDDEN, "User does not have a role")
         );
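Review bot: The rewritten guard in createResourcePolicy, `req.userOrgRoleIds?.length === 0`, is weaker than the `!req.userOrgRoleId` it replaces: when `userOrgRoleIds` is undefined (the middleware that assigns it did not run on this route, or the property was never set) the optional chain yields undefined, the comparison is false, and the request proceeds instead of being rejected with FORBIDDEN. The same inverted default appears in the updateResourcePolicy hunk further down in this file section. Both should fail closed, as the old check did: `if (req.user && !req.userOrgRoleIds?.length) {`. Both enclosing functions begin and end outside their hunks.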
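Review bot: `inArray(rolePolicies.roleId, req.userOrgRoleIds || [])` in listResourcePolicies can receive an empty array when the user holds no roles, and depending on the drizzle-orm version in use an empty `inArray` either throws at query time or compiles to a constant-false predicate, so the result for a role-less user is left to the library rather than pinned by this code. A small guard before the query, e.g. `const roleIds = req.userOrgRoleIds ?? [];` and adding the `inArray` branch to `or(...)` only when `roleIds.length > 0`, makes the intended behaviour explicit. Since this hunk changes no import line, `inArray` is presumably already imported in this file; worth confirming, as the diffstat shows only the one changed line. The enclosing function begins and ends outside the hunk.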
diff --git a/server/routers/resource/createResource.ts b/server/routers/resource/createResource.ts
index b14da3743..a0258c751 100644
--- a/server/routers/resource/createResource.ts
+++ b/server/routers/resource/createResource.ts
@@ -353,7 +353,7 @@ async function createHttpResource(
         });
 
         // make this policy visible by the current user
-        if (req.user && req.userOrgRoleId !== adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             await trx.insert(userPolicies).values({
                 userId: req.user?.userId!,
                 resourcePolicyId: defaultPolicy.resourcePolicyId
@@ -479,7 +479,7 @@ async function createRawResource(
         });
 
         // make this policy visible by the current user
-        if (req.user && req.userOrgRoleId != adminRole[0].roleId) {
+        if (req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)) {
             await trx.insert(userPolicies).values({
                 userId: req.user?.userId!,
                 resourcePolicyId: defaultPolicy.resourcePolicyId
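Review bot: The admin-membership test in createHttpResource, `req.user && !req.userOrgRoleIds?.includes(adminRole[0].roleId)`, is repeated verbatim in the createRawResource hunk below and a third time in createResourcePolicy in this same patch; a single helper, e.g. `const hasRole = (roleId) => req.userOrgRoleIds?.includes(roleId) ?? false;` with the parameter typed to match `adminRole[0].roleId`, would give the check one definition and one place to state that an undefined `userOrgRoleIds` counts as "not an admin", which is currently implicit in `!undefined`. The existing `// make this policy visible by the current user` comment would also read better if it said why the insert is conditional, e.g. `// admins see every policy through their role; everyone else needs a direct user grant` — only if that matches how role policies are actually resolved elsewhere. Both enclosing functions begin and end outside their hunks.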