feat(organization): refine organization deletion logic with enhanced membership checks

- Added verification to ensure the user is a member of the organization before allowing deletion. - Implemented checks to confirm the user is either the organization owner or has the owner role. - Improved error handling to return a FORBIDDEN response if the user is not authorized to delete the organization.
2026-06-15 20:25:23 +02:00 · 2025-12-08 00:08:07 -06:00
parent c42e859215
commit 07bf520e9b
1 changed files with 22 additions and 7 deletions
--- a/apps/dokploy/server/api/routers/organization.ts
+++ b/apps/dokploy/server/api/routers/organization.ts
@@ -165,12 +165,7 @@ export const organizationRouter = createTRPCRouter({
 			}),
 		)
 		.mutation(async ({ ctx, input }) => {
-			if (ctx.user.role !== "owner" && ctx.user.role !== "admin" && !IS_CLOUD) {
-				throw new TRPCError({
-					code: "FORBIDDEN",
-					message: "Only the organization owner can delete it",
-				});
-			}
+			// First, verify the organization exists
 			const org = await db.query.organization.findFirst({
 				where: eq(organization.id, input.organizationId),
 			});
@@ -182,7 +177,27 @@ export const organizationRouter = createTRPCRouter({
 				});
 			}

-			if (org.ownerId !== ctx.user.id) {
+			// Verify user is a member of this organization
+			const userMember = await db.query.member.findFirst({
+				where: and(
+					eq(member.organizationId, input.organizationId),
+					eq(member.userId, ctx.user.id),
+				),
+			});
+
+			if (!userMember) {
+				throw new TRPCError({
+					code: "FORBIDDEN",
+					message: "You are not a member of this organization",
+				});
+			}
+
+			// Only owners can delete the organization
+			// Verify the user is either the organization owner or has the owner role
+			const isOwner =
+				org.ownerId === ctx.user.id || userMember.role === "owner";
+
+			if (!isOwner) {
 				throw new TRPCError({
 					code: "FORBIDDEN",
 					message: "Only the organization owner can delete it",