From e666cfb37463db7a80c637131f783bab67162671 Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Mon, 8 Dec 2025 00:02:27 -0600
Subject: [PATCH] feat(organization): enhance organization update logic with member verification

- Added checks to ensure the organization exists before allowing updates.
- Implemented user membership verification to restrict updates to organization members only.
- Ensured that only the organization owner or users with the owner role can perform updates.

---
 .../server/api/routers/organization.ts | 37 +++++++++++++++++--
 1 file changed, 34 insertions(+), 3 deletions(-)

diff --git a/apps/dokploy/server/api/routers/organization.ts b/apps/dokploy/server/api/routers/organization.ts
index 38536cc44..e6301eb51 100644
--- a/apps/dokploy/server/api/routers/organization.ts
+++ b/apps/dokploy/server/api/routers/organization.ts
@@ -32,8 +32,6 @@ export const organizationRouter = createTRPCRouter({
 .returning()
 .then((res) => res[0]);
 
- console.log("result", result);
-
 if (!result) {
 throw new TRPCError({
 code: "INTERNAL_SERVER_ERROR",
@@ -96,12 +94,45 @@ export const organizationRouter = createTRPCRouter({
 }),
 )
 .mutation(async ({ ctx, input }) => {
- if (ctx.user.role !== "owner" && ctx.user.role !== "admin" && !IS_CLOUD) {
+ // First, verify the organization exists
+ const org = await db.query.organization.findFirst({
+ where: eq(organization.id, input.organizationId),
+ });
+
+ if (!org) {
+ throw new TRPCError({
+ code: "NOT_FOUND",
+ message: "Organization not found",
+ });
+ }
+
+ // Verify user is a member of this organization
+ const userMember = await db.query.member.findFirst({
+ where: and(
+ eq(member.organizationId, input.organizationId),
+ eq(member.userId, ctx.user.id),
+ ),
+ });
+
+ if (!userMember) {
+ throw new TRPCError({
+ code: "FORBIDDEN",
+ message: "You are not a member of this organization",
+ });
+ }
+
+ // Only owners can update the organization
+ // Verify the user is either the organization owner or has the owner role
+ const isOwner =
+ org.ownerId === ctx.user.id || userMember.role === "owner";
+
+ if (!isOwner) {
 throw new TRPCError({
 code: "FORBIDDEN",
 message: "Only the organization owner can update it",
 });
 }
+
 const result = await db
 .update(organization)
 .set({
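Review bot: The NOT_FOUND thrown right after the `db.query.organization.findFirst` lookup is reachable by any authenticated caller before membership is checked, so the mutation answers FORBIDDEN for organization ids that exist and NOT_FOUND for ids that do not, which turns it into an existence oracle for organizations the caller does not belong to. Running the `member` lookup first and answering a non-member with the same `code: "NOT_FOUND", message: "Organization not found"` removes that distinction at no cost; how much it matters depends on whether organization ids are guessable, which this patch does not show. The `.update(organization).set({` chain and the rest of the mutation continue past the end of the hunk, so confirm the update's `where` clause is scoped to the same `input.organizationId` that was authorized here rather than relying on the checks alone.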