Dont pull org from api key

Fixes #1361
2026-02-03 00:29:10 +00:00 · 2025-08-30 22:12:35 -07:00
parent 9455adf61f
commit ccf8e5e6f4
3 changed files with 22 additions and 12 deletions
--- a/server/middlewares/verifyRoleAccess.ts
+++ b/server/middlewares/verifyRoleAccess.ts
@@ -22,7 +22,7 @@ export async function verifyRoleAccess(
        );
    }

-    const { roleIds } = req.body;
+    const roleIds = req.body?.roleIds;
    const allRoleIds = roleIds || (isNaN(singleRoleId) ? [] : [singleRoleId]);

    if (allRoleIds.length === 0) {
--- a/server/routers/resource/setResourceRoles.ts
+++ b/server/routers/resource/setResourceRoles.ts
@@ -1,6 +1,6 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
-import { db } from "@server/db";
+import { db, resources } from "@server/db";
 import { apiKeys, roleResources, roles } from "@server/db";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -74,13 +74,18 @@ export async function setResourceRoles(

        const { resourceId } = parsedParams.data;

-        const orgId = req.userOrg?.orgId || req.apiKeyOrg?.orgId;
+        // get the resource
+        const [resource] = await db
+            .select()
+            .from(resources)
+            .where(eq(resources.resourceId, resourceId))
+            .limit(1);

-        if (!orgId) {
+        if (!resource) {
            return next(
                createHttpError(
                    HttpCode.INTERNAL_SERVER_ERROR,
-                    "Organization not found"
+                    "Resource not found"
                )
            );
        }
@@ -92,7 +97,7 @@ export async function setResourceRoles(
            .where(
                and(
                    eq(roles.name, "Admin"),
-                    eq(roles.orgId, orgId)
+                    eq(roles.orgId, resource.orgId)
                )
            )
            .limit(1);
--- a/server/routers/user/addUserRole.ts
+++ b/server/routers/user/addUserRole.ts
@@ -58,18 +58,23 @@ export async function addUserRole(
            );
        }

-        const orgId = req.userOrg?.orgId || req.apiKeyOrg?.orgId;
+        // get the role
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(eq(roles.roleId, roleId))
+            .limit(1);

-        if (!orgId) {
+        if (!role) {
            return next(
-                createHttpError(HttpCode.BAD_REQUEST, "Invalid organization ID")
+                createHttpError(HttpCode.BAD_REQUEST, "Invalid role ID")
            );
        }

        const existingUser = await db
            .select()
            .from(userOrgs)
-            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId)))
            .limit(1);

        if (existingUser.length === 0) {
@@ -93,7 +98,7 @@ export async function addUserRole(
        const roleExists = await db
            .select()
            .from(roles)
-            .where(and(eq(roles.roleId, roleId), eq(roles.orgId, orgId)))
+            .where(and(eq(roles.roleId, roleId), eq(roles.orgId, role.orgId)))
            .limit(1);

        if (roleExists.length === 0) {
@@ -108,7 +113,7 @@ export async function addUserRole(
        const newUserRole = await db
            .update(userOrgs)
            .set({ roleId })
-            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, orgId)))
+            .where(and(eq(userOrgs.userId, userId), eq(userOrgs.orgId, role.orgId)))
            .returning();

        return response(res, {