feat: add teams (#848)

## Description

Add support for teams which will allow users to collaborate on
documents.

Teams features allows users to:

- Create, manage and transfer teams
- Manage team members
- Manage team emails
- Manage a shared team inbox and documents

These changes do NOT include the following, which are planned for a
future release:

- Team templates
- Team API
- Search menu integration

## Testing Performed

- Added E2E tests for general team management
- Added E2E tests to validate document counts

## Checklist

- [X] I have tested these changes locally and they work as expected.
- [X] I have added/updated tests that prove the effectiveness of these
changes.
- [ ] I have updated the documentation to reflect these changes, if
applicable.
- [X] I have followed the project's coding style guidelines.

packages/lib/server-only/team/update-team-member.ts

@@ -0,0 +1,92 @@
+import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/teams';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { isTeamRoleWithinUserHierarchy } from '@documenso/lib/utils/teams';
+import { prisma } from '@documenso/prisma';
+import type { TeamMemberRole } from '@documenso/prisma/client';
+
+export type UpdateTeamMemberOptions = {
+  userId: number;
+  teamId: number;
+  teamMemberId: number;
+  data: {
+    role: TeamMemberRole;
+  };
+};
+
+export const updateTeamMember = async ({
+  userId,
+  teamId,
+  teamMemberId,
+  data,
+}: UpdateTeamMemberOptions) => {
+  await prisma.$transaction(async (tx) => {
+    // Find the team and validate that the user is allowed to update members.
+    const team = await tx.team.findFirstOrThrow({
+      where: {
+        id: teamId,
+        members: {
+          some: {
+            userId,
+            role: {
+              in: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+            },
+          },
+        },
+      },
+      include: {
+        members: {
+          select: {
+            id: true,
+            userId: true,
+            role: true,
+          },
+        },
+      },
+    });
+
+    const currentTeamMember = team.members.find((member) => member.userId === userId);
+    const teamMemberToUpdate = team.members.find((member) => member.id === teamMemberId);
+
+    if (!teamMemberToUpdate || !currentTeamMember) {
+      throw new AppError(AppErrorCode.NOT_FOUND, 'Team member does not exist');
+    }
+
+    if (teamMemberToUpdate.userId === team.ownerUserId) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, 'Cannot update the owner');
+    }
+
+    const isMemberToUpdateHigherRole = !isTeamRoleWithinUserHierarchy(
+      currentTeamMember.role,
+      teamMemberToUpdate.role,
+    );
+
+    if (isMemberToUpdateHigherRole) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, 'Cannot update a member with a higher role');
+    }
+
+    const isNewMemberRoleHigherThanCurrentRole = !isTeamRoleWithinUserHierarchy(
+      currentTeamMember.role,
+      data.role,
+    );
+
+    if (isNewMemberRoleHigherThanCurrentRole) {
+      throw new AppError(
+        AppErrorCode.UNAUTHORIZED,
+        'Cannot give a member a role higher than the user initating the update',
+      );
+    }
+
+    return await tx.teamMember.update({
+      where: {
+        id: teamMemberId,
+        teamId,
+        userId: {
+          not: team.ownerUserId,
+        },
+      },
+      data: {
+        role: data.role,
+      },
+    });
+  });
+};