fix: invalid folder queries (#1898)

Currently the majority of folder mutations only work if the user is the owner of the folder.
2025-11-13 16:23:06 +10:00 · 2025-07-16 14:37:55 +10:00
parent e5aaa17545
commit 32a5d33a16
20 changed files with 139 additions and 146 deletions
--- a/packages/lib/server-only/folder/pin-folder.ts
+++ b/packages/lib/server-only/folder/pin-folder.ts
@ -2,6 +2,7 @@ import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import { prisma } from '@documenso/prisma';

 import type { TFolderType } from '../../types/folder-type';
+import { buildTeamWhereQuery } from '../../utils/teams';

 export interface PinFolderOptions {
  userId: number;
@ -14,8 +15,10 @@ export const pinFolder = async ({ userId, teamId, folderId, type }: PinFolderOpt
  const folder = await prisma.folder.findFirst({
    where: {
      id: folderId,
-      userId,
-      teamId,
+      team: buildTeamWhereQuery({
+        teamId,
+        userId,
+      }),
      type,
    },
  });