feat: add organisations (#1820)

2025-11-14 00:32:43 +10:00 · 2025-06-10 11:49:52 +10:00
parent 0b37f19641
commit e6dc237ad2
631 changed files with 37616 additions and 25695 deletions
--- a/packages/lib/server-only/recipient/create-document-recipients.ts
+++ b/packages/lib/server-only/recipient/create-document-recipients.ts
@ -1,7 +1,6 @@
 import { RecipientRole } from '@prisma/client';
 import { SendStatus, SigningStatus } from '@prisma/client';

-import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { TRecipientAccessAuthTypes } from '@documenso/lib/types/document-auth';
 import { type TRecipientActionAuthTypes } from '@documenso/lib/types/document-auth';
@ -12,10 +11,11 @@ import { createRecipientAuthOptions } from '@documenso/lib/utils/document-auth';
 import { prisma } from '@documenso/prisma';

 import { AppError, AppErrorCode } from '../../errors/app-error';
+import { getDocumentWhereInput } from '../document/get-document-by-id';

 export interface CreateDocumentRecipientsOptions {
  userId: number;
-  teamId?: number;
+  teamId: number;
  documentId: number;
  recipients: {
    email: string;
@ -35,27 +35,25 @@ export const createDocumentRecipients = async ({
  recipients: recipientsToCreate,
  requestMetadata,
 }: CreateDocumentRecipientsOptions) => {
+  const { documentWhereInput } = await getDocumentWhereInput({
+    documentId,
+    userId,
+    teamId,
+  });
+
  const document = await prisma.document.findFirst({
-    where: {
-      id: documentId,
-      ...(teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          }),
-    },
+    where: documentWhereInput,
    include: {
      recipients: true,
+      team: {
+        select: {
+          organisation: {
+            select: {
+              organisationClaim: true,
+            },
+          },
+        },
+      },
    },
  });

@ -76,17 +74,10 @@ export const createDocumentRecipients = async ({
  );

  // Check if user has permission to set the global action auth.
-  if (recipientsHaveActionAuth) {
-    const isEnterprise = await isUserEnterprise({
-      userId,
-      teamId,
+  if (recipientsHaveActionAuth && !document.team.organisation.organisationClaim.flags.cfr21) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'You do not have permission to set the action auth',
    });
-
-    if (!isEnterprise) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to set the action auth',
-      });
-    }
  }

  const normalizedRecipients = recipientsToCreate.map((recipient) => ({
--- a/packages/lib/server-only/recipient/create-template-recipients.ts
+++ b/packages/lib/server-only/recipient/create-template-recipients.ts
@ -1,7 +1,6 @@
 import { RecipientRole } from '@prisma/client';
 import { SendStatus, SigningStatus } from '@prisma/client';

-import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import type { TRecipientAccessAuthTypes } from '@documenso/lib/types/document-auth';
 import { type TRecipientActionAuthTypes } from '@documenso/lib/types/document-auth';
 import { nanoid } from '@documenso/lib/universal/id';
@ -9,10 +8,11 @@ import { createRecipientAuthOptions } from '@documenso/lib/utils/document-auth';
 import { prisma } from '@documenso/prisma';

 import { AppError, AppErrorCode } from '../../errors/app-error';
+import { buildTeamWhereQuery } from '../../utils/teams';

 export interface CreateTemplateRecipientsOptions {
  userId: number;
-  teamId?: number;
+  teamId: number;
  templateId: number;
  recipients: {
    email: string;
@ -33,24 +33,19 @@ export const createTemplateRecipients = async ({
  const template = await prisma.template.findFirst({
    where: {
      id: templateId,
-      ...(teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          }),
+      team: buildTeamWhereQuery({ teamId, userId }),
    },
    include: {
      recipients: true,
+      team: {
+        select: {
+          organisation: {
+            select: {
+              organisationClaim: true,
+            },
+          },
+        },
+      },
    },
  });

@ -65,17 +60,10 @@ export const createTemplateRecipients = async ({
  );

  // Check if user has permission to set the global action auth.
-  if (recipientsHaveActionAuth) {
-    const isEnterprise = await isUserEnterprise({
-      userId,
-      teamId,
+  if (recipientsHaveActionAuth && !template.team.organisation.organisationClaim.flags.cfr21) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'You do not have permission to set the action auth',
    });
-
-    if (!isEnterprise) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to set the action auth',
-      });
-    }
  }

  const normalizedRecipients = recipientsToCreate.map((recipient) => ({
--- a/packages/lib/server-only/recipient/delete-document-recipient.ts
+++ b/packages/lib/server-only/recipient/delete-document-recipient.ts
@ -16,10 +16,12 @@ import { AppError, AppErrorCode } from '../../errors/app-error';
 import { extractDerivedDocumentEmailSettings } from '../../types/document-email';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
+import { buildTeamWhereQuery } from '../../utils/teams';
+import { getEmailContext } from '../email/get-email-context';

 export interface DeleteDocumentRecipientOptions {
  userId: number;
-  teamId?: number;
+  teamId: number;
  recipientId: number;
  requestMetadata: ApiRequestMetadata;
 }
@ -37,21 +39,7 @@ export const deleteDocumentRecipient = async ({
          id: recipientId,
        },
      },
-      ...(teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          }),
+      team: buildTeamWhereQuery({ teamId, userId }),
    },
    include: {
      documentMeta: true,
@ -137,12 +125,21 @@ export const deleteDocumentRecipient = async ({
      assetBaseUrl,
    });

+    const { branding, settings } = await getEmailContext({
+      source: {
+        type: 'team',
+        teamId: document.teamId,
+      },
+    });
+
+    const lang = document.documentMeta?.language ?? settings.documentLanguage;
+
    const [html, text] = await Promise.all([
-      renderEmailWithI18N(template, { lang: document.documentMeta?.language }),
-      renderEmailWithI18N(template, { lang: document.documentMeta?.language, plainText: true }),
+      renderEmailWithI18N(template, { lang, branding }),
+      renderEmailWithI18N(template, { lang, branding, plainText: true }),
    ]);

-    const i18n = await getI18nInstance(document.documentMeta?.language);
+    const i18n = await getI18nInstance(lang);

    await mailer.sendMail({
      to: {
--- a/packages/lib/server-only/recipient/delete-recipient.ts
+++ b/packages/lib/server-only/recipient/delete-recipient.ts
@ -1,16 +1,17 @@
-import type { Team } from '@prisma/client';
 import { SendStatus } from '@prisma/client';

 import { prisma } from '@documenso/prisma';

+import { AppError, AppErrorCode } from '../../errors/app-error';
 import type { RequestMetadata } from '../../universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '../../utils/document-audit-logs';
+import { buildTeamWhereQuery } from '../../utils/teams';

 export type DeleteRecipientOptions = {
  documentId: number;
  recipientId: number;
  userId: number;
-  teamId?: number;
+  teamId: number;
  requestMetadata?: RequestMetadata;
 };

@ -26,21 +27,8 @@ export const deleteRecipient = async ({
      id: recipientId,
      document: {
        id: documentId,
-        ...(teamId
-          ? {
-              team: {
-                id: teamId,
-                members: {
-                  some: {
-                    userId,
-                  },
-                },
-              },
-            }
-          : {
-              userId,
-              teamId: null,
-            }),
+        userId,
+        team: buildTeamWhereQuery({ teamId, userId }),
      },
    },
  });
@ -59,19 +47,12 @@ export const deleteRecipient = async ({
    },
  });

-  let team: Team | null = null;
+  const team = await prisma.team.findFirst({
+    where: buildTeamWhereQuery({ teamId, userId }),
+  });

-  if (teamId) {
-    team = await prisma.team.findFirst({
-      where: {
-        id: teamId,
-        members: {
-          some: {
-            userId,
-          },
-        },
-      },
-    });
+  if (!team) {
+    throw new AppError(AppErrorCode.NOT_FOUND);
  }

  const deletedRecipient = await prisma.$transaction(async (tx) => {
--- a/packages/lib/server-only/recipient/delete-template-recipient.ts
+++ b/packages/lib/server-only/recipient/delete-template-recipient.ts
@ -1,10 +1,11 @@
 import { prisma } from '@documenso/prisma';

 import { AppError, AppErrorCode } from '../../errors/app-error';
+import { buildTeamWhereQuery } from '../../utils/teams';

 export interface DeleteTemplateRecipientOptions {
  userId: number;
-  teamId?: number;
+  teamId: number;
  recipientId: number;
 }

@ -20,21 +21,7 @@ export const deleteTemplateRecipient = async ({
          id: recipientId,
        },
      },
-      ...(teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          }),
+      team: buildTeamWhereQuery({ teamId, userId }),
    },
    include: {
      recipients: {
--- a/packages/lib/server-only/recipient/get-recipient-by-id.ts
+++ b/packages/lib/server-only/recipient/get-recipient-by-id.ts
@ -1,11 +1,12 @@
 import { prisma } from '@documenso/prisma';

 import { AppError, AppErrorCode } from '../../errors/app-error';
+import { buildTeamWhereQuery } from '../../utils/teams';

 export type GetRecipientByIdOptions = {
  recipientId: number;
  userId: number;
-  teamId?: number;
+  teamId: number;
 };

 /**
@ -20,21 +21,9 @@ export const getRecipientById = async ({
  const recipient = await prisma.recipient.findFirst({
    where: {
      id: recipientId,
-      document: teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          },
+      document: {
+        team: buildTeamWhereQuery({ teamId, userId }),
+      },
    },
    include: {
      fields: true,
--- a/packages/lib/server-only/recipient/get-recipients-for-document.ts
+++ b/packages/lib/server-only/recipient/get-recipients-for-document.ts
@ -1,9 +1,11 @@
 import { prisma } from '@documenso/prisma';

+import { getDocumentWhereInput } from '../document/get-document-by-id';
+
 export interface GetRecipientsForDocumentOptions {
  documentId: number;
  userId: number;
-  teamId?: number;
+  teamId: number;
 }

 export const getRecipientsForDocument = async ({
@ -11,24 +13,15 @@ export const getRecipientsForDocument = async ({
  userId,
  teamId,
 }: GetRecipientsForDocumentOptions) => {
+  const { documentWhereInput } = await getDocumentWhereInput({
+    documentId,
+    userId,
+    teamId,
+  });
+
  const recipients = await prisma.recipient.findMany({
    where: {
-      documentId,
-      document: teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          },
+      document: documentWhereInput,
    },
    orderBy: {
      id: 'asc',
--- a/packages/lib/server-only/recipient/get-recipients-for-template.ts
+++ b/packages/lib/server-only/recipient/get-recipients-for-template.ts
@ -3,7 +3,7 @@ import { prisma } from '@documenso/prisma';
 export interface GetRecipientsForTemplateOptions {
  templateId: number;
  userId: number;
-  teamId?: number;
+  teamId: number;
 }

 export const getRecipientsForTemplate = async ({
--- a/packages/lib/server-only/recipient/set-document-recipients.ts
+++ b/packages/lib/server-only/recipient/set-document-recipients.ts
@ -6,7 +6,6 @@ import { RecipientRole } from '@prisma/client';
 import { SendStatus, SigningStatus } from '@prisma/client';
 import { isDeepEqual } from 'remeda';

-import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import { mailer } from '@documenso/email/mailer';
 import RecipientRemovedFromDocumentTemplate from '@documenso/email/templates/recipient-removed-from-document';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
@ -31,11 +30,12 @@ import { AppError, AppErrorCode } from '../../errors/app-error';
 import { extractDerivedDocumentEmailSettings } from '../../types/document-email';
 import { canRecipientBeModified } from '../../utils/recipients';
 import { renderEmailWithI18N } from '../../utils/render-email-with-i18n';
-import { teamGlobalSettingsToBranding } from '../../utils/team-global-settings-to-branding';
+import { getDocumentWhereInput } from '../document/get-document-by-id';
+import { getEmailContext } from '../email/get-email-context';

 export interface SetDocumentRecipientsOptions {
  userId: number;
-  teamId?: number;
+  teamId: number;
  documentId: number;
  recipients: RecipientData[];
  requestMetadata: ApiRequestMetadata;
@ -48,36 +48,36 @@ export const setDocumentRecipients = async ({
  recipients,
  requestMetadata,
 }: SetDocumentRecipientsOptions) => {
+  const { documentWhereInput } = await getDocumentWhereInput({
+    documentId,
+    userId,
+    teamId,
+  });
+
  const document = await prisma.document.findFirst({
-    where: {
-      id: documentId,
-      ...(teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          }),
-    },
+    where: documentWhereInput,
    include: {
      fields: true,
      documentMeta: true,
      team: {
-        include: {
-          teamGlobalSettings: true,
+        select: {
+          organisation: {
+            select: {
+              organisationClaim: true,
+            },
+          },
        },
      },
    },
  });

+  const { branding, settings } = await getEmailContext({
+    source: {
+      type: 'team',
+      teamId,
+    },
+  });
+
  const user = await prisma.user.findFirstOrThrow({
    where: {
      id: userId,
@ -102,17 +102,10 @@ export const setDocumentRecipients = async ({
  );

  // Check if user has permission to set the global action auth.
-  if (recipientsHaveActionAuth) {
-    const isDocumentEnterprise = await isUserEnterprise({
-      userId,
-      teamId,
+  if (recipientsHaveActionAuth && !document.team.organisation.organisationClaim.flags.cfr21) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'You do not have permission to set the action auth',
    });
-
-    if (!isDocumentEnterprise) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to set the action auth',
-      });
-    }
  }

  const normalizedRecipients = recipients.map((recipient) => ({
@ -309,16 +302,14 @@ export const setDocumentRecipients = async ({
          assetBaseUrl,
        });

-        const branding = document.team?.teamGlobalSettings
-          ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
-          : undefined;
+        const lang = document.documentMeta?.language ?? settings.documentLanguage;

        const [html, text] = await Promise.all([
-          renderEmailWithI18N(template, { lang: document.documentMeta?.language }),
-          renderEmailWithI18N(template, { lang: document.documentMeta?.language, plainText: true }),
+          renderEmailWithI18N(template, { lang, branding }),
+          renderEmailWithI18N(template, { lang, branding, plainText: true }),
        ]);

-        const i18n = await getI18nInstance(document.documentMeta?.language);
+        const i18n = await getI18nInstance(lang);

        await mailer.sendMail({
          to: {
--- a/packages/lib/server-only/recipient/set-template-recipients.ts
+++ b/packages/lib/server-only/recipient/set-template-recipients.ts
@ -1,7 +1,6 @@
 import type { Recipient } from '@prisma/client';
 import { RecipientRole } from '@prisma/client';

-import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import {
  DIRECT_TEMPLATE_RECIPIENT_EMAIL,
  DIRECT_TEMPLATE_RECIPIENT_NAME,
@ -15,10 +14,11 @@ import {
 } from '../../types/document-auth';
 import { nanoid } from '../../universal/id';
 import { createRecipientAuthOptions } from '../../utils/document-auth';
+import { buildTeamWhereQuery } from '../../utils/teams';

 export type SetTemplateRecipientsOptions = {
  userId: number;
-  teamId?: number;
+  teamId: number;
  templateId: number;
  recipients: {
    id?: number;
@ -39,24 +39,19 @@ export const setTemplateRecipients = async ({
  const template = await prisma.template.findFirst({
    where: {
      id: templateId,
-      ...(teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          }),
+      team: buildTeamWhereQuery({ teamId, userId }),
    },
    include: {
      directLink: true,
+      team: {
+        select: {
+          organisation: {
+            select: {
+              organisationClaim: true,
+            },
+          },
+        },
+      },
    },
  });

@ -69,17 +64,10 @@ export const setTemplateRecipients = async ({
  );

  // Check if user has permission to set the global action auth.
-  if (recipientsHaveActionAuth) {
-    const isDocumentEnterprise = await isUserEnterprise({
-      userId,
-      teamId,
+  if (recipientsHaveActionAuth && !template.team.organisation.organisationClaim.flags.cfr21) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'You do not have permission to set the action auth',
    });
-
-    if (!isDocumentEnterprise) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to set the action auth',
-      });
-    }
  }

  const normalizedRecipients = recipients.map((recipient) => {
--- a/packages/lib/server-only/recipient/update-document-recipients.ts
+++ b/packages/lib/server-only/recipient/update-document-recipients.ts
@ -3,7 +3,6 @@ import { RecipientRole } from '@prisma/client';
 import { SendStatus, SigningStatus } from '@prisma/client';
 import { isDeepEqual } from 'remeda';

-import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { TRecipientAccessAuthTypes } from '@documenso/lib/types/document-auth';
 import {
@ -20,10 +19,11 @@ import { prisma } from '@documenso/prisma';

 import { AppError, AppErrorCode } from '../../errors/app-error';
 import { canRecipientBeModified } from '../../utils/recipients';
+import { getDocumentWhereInput } from '../document/get-document-by-id';

 export interface UpdateDocumentRecipientsOptions {
  userId: number;
-  teamId?: number;
+  teamId: number;
  documentId: number;
  recipients: RecipientData[];
  requestMetadata: ApiRequestMetadata;
@ -36,28 +36,26 @@ export const updateDocumentRecipients = async ({
  recipients,
  requestMetadata,
 }: UpdateDocumentRecipientsOptions) => {
+  const { documentWhereInput } = await getDocumentWhereInput({
+    documentId,
+    userId,
+    teamId,
+  });
+
  const document = await prisma.document.findFirst({
-    where: {
-      id: documentId,
-      ...(teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          }),
-    },
+    where: documentWhereInput,
    include: {
      fields: true,
      recipients: true,
+      team: {
+        select: {
+          organisation: {
+            select: {
+              organisationClaim: true,
+            },
+          },
+        },
+      },
    },
  });

@ -78,17 +76,10 @@ export const updateDocumentRecipients = async ({
  );

  // Check if user has permission to set the global action auth.
-  if (recipientsHaveActionAuth) {
-    const isEnterprise = await isUserEnterprise({
-      userId,
-      teamId,
+  if (recipientsHaveActionAuth && !document.team.organisation.organisationClaim.flags.cfr21) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'You do not have permission to set the action auth',
    });
-
-    if (!isEnterprise) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to set the action auth',
-      });
-    }
  }

  const recipientsToUpdate = recipients.map((recipient) => {
--- a/packages/lib/server-only/recipient/update-recipient.ts
+++ b/packages/lib/server-only/recipient/update-recipient.ts
@ -1,153 +0,0 @@
-import type { RecipientRole, Team } from '@prisma/client';
-
-import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
-import { prisma } from '@documenso/prisma';
-
-import { AppError, AppErrorCode } from '../../errors/app-error';
-import { DOCUMENT_AUDIT_LOG_TYPE } from '../../types/document-audit-logs';
-import {
-  type TRecipientActionAuthTypes,
-  ZRecipientAuthOptionsSchema,
-} from '../../types/document-auth';
-import type { RequestMetadata } from '../../universal/extract-request-metadata';
-import { createDocumentAuditLogData, diffRecipientChanges } from '../../utils/document-audit-logs';
-import { createRecipientAuthOptions } from '../../utils/document-auth';
-
-export type UpdateRecipientOptions = {
-  documentId: number;
-  recipientId: number;
-  email?: string;
-  name?: string;
-  role?: RecipientRole;
-  signingOrder?: number | null;
-  actionAuth?: TRecipientActionAuthTypes[];
-  userId: number;
-  teamId?: number;
-  requestMetadata?: RequestMetadata;
-};
-
-export const updateRecipient = async ({
-  documentId,
-  recipientId,
-  email,
-  name,
-  role,
-  signingOrder,
-  actionAuth,
-  userId,
-  teamId,
-  requestMetadata,
-}: UpdateRecipientOptions) => {
-  const recipient = await prisma.recipient.findFirst({
-    where: {
-      id: recipientId,
-      document: {
-        id: documentId,
-        ...(teamId
-          ? {
-              team: {
-                id: teamId,
-                members: {
-                  some: {
-                    userId,
-                  },
-                },
-              },
-            }
-          : {
-              userId,
-              teamId: null,
-            }),
-      },
-    },
-    include: {
-      document: true,
-    },
-  });
-
-  let team: Team | null = null;
-
-  if (teamId) {
-    team = await prisma.team.findFirst({
-      where: {
-        id: teamId,
-        members: {
-          some: {
-            userId,
-          },
-        },
-      },
-    });
-  }
-
-  const user = await prisma.user.findFirstOrThrow({
-    where: {
-      id: userId,
-    },
-  });
-
-  if (!recipient) {
-    throw new Error('Recipient not found');
-  }
-
-  if (actionAuth && actionAuth.length > 0) {
-    const isDocumentEnterprise = await isUserEnterprise({
-      userId,
-      teamId,
-    });
-
-    if (!isDocumentEnterprise) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to set the action auth',
-      });
-    }
-  }
-
-  const recipientAuthOptions = ZRecipientAuthOptionsSchema.parse(recipient.authOptions);
-
-  const updatedRecipient = await prisma.$transaction(async (tx) => {
-    const persisted = await prisma.recipient.update({
-      where: {
-        id: recipient.id,
-      },
-      data: {
-        email: email?.toLowerCase() ?? recipient.email,
-        name: name ?? recipient.name,
-        role: role ?? recipient.role,
-        signingOrder,
-        authOptions: createRecipientAuthOptions({
-          accessAuth: recipientAuthOptions.accessAuth,
-          actionAuth: actionAuth ?? [],
-        }),
-      },
-    });
-
-    const changes = diffRecipientChanges(recipient, persisted);
-
-    if (changes.length > 0) {
-      await tx.documentAuditLog.create({
-        data: createDocumentAuditLogData({
-          type: DOCUMENT_AUDIT_LOG_TYPE.RECIPIENT_UPDATED,
-          documentId: documentId,
-          user: {
-            id: team?.id ?? user.id,
-            name: team?.name ?? user.name,
-            email: team ? '' : user.email,
-          },
-          requestMetadata,
-          data: {
-            changes,
-            recipientId,
-            recipientEmail: persisted.email,
-            recipientName: persisted.name,
-            recipientRole: persisted.role,
-          },
-        }),
-      });
-
-      return persisted;
-    }
-  });
-
-  return updatedRecipient;
-};
--- a/packages/lib/server-only/recipient/update-template-recipients.ts
+++ b/packages/lib/server-only/recipient/update-template-recipients.ts
@ -1,7 +1,6 @@
 import { RecipientRole } from '@prisma/client';
 import { SendStatus, SigningStatus } from '@prisma/client';

-import { isUserEnterprise } from '@documenso/ee/server-only/util/is-document-enterprise';
 import type { TRecipientAccessAuthTypes } from '@documenso/lib/types/document-auth';
 import {
  type TRecipientActionAuthTypes,
@ -11,10 +10,11 @@ import { createRecipientAuthOptions } from '@documenso/lib/utils/document-auth';
 import { prisma } from '@documenso/prisma';

 import { AppError, AppErrorCode } from '../../errors/app-error';
+import { buildTeamWhereQuery } from '../../utils/teams';

 export interface UpdateTemplateRecipientsOptions {
  userId: number;
-  teamId?: number;
+  teamId: number;
  templateId: number;
  recipients: {
    id: number;
@ -36,24 +36,19 @@ export const updateTemplateRecipients = async ({
  const template = await prisma.template.findFirst({
    where: {
      id: templateId,
-      ...(teamId
-        ? {
-            team: {
-              id: teamId,
-              members: {
-                some: {
-                  userId,
-                },
-              },
-            },
-          }
-        : {
-            userId,
-            teamId: null,
-          }),
+      team: buildTeamWhereQuery({ teamId, userId }),
    },
    include: {
      recipients: true,
+      team: {
+        select: {
+          organisation: {
+            select: {
+              organisationClaim: true,
+            },
+          },
+        },
+      },
    },
  });

@ -68,17 +63,10 @@ export const updateTemplateRecipients = async ({
  );

  // Check if user has permission to set the global action auth.
-  if (recipientsHaveActionAuth) {
-    const isEnterprise = await isUserEnterprise({
-      userId,
-      teamId,
+  if (recipientsHaveActionAuth && !template.team.organisation.organisationClaim.flags.cfr21) {
+    throw new AppError(AppErrorCode.UNAUTHORIZED, {
+      message: 'You do not have permission to set the action auth',
    });
-
-    if (!isEnterprise) {
-      throw new AppError(AppErrorCode.UNAUTHORIZED, {
-        message: 'You do not have permission to set the action auth',
-      });
-    }
  }

  const recipientsToUpdate = recipients.map((recipient) => {