feat: add organisations (#1820)

2025-11-13 16:23:06 +10:00 · 2025-06-10 11:49:52 +10:00
parent 0b37f19641
commit e6dc237ad2
631 changed files with 37616 additions and 25695 deletions
--- a/packages/trpc/server/team-router/delete-team-group.ts
+++ b/packages/trpc/server/team-router/delete-team-group.ts
@ -0,0 +1,84 @@
+import { TEAM_MEMBER_ROLE_PERMISSIONS_MAP } from '@documenso/lib/constants/teams';
+import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { getMemberRoles } from '@documenso/lib/server-only/team/get-member-roles';
+import { buildTeamWhereQuery, isTeamRoleWithinUserHierarchy } from '@documenso/lib/utils/teams';
+import { prisma } from '@documenso/prisma';
+import { OrganisationGroupType, OrganisationMemberRole } from '@documenso/prisma/generated/types';
+
+import { authenticatedProcedure } from '../trpc';
+import {
+  ZDeleteTeamGroupRequestSchema,
+  ZDeleteTeamGroupResponseSchema,
+} from './delete-team-group.types';
+
+export const deleteTeamGroupRoute = authenticatedProcedure
+  // .meta(deleteTeamGroupMeta)
+  .input(ZDeleteTeamGroupRequestSchema)
+  .output(ZDeleteTeamGroupResponseSchema)
+  .mutation(async ({ input, ctx }) => {
+    const { teamGroupId, teamId } = input;
+    const { user } = ctx;
+
+    const team = await prisma.team.findFirst({
+      where: buildTeamWhereQuery({
+        teamId,
+        userId: user.id,
+        roles: TEAM_MEMBER_ROLE_PERMISSIONS_MAP['MANAGE_TEAM'],
+      }),
+    });
+
+    if (!team) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED);
+    }
+
+    const group = await prisma.teamGroup.findFirst({
+      where: {
+        id: teamGroupId,
+        team: {
+          id: teamId,
+        },
+      },
+      include: {
+        organisationGroup: true,
+      },
+    });
+
+    if (!group) {
+      throw new AppError(AppErrorCode.NOT_FOUND, {
+        message: 'Team group not found',
+      });
+    }
+
+    // You cannot delete internal organisation groups.
+    // The only exception is deleting the "member" organisation group which is used to allow
+    // all organisation members to access a team.
+    if (
+      group.organisationGroup.type === OrganisationGroupType.INTERNAL_ORGANISATION &&
+      group.organisationGroup.organisationRole !== OrganisationMemberRole.MEMBER
+    ) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, {
+        message: 'You are not allowed to delete internal organisaion groups',
+      });
+    }
+
+    const { teamRole: currentUserTeamRole } = await getMemberRoles({
+      teamId,
+      reference: {
+        type: 'User',
+        id: user.id,
+      },
+    });
+
+    if (!isTeamRoleWithinUserHierarchy(currentUserTeamRole, group.teamRole)) {
+      throw new AppError(AppErrorCode.UNAUTHORIZED, {
+        message: 'You are not allowed to delete this team group',
+      });
+    }
+
+    await prisma.teamGroup.delete({
+      where: {
+        id: teamGroupId,
+        teamId,
+      },
+    });
+  });