v1.9.0-rc.5

## Description

<!--- Describe the changes introduced by this pull request. -->
<!--- Explain what problem it solves or what feature/fix it adds. -->

## Related Issue

<!--- If this pull request is related to a specific issue, reference it
here using #issue_number. -->
<!--- For example, "Fixes #123" or "Addresses #456". -->

## Changes Made

<!--- Provide a summary of the changes made in this pull request. -->
<!--- Include any relevant technical details or architecture changes.
-->

- Change 1
- Change 2
- ...

## Testing Performed

<!--- Describe the testing that you have performed to validate these
changes. -->
<!--- Include information about test cases, testing environments, and
results. -->

- Tested feature X in scenario Y.
- Ran unit tests for component Z.
- Tested on browsers A, B, and C.
- ...

## Checklist

<!--- Please check the boxes that apply to this pull request. -->
<!--- You can add or remove items as needed. -->

- [ ] I have tested these changes locally and they work as expected.
- [ ] I have added/updated tests that prove the effectiveness of these
changes.
- [ ] I have updated the documentation to reflect these changes, if
applicable.
- [ ] I have followed the project's coding style guidelines.
- [ ] I have addressed the code review feedback from the previous
submission, if applicable.

## Additional Notes

<!--- Provide any additional context or notes for the reviewers. -->
<!--- This might include details about design decisions, potential
concerns, or anything else relevant. -->

apps/documentation/pages/users/teams/document-visibility.mdx

@@ -17,23 +17,25 @@ The default document visibility option allows you to control who can view and ac
 
 The default document visibility is set to "_EVERYONE_" by default. You can change this setting by going to the [team's general preferences page](/users/teams/preferences) and selecting a different visibility option.
 
-<Callout type="warning">
-  If the team member uploading the document has a role lower than the default document visibility,
-  the document visibility will be set to a lower visibility level matching the team member's role.
-</Callout>
-
 Here's how it works:
 
-- If a user with the "_Member_" role creates a document and the default document visibility is set to "_Admin_" or "_Managers and above_", the document's visibility is set to "_Everyone_".
-- If a user with the "_Manager_" role creates a document and the default document visibility is set to "_Admin_", the document's visibility is set to "_Managers and above_".
-- Otherwise, the document's visibility is set to the default document visibility.
+- If a user with the "_Member_" role creates a document and the default document visibility is set to "_Everyone_", the document's visibility is set to "_EVERYONE_".
+  - The user can't change the visibility of the document in the document editor.
+- If a user with the "_Member_" role creates a document and the default document visibility is set to "_Admin_" or "_Managers and above_", the document's visibility is set to the default document visibility ("_Admin_" or "_Managers and above_" in this case).
+  - The user can't change the visibility of the document in the document editor.
+- If a user with the "_Manager_" role creates a document and the default document visibility is set to "_Everyone_" or "_Managers and above_", the document's visibility is set to the default document visibility ("_Everyone_" or "_Managers and above_" in this case).
+  - The user can change the visibility of the document to any of these options, except "_Admin_", in the document editor.
+- If a user with the "_Manager_" role creates a document and the default document visibility is set to "_Admin_", the document's visibility is set to "_Admin_".
+  - The user can't change the visibility of the document in the document editor.
+- If a user with the "_Admin_" role creates a document, and the default document visibility is set to "_Everyone_", "_Managers and above_", or "_Admin_", the document's visibility is set to the default document visibility.
+  - The user can change the visibility of the document to any of these options in the document editor.
 
 You can change the visibility of a document at any time by editing the document and selecting a different visibility option.
 
 ![A screenshot of the Documenso's document editor page where you can update the document visibility](/teams/document-visibility-settings.webp)
 
 <Callout type="warning">
-  Updating the default document visibility in the team's general settings will not affect the
+  Updating the default document visibility in the team's general preferences will not affect the
   visibility of existing documents. You will need to update the visibility of each document
   individually.
 </Callout>

apps/marketing/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@documenso/marketing",
-  "version": "1.9.0-rc.3",
+  "version": "1.9.0-rc.5",
   "private": true,
   "license": "AGPL-3.0",
   "scripts": {
@@ -47,7 +47,7 @@
     "recharts": "^2.7.2",
     "sharp": "0.32.6",
     "typescript": "5.2.2",
-    "zod": "^3.23.8"
+    "zod": "3.24.1"
   },
   "devDependencies": {
     "@lingui/loader": "^4.11.3",

apps/web/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@documenso/web",
-  "version": "1.9.0-rc.3",
+  "version": "1.9.0-rc.5",
   "private": true,
   "license": "AGPL-3.0",
   "scripts": {
@@ -60,7 +60,7 @@
     "ts-pattern": "^5.0.5",
     "ua-parser-js": "^1.0.37",
     "uqr": "^0.1.2",
-    "zod": "^3.23.8"
+    "zod": "3.24.1"
   },
   "devDependencies": {
     "@documenso/tailwind-config": "*",

apps/web/src/app/(signing)/sign/[token]/checkbox-field.tsx

@@ -12,6 +12,7 @@ import { DO_NOT_INVALIDATE_QUERY_ON_MUTATION } from '@documenso/lib/constants/tr
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
 import type { TRecipientActionAuth } from '@documenso/lib/types/document-auth';
 import { ZCheckboxFieldMeta } from '@documenso/lib/types/field-meta';
+import { fromCheckboxValue, toCheckboxValue } from '@documenso/lib/universal/field-checkbox';
 import type { Recipient } from '@documenso/prisma/client';
 import type { FieldWithSignatureAndFieldMeta } from '@documenso/prisma/types/field-with-signature-and-fieldmeta';
 import { trpc } from '@documenso/trpc/react';
@@ -54,6 +55,7 @@ export const CheckboxField = ({
     ...item,
     value: item.value.length > 0 ? item.value : `empty-value-${item.id}`,
   }));
+
   const [checkedValues, setCheckedValues] = useState(
     values
       ?.map((item) =>
@@ -97,7 +99,7 @@ export const CheckboxField = ({
       const payload: TSignFieldWithTokenMutationSchema = {
         token: recipient.token,
         fieldId: field.id,
-        value: checkedValues.join(','),
+        value: toCheckboxValue(checkedValues),
         isBase64: true,
         authOptions,
       };
@@ -191,7 +193,7 @@ export const CheckboxField = ({
           await signFieldWithToken({
             token: recipient.token,
             fieldId: field.id,
-            value: updatedValues.join(','),
+            value: toCheckboxValue(checkedValues),
             isBase64: true,
           });
         }
@@ -228,6 +230,11 @@ export const CheckboxField = ({
     }
   }, [checkedValues, isLengthConditionMet, field.inserted]);
 
+  const parsedCheckedValues = useMemo(
+    () => fromCheckboxValue(field.customText),
+    [field.customText],
+  );
+
   return (
     <SigningFieldContainer field={field} onSign={onSign} onRemove={onRemove} type="Checkbox">
       {isLoading && (
@@ -277,9 +284,7 @@ export const CheckboxField = ({
                   className="h-3 w-3"
                   checkClassName="text-white"
                   id={`checkbox-${index}`}
-                  checked={field.customText
-                    .split(',')
-                    .some((customValue) => customValue === itemValue)}
+                  checked={parsedCheckedValues.includes(itemValue)}
                   disabled={isLoading}
                   onCheckedChange={() => void handleCheckboxOptionClick(item)}
                 />

apps/web/src/components/forms/signin.tsx

@@ -53,6 +53,7 @@ const ERROR_MESSAGES: Partial<Record<keyof typeof ErrorCode, string>> = {
   [ErrorCode.INCORRECT_TWO_FACTOR_BACKUP_CODE]: 'The backup code provided is incorrect',
   [ErrorCode.UNVERIFIED_EMAIL]:
     'This account has not been verified. Please verify your account before signing in.',
+  [ErrorCode.ACCOUNT_DISABLED]: 'This account has been disabled. Please contact support.',
 };
 
 const TwoFactorEnabledErrorCode = ErrorCode.TWO_FACTOR_MISSING_CREDENTIALS;

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "@documenso/root",
-  "version": "1.9.0-rc.3",
+  "version": "1.9.0-rc.5",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@documenso/root",
-      "version": "1.9.0-rc.3",
+      "version": "1.9.0-rc.5",
       "workspaces": [
         "apps/*",
         "packages/*"
@@ -17,8 +17,10 @@
         "@lingui/core": "^4.11.3",
         "inngest-cli": "^0.29.1",
         "luxon": "^3.5.0",
+        "mupdf": "^1.0.0",
         "next-runtime-env": "^3.2.0",
-        "react": "^18"
+        "react": "^18",
+        "zod": "3.24.1"
       },
       "devDependencies": {
         "@commitlint/cli": "^17.7.1",
@@ -79,7 +81,7 @@
     },
     "apps/marketing": {
       "name": "@documenso/marketing",
-      "version": "1.9.0-rc.3",
+      "version": "1.9.0-rc.5",
       "license": "AGPL-3.0",
       "dependencies": {
         "@documenso/assets": "*",
@@ -115,7 +117,7 @@
         "recharts": "^2.7.2",
         "sharp": "0.32.6",
         "typescript": "5.2.2",
-        "zod": "^3.23.8"
+        "zod": "3.24.1"
       },
       "devDependencies": {
         "@lingui/loader": "^4.11.3",
@@ -492,7 +494,7 @@
     },
     "apps/web": {
       "name": "@documenso/web",
-      "version": "1.9.0-rc.3",
+      "version": "1.9.0-rc.5",
       "license": "AGPL-3.0",
       "dependencies": {
         "@documenso/api": "*",
@@ -540,7 +542,7 @@
         "ts-pattern": "^5.0.5",
         "ua-parser-js": "^1.0.37",
         "uqr": "^0.1.2",
-        "zod": "^3.23.8"
+        "zod": "3.24.1"
       },
       "devDependencies": {
         "@documenso/tailwind-config": "*",
@@ -10723,15 +10725,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/@trigger.dev/cli/node_modules/zod": {
-      "version": "3.22.3",
-      "resolved": "https://registry.npmjs.org/zod/-/zod-3.22.3.tgz",
-      "integrity": "sha512-EjIevzuJRiRPbVH4mGc8nApb/lVLKVpmUhAaR5R5doKGfAnGJ6Gr3CViAVjP+4FWSxCsybeWQdcgCtbX+7oZug==",
-      "dev": true,
-      "funding": {
-        "url": "https://github.com/sponsors/colinhacks"
-      }
-    },
     "node_modules/@trigger.dev/core": {
       "version": "2.3.18",
       "resolved": "https://registry.npmjs.org/@trigger.dev/core/-/core-2.3.18.tgz",
@@ -10753,14 +10746,6 @@
         "node": ">=18.0.0"
       }
     },
-    "node_modules/@trigger.dev/core/node_modules/zod": {
-      "version": "3.22.3",
-      "resolved": "https://registry.npmjs.org/zod/-/zod-3.22.3.tgz",
-      "integrity": "sha512-EjIevzuJRiRPbVH4mGc8nApb/lVLKVpmUhAaR5R5doKGfAnGJ6Gr3CViAVjP+4FWSxCsybeWQdcgCtbX+7oZug==",
-      "funding": {
-        "url": "https://github.com/sponsors/colinhacks"
-      }
-    },
     "node_modules/@trigger.dev/nextjs": {
       "version": "2.3.18",
       "resolved": "https://registry.npmjs.org/@trigger.dev/nextjs/-/nextjs-2.3.18.tgz",
@@ -10824,14 +10809,6 @@
         "uuid": "dist/bin/uuid"
       }
     },
-    "node_modules/@trigger.dev/sdk/node_modules/zod": {
-      "version": "3.22.3",
-      "resolved": "https://registry.npmjs.org/zod/-/zod-3.22.3.tgz",
-      "integrity": "sha512-EjIevzuJRiRPbVH4mGc8nApb/lVLKVpmUhAaR5R5doKGfAnGJ6Gr3CViAVjP+4FWSxCsybeWQdcgCtbX+7oZug==",
-      "funding": {
-        "url": "https://github.com/sponsors/colinhacks"
-      }
-    },
     "node_modules/@trigger.dev/yalt": {
       "version": "2.3.18",
       "resolved": "https://registry.npmjs.org/@trigger.dev/yalt/-/yalt-2.3.18.tgz",
@@ -10848,15 +10825,6 @@
         "node": ">=18.0.0"
       }
     },
-    "node_modules/@trigger.dev/yalt/node_modules/zod": {
-      "version": "3.22.3",
-      "resolved": "https://registry.npmjs.org/zod/-/zod-3.22.3.tgz",
-      "integrity": "sha512-EjIevzuJRiRPbVH4mGc8nApb/lVLKVpmUhAaR5R5doKGfAnGJ6Gr3CViAVjP+4FWSxCsybeWQdcgCtbX+7oZug==",
-      "dev": true,
-      "funding": {
-        "url": "https://github.com/sponsors/colinhacks"
-      }
-    },
     "node_modules/@trivago/prettier-plugin-sort-imports": {
       "version": "4.3.0",
       "resolved": "https://registry.npmjs.org/@trivago/prettier-plugin-sort-imports/-/prettier-plugin-sort-imports-4.3.0.tgz",
@@ -20103,14 +20071,6 @@
         "node": ">=6"
       }
     },
-    "node_modules/inngest/node_modules/zod": {
-      "version": "3.22.5",
-      "resolved": "https://registry.npmjs.org/zod/-/zod-3.22.5.tgz",
-      "integrity": "sha512-HqnGsCdVZ2xc0qWPLdO25WnseXThh0kEYKIdV5F/hTHO75hNZFp8thxSeHhiPrHZKrFTo1SOgkAj9po5bexZlw==",
-      "funding": {
-        "url": "https://github.com/sponsors/colinhacks"
-      }
-    },
     "node_modules/input-otp": {
       "version": "1.2.4",
       "resolved": "https://registry.npmjs.org/input-otp/-/input-otp-1.2.4.tgz",
@@ -24284,6 +24244,12 @@
       "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.2.tgz",
       "integrity": "sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w=="
     },
+    "node_modules/mupdf": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/mupdf/-/mupdf-1.0.0.tgz",
+      "integrity": "sha512-AWT27abYSX5gQmWs7+jDEtmGJpWyZrqdxROpYf5BDAJBA+iYqlNztk2EMlKvuRLBzajj00kf4PtFiergDSKDTg==",
+      "license": "AGPL-3.0-or-later"
+    },
     "node_modules/mute-stream": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/mute-stream/-/mute-stream-1.0.0.tgz",
@@ -35762,7 +35728,7 @@
         "superjson": "^1.13.1",
         "swagger-ui-react": "^5.11.0",
         "ts-pattern": "^5.0.5",
-        "zod": "^3.23.8"
+        "zod": "3.24.1"
       }
     },
     "packages/api/node_modules/@ts-rest/next": {
@@ -35827,7 +35793,7 @@
         "next-auth": "4.24.5",
         "react": "^18",
         "ts-pattern": "^5.0.5",
-        "zod": "^3.23.8"
+        "zod": "3.24.1"
       }
     },
     "packages/email": {
@@ -37036,7 +37002,7 @@
         "sharp": "0.32.6",
         "stripe": "^12.7.0",
         "ts-pattern": "^5.0.5",
-        "zod": "^3.23.8"
+        "zod": "3.24.1"
       },
       "devDependencies": {
         "@playwright/browser-chromium": "1.43.0",
@@ -37174,7 +37140,7 @@
         "luxon": "^3.4.0",
         "superjson": "^1.13.1",
         "ts-pattern": "^5.0.5",
-        "zod": "^3.23.8"
+        "zod": "3.24.1"
       }
     },
     "packages/trpc/node_modules/@ts-rest/next": {
@@ -37254,7 +37220,7 @@
         "tailwind-merge": "^1.12.0",
         "tailwindcss-animate": "^1.0.5",
         "ts-pattern": "^5.0.5",
-        "zod": "^3.23.8"
+        "zod": "3.24.1"
       },
       "devDependencies": {
         "@documenso/tailwind-config": "*",

package.json

@@ -1,6 +1,6 @@
 {
   "private": true,
-  "version": "1.9.0-rc.3",
+  "version": "1.9.0-rc.5",
   "scripts": {
     "build": "turbo run build",
     "build:web": "turbo run build --filter=@documenso/web",
@@ -68,11 +68,14 @@
     "@lingui/core": "^4.11.3",
     "inngest-cli": "^0.29.1",
     "luxon": "^3.5.0",
+    "mupdf": "^1.0.0",
     "next-runtime-env": "^3.2.0",
-    "react": "^18"
+    "react": "^18",
+    "zod": "3.24.1"
   },
   "overrides": {
-    "next": "14.2.6"
+    "next": "14.2.6",
+    "zod": "3.24.1"
   },
   "trigger.dev": {
     "endpointId": "documenso-app"

packages/api/package.json

@@ -25,6 +25,6 @@
     "superjson": "^1.13.1",
     "swagger-ui-react": "^5.11.0",
     "ts-pattern": "^5.0.5",
-    "zod": "^3.23.8"
+    "zod": "3.24.1"
   }
-}
+}

packages/app-tests/e2e/teams/team-documents.spec.ts

@@ -1,6 +1,7 @@
 import { expect, test } from '@playwright/test';
 
-import { DocumentStatus, TeamMemberRole } from '@documenso/prisma/client';
+import { DocumentStatus, DocumentVisibility, TeamMemberRole } from '@documenso/prisma/client';
+import { seedBlankDocument } from '@documenso/prisma/seed/documents';
 import { seedDocuments, seedTeamDocuments } from '@documenso/prisma/seed/documents';
 import { seedTeam, seedTeamEmail, seedTeamMember } from '@documenso/prisma/seed/teams';
 import { seedUser } from '@documenso/prisma/seed/users';
@@ -538,7 +539,7 @@ test('[TEAMS]: ensure recipient can see document regardless of visibility', asyn
   await apiSignout({ page });
 });
 
-test('[TEAMS]: check that members cannot see ADMIN-only documents', async ({ page }) => {
+test('[TEAMS]: check that MEMBER role cannot see ADMIN-only documents', async ({ page }) => {
   const team = await seedTeam();
 
   // Seed a member user
@@ -575,7 +576,46 @@ test('[TEAMS]: check that members cannot see ADMIN-only documents', async ({ pag
   await apiSignout({ page });
 });
 
-test('[TEAMS]: check that managers cannot see ADMIN-only documents', async ({ page }) => {
+test('[TEAMS]: check that MEMBER role cannot see MANAGER_AND_ABOVE-only documents', async ({
+  page,
+}) => {
+  const team = await seedTeam();
+
+  // Seed a member user
+  const memberUser = await seedTeamMember({
+    teamId: team.id,
+    role: TeamMemberRole.MEMBER,
+  });
+
+  // Seed an ADMIN-only document
+  await seedDocuments([
+    {
+      sender: team.owner,
+      recipients: [],
+      type: DocumentStatus.COMPLETED,
+      documentOptions: {
+        teamId: team.id,
+        visibility: 'MANAGER_AND_ABOVE',
+        title: 'Manager and Above Only Document',
+      },
+    },
+  ]);
+
+  await apiSignin({
+    page,
+    email: memberUser.email,
+    redirectPath: `/t/${team.url}/documents?status=COMPLETED`,
+  });
+
+  // Check that the member user cannot see the ADMIN-only document
+  await expect(
+    page.getByRole('link', { name: 'Admin Only Document', exact: true }),
+  ).not.toBeVisible();
+
+  await apiSignout({ page });
+});
+
+test('[TEAMS]: check that MANAGER role cannot see ADMIN-only documents', async ({ page }) => {
   const team = await seedTeam();
 
   // Seed a manager user
@@ -612,7 +652,7 @@ test('[TEAMS]: check that managers cannot see ADMIN-only documents', async ({ pa
   await apiSignout({ page });
 });
 
-test('[TEAMS]: check that admin can see MANAGER_AND_ABOVE documents', async ({ page }) => {
+test('[TEAMS]: check that ADMIN role can see MANAGER_AND_ABOVE documents', async ({ page }) => {
   const team = await seedTeam();
 
   // Seed an admin user
@@ -649,6 +689,187 @@ test('[TEAMS]: check that admin can see MANAGER_AND_ABOVE documents', async ({ p
   await apiSignout({ page });
 });
 
+test('[TEAMS]: check that ADMIN role can change document visibility', async ({ page }) => {
+  const team = await seedTeam({
+    createTeamOptions: {
+      teamGlobalSettings: {
+        create: {
+          documentVisibility: DocumentVisibility.MANAGER_AND_ABOVE,
+        },
+      },
+    },
+  });
+
+  const adminUser = await seedTeamMember({
+    teamId: team.id,
+    role: TeamMemberRole.ADMIN,
+  });
+
+  const document = await seedBlankDocument(adminUser, {
+    createDocumentOptions: {
+      teamId: team.id,
+      visibility: team.teamGlobalSettings?.documentVisibility,
+    },
+  });
+
+  await apiSignin({
+    page,
+    email: adminUser.email,
+    redirectPath: `/t/${team.url}/documents/${document.id}/edit`,
+  });
+
+  await page.getByTestId('documentVisibilitySelectValue').click();
+  await page.getByLabel('Admins only').click();
+
+  await page.getByRole('button', { name: 'Continue' }).click();
+  await expect(page.getByRole('heading', { name: 'Add Signers' })).toBeVisible();
+
+  await page.getByRole('button', { name: 'Go Back' }).click();
+  await expect(page.getByRole('heading', { name: 'General' })).toBeVisible();
+
+  await expect(page.getByTestId('documentVisibilitySelectValue')).toContainText('Admins only');
+});
+
+test('[TEAMS]: check that MEMBER role cannot change visibility of EVERYONE documents', async ({
+  page,
+}) => {
+  const team = await seedTeam({
+    createTeamOptions: {
+      teamGlobalSettings: {
+        create: {
+          documentVisibility: DocumentVisibility.EVERYONE,
+        },
+      },
+    },
+  });
+
+  const teamMember = await seedTeamMember({
+    teamId: team.id,
+    role: TeamMemberRole.MEMBER,
+  });
+
+  const document = await seedBlankDocument(teamMember, {
+    createDocumentOptions: {
+      teamId: team.id,
+      visibility: team.teamGlobalSettings?.documentVisibility,
+    },
+  });
+
+  await apiSignin({
+    page,
+    email: teamMember.email,
+    redirectPath: `/t/${team.url}/documents/${document.id}/edit`,
+  });
+
+  await expect(page.getByTestId('documentVisibilitySelectValue')).toHaveText('Everyone');
+  await expect(page.getByTestId('documentVisibilitySelectValue')).toBeDisabled();
+});
+
+test('[TEAMS]: check that MEMBER role cannot change visibility of MANAGER_AND_ABOVE documents', async ({
+  page,
+}) => {
+  const team = await seedTeam({
+    createTeamOptions: {
+      teamGlobalSettings: {
+        create: {
+          documentVisibility: DocumentVisibility.MANAGER_AND_ABOVE,
+        },
+      },
+    },
+  });
+
+  const teamMember = await seedTeamMember({
+    teamId: team.id,
+    role: TeamMemberRole.MEMBER,
+  });
+
+  const document = await seedBlankDocument(teamMember, {
+    createDocumentOptions: {
+      teamId: team.id,
+      visibility: team.teamGlobalSettings?.documentVisibility,
+    },
+  });
+
+  await apiSignin({
+    page,
+    email: teamMember.email,
+    redirectPath: `/t/${team.url}/documents/${document.id}/edit`,
+  });
+
+  await expect(page.getByTestId('documentVisibilitySelectValue')).toHaveText('Managers and above');
+  await expect(page.getByTestId('documentVisibilitySelectValue')).toBeDisabled();
+});
+
+test('[TEAMS]: check that MEMBER role cannot change visibility of ADMIN documents', async ({
+  page,
+}) => {
+  const team = await seedTeam({
+    createTeamOptions: {
+      teamGlobalSettings: {
+        create: {
+          documentVisibility: DocumentVisibility.ADMIN,
+        },
+      },
+    },
+  });
+
+  const teamMember = await seedTeamMember({
+    teamId: team.id,
+    role: TeamMemberRole.MEMBER,
+  });
+
+  const document = await seedBlankDocument(teamMember, {
+    createDocumentOptions: {
+      teamId: team.id,
+      visibility: team.teamGlobalSettings?.documentVisibility,
+    },
+  });
+
+  await apiSignin({
+    page,
+    email: teamMember.email,
+    redirectPath: `/t/${team.url}/documents/${document.id}/edit`,
+  });
+
+  await expect(page.getByTestId('documentVisibilitySelectValue')).toHaveText('Admins only');
+  await expect(page.getByTestId('documentVisibilitySelectValue')).toBeDisabled();
+});
+
+test('[TEAMS]: check that MANAGER role cannot change visibility of ADMIN documents', async ({
+  page,
+}) => {
+  const team = await seedTeam({
+    createTeamOptions: {
+      teamGlobalSettings: {
+        create: {
+          documentVisibility: DocumentVisibility.ADMIN,
+        },
+      },
+    },
+  });
+
+  const teamManager = await seedTeamMember({
+    teamId: team.id,
+    role: TeamMemberRole.MANAGER,
+  });
+
+  const document = await seedBlankDocument(teamManager, {
+    createDocumentOptions: {
+      teamId: team.id,
+      visibility: team.teamGlobalSettings?.documentVisibility,
+    },
+  });
+
+  await apiSignin({
+    page,
+    email: teamManager.email,
+    redirectPath: `/t/${team.url}/documents/${document.id}/edit`,
+  });
+
+  await expect(page.getByTestId('documentVisibilitySelectValue')).toHaveText('Admins only');
+  await expect(page.getByTestId('documentVisibilitySelectValue')).toBeDisabled();
+});
+
 test('[TEAMS]: users cannot see documents from other teams', async ({ page }) => {
   // Seed two teams with documents
   const { team: teamA, teamMember2: teamAMember } = await seedTeamDocuments();

packages/ee/package.json

@@ -21,6 +21,6 @@
     "next-auth": "4.24.5",
     "react": "^18",
     "ts-pattern": "^5.0.5",
-    "zod": "^3.23.8"
+    "zod": "3.24.1"
   }
-}
+}

packages/lib/jobs/definitions/emails/send-confirmation-email.handler.ts

@@ -0,0 +1,9 @@
+import { sendConfirmationToken } from '../../../server-only/user/send-confirmation-token';
+import type { TSendConfirmationEmailJobDefinition } from './send-confirmation-email';
+
+export const run = async ({ payload }: { payload: TSendConfirmationEmailJobDefinition }) => {
+  await sendConfirmationToken({
+    email: payload.email,
+    force: payload.force,
+  });
+};

packages/lib/jobs/definitions/emails/send-confirmation-email.ts

@@ -1,6 +1,5 @@
 import { z } from 'zod';
 
-import { sendConfirmationToken } from '../../../server-only/user/send-confirmation-token';
 import type { JobDefinition } from '../../client/_internal/job';
 
 const SEND_CONFIRMATION_EMAIL_JOB_DEFINITION_ID = 'send.signup.confirmation.email';
@@ -10,6 +9,10 @@ const SEND_CONFIRMATION_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
   force: z.boolean().optional(),
 });
 
+export type TSendConfirmationEmailJobDefinition = z.infer<
+  typeof SEND_CONFIRMATION_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
 export const SEND_CONFIRMATION_EMAIL_JOB_DEFINITION = {
   id: SEND_CONFIRMATION_EMAIL_JOB_DEFINITION_ID,
   name: 'Send Confirmation Email',
@@ -19,12 +22,11 @@ export const SEND_CONFIRMATION_EMAIL_JOB_DEFINITION = {
     schema: SEND_CONFIRMATION_EMAIL_JOB_DEFINITION_SCHEMA,
   },
   handler: async ({ payload }) => {
-    await sendConfirmationToken({
-      email: payload.email,
-      force: payload.force,
-    });
+    const handler = await import('./send-confirmation-email.handler');
+
+    await handler.run({ payload });
   },
 } as const satisfies JobDefinition<
   typeof SEND_CONFIRMATION_EMAIL_JOB_DEFINITION_ID,
-  z.infer<typeof SEND_CONFIRMATION_EMAIL_JOB_DEFINITION_SCHEMA>
+  TSendConfirmationEmailJobDefinition
 >;

packages/lib/jobs/definitions/emails/send-rejection-emails.handler.ts

@@ -0,0 +1,156 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/macro';
+
+import { mailer } from '@documenso/email/mailer';
+import DocumentRejectedEmail from '@documenso/email/templates/document-rejected';
+import DocumentRejectionConfirmedEmail from '@documenso/email/templates/document-rejection-confirmed';
+import { prisma } from '@documenso/prisma';
+import { SendStatus, SigningStatus } from '@documenso/prisma/client';
+
+import { getI18nInstance } from '../../../client-only/providers/i18n.server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../../constants/app';
+import { FROM_ADDRESS, FROM_NAME } from '../../../constants/email';
+import { extractDerivedDocumentEmailSettings } from '../../../types/document-email';
+import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../../utils/team-global-settings-to-branding';
+import { formatDocumentsPath } from '../../../utils/teams';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSendSigningRejectionEmailsJobDefinition } from './send-rejection-emails';
+
+export const run = async ({
+  payload,
+  io,
+}: {
+  payload: TSendSigningRejectionEmailsJobDefinition;
+  io: JobRunIO;
+}) => {
+  const { documentId, recipientId } = payload;
+
+  const [document, recipient] = await Promise.all([
+    prisma.document.findFirstOrThrow({
+      where: {
+        id: documentId,
+      },
+      include: {
+        User: true,
+        documentMeta: true,
+        team: {
+          select: {
+            teamEmail: true,
+            name: true,
+            url: true,
+            teamGlobalSettings: true,
+          },
+        },
+      },
+    }),
+    prisma.recipient.findFirstOrThrow({
+      where: {
+        id: recipientId,
+        signingStatus: SigningStatus.REJECTED,
+      },
+    }),
+  ]);
+
+  const { documentMeta, team, User: documentOwner } = document;
+
+  const isEmailEnabled = extractDerivedDocumentEmailSettings(
+    document.documentMeta,
+  ).recipientSigningRequest;
+
+  if (!isEmailEnabled) {
+    return;
+  }
+
+  const i18n = await getI18nInstance(documentMeta?.language);
+
+  // Send confirmation email to the recipient who rejected
+  await io.runTask('send-rejection-confirmation-email', async () => {
+    const recipientTemplate = createElement(DocumentRejectionConfirmedEmail, {
+      recipientName: recipient.name,
+      documentName: document.title,
+      documentOwnerName: document.User.name || document.User.email,
+      reason: recipient.rejectionReason || '',
+      assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+    });
+
+    const branding = document.team?.teamGlobalSettings
+      ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
+      : undefined;
+
+    const [html, text] = await Promise.all([
+      renderEmailWithI18N(recipientTemplate, { lang: documentMeta?.language, branding }),
+      renderEmailWithI18N(recipientTemplate, {
+        lang: documentMeta?.language,
+        branding,
+        plainText: true,
+      }),
+    ]);
+
+    await mailer.sendMail({
+      to: {
+        name: recipient.name,
+        address: recipient.email,
+      },
+      from: {
+        name: FROM_NAME,
+        address: FROM_ADDRESS,
+      },
+      subject: i18n._(msg`Document "${document.title}" - Rejection Confirmed`),
+      html,
+      text,
+    });
+  });
+
+  // Send notification email to document owner
+  await io.runTask('send-owner-notification-email', async () => {
+    const ownerTemplate = createElement(DocumentRejectedEmail, {
+      recipientName: recipient.name,
+      documentName: document.title,
+      documentUrl: `${NEXT_PUBLIC_WEBAPP_URL()}${formatDocumentsPath(document.team?.url)}/${
+        document.id
+      }`,
+      rejectionReason: recipient.rejectionReason || '',
+      assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
+    });
+
+    const branding = document.team?.teamGlobalSettings
+      ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
+      : undefined;
+
+    const [html, text] = await Promise.all([
+      renderEmailWithI18N(ownerTemplate, { lang: documentMeta?.language, branding }),
+      renderEmailWithI18N(ownerTemplate, {
+        lang: documentMeta?.language,
+        branding,
+        plainText: true,
+      }),
+    ]);
+
+    await mailer.sendMail({
+      to: {
+        name: documentOwner.name || '',
+        address: documentOwner.email,
+      },
+      from: {
+        name: FROM_NAME,
+        address: FROM_ADDRESS,
+      },
+      subject: i18n._(msg`Document "${document.title}" - Rejected by ${recipient.name}`),
+      html,
+      text,
+    });
+  });
+
+  await io.runTask('update-recipient', async () => {
+    await prisma.recipient.update({
+      where: {
+        id: recipient.id,
+      },
+      data: {
+        sendStatus: SendStatus.SENT,
+      },
+    });
+  });
+};

packages/lib/jobs/definitions/emails/send-rejection-emails.ts

@@ -1,21 +1,5 @@
-import { createElement } from 'react';
-
-import { msg } from '@lingui/macro';
 import { z } from 'zod';
 
-import { mailer } from '@documenso/email/mailer';
-import DocumentRejectedEmail from '@documenso/email/templates/document-rejected';
-import DocumentRejectionConfirmedEmail from '@documenso/email/templates/document-rejection-confirmed';
-import { prisma } from '@documenso/prisma';
-import { SendStatus, SigningStatus } from '@documenso/prisma/client';
-
-import { getI18nInstance } from '../../../client-only/providers/i18n.server';
-import { NEXT_PUBLIC_WEBAPP_URL } from '../../../constants/app';
-import { FROM_ADDRESS, FROM_NAME } from '../../../constants/email';
-import { extractDerivedDocumentEmailSettings } from '../../../types/document-email';
-import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
-import { teamGlobalSettingsToBranding } from '../../../utils/team-global-settings-to-branding';
-import { formatDocumentsPath } from '../../../utils/teams';
 import { type JobDefinition } from '../../client/_internal/job';
 
 const SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION_ID = 'send.signing.rejected.emails';
@@ -25,6 +9,10 @@ const SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION_SCHEMA = z.object({
   recipientId: z.number(),
 });
 
+export type TSendSigningRejectionEmailsJobDefinition = z.infer<
+  typeof SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION_SCHEMA
+>;
+
 export const SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION = {
   id: SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION_ID,
   name: 'Send Rejection Emails',
@@ -34,136 +22,11 @@ export const SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION = {
     schema: SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION_SCHEMA,
   },
   handler: async ({ payload, io }) => {
-    const { documentId, recipientId } = payload;
+    const handler = await import('./send-rejection-emails.handler');
 
-    const [document, recipient] = await Promise.all([
-      prisma.document.findFirstOrThrow({
-        where: {
-          id: documentId,
-        },
-        include: {
-          User: true,
-          documentMeta: true,
-          team: {
-            select: {
-              teamEmail: true,
-              name: true,
-              url: true,
-              teamGlobalSettings: true,
-            },
-          },
-        },
-      }),
-      prisma.recipient.findFirstOrThrow({
-        where: {
-          id: recipientId,
-          signingStatus: SigningStatus.REJECTED,
-        },
-      }),
-    ]);
-
-    const { documentMeta, team, User: documentOwner } = document;
-
-    const isEmailEnabled = extractDerivedDocumentEmailSettings(
-      document.documentMeta,
-    ).recipientSigningRequest;
-
-    if (!isEmailEnabled) {
-      return;
-    }
-
-    const i18n = await getI18nInstance(documentMeta?.language);
-
-    // Send confirmation email to the recipient who rejected
-    await io.runTask('send-rejection-confirmation-email', async () => {
-      const recipientTemplate = createElement(DocumentRejectionConfirmedEmail, {
-        recipientName: recipient.name,
-        documentName: document.title,
-        documentOwnerName: document.User.name || document.User.email,
-        reason: recipient.rejectionReason || '',
-        assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
-      });
-
-      const branding = document.team?.teamGlobalSettings
-        ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
-        : undefined;
-
-      const [html, text] = await Promise.all([
-        renderEmailWithI18N(recipientTemplate, { lang: documentMeta?.language, branding }),
-        renderEmailWithI18N(recipientTemplate, {
-          lang: documentMeta?.language,
-          branding,
-          plainText: true,
-        }),
-      ]);
-
-      await mailer.sendMail({
-        to: {
-          name: recipient.name,
-          address: recipient.email,
-        },
-        from: {
-          name: FROM_NAME,
-          address: FROM_ADDRESS,
-        },
-        subject: i18n._(msg`Document "${document.title}" - Rejection Confirmed`),
-        html,
-        text,
-      });
-    });
-
-    // Send notification email to document owner
-    await io.runTask('send-owner-notification-email', async () => {
-      const ownerTemplate = createElement(DocumentRejectedEmail, {
-        recipientName: recipient.name,
-        documentName: document.title,
-        documentUrl: `${NEXT_PUBLIC_WEBAPP_URL()}${formatDocumentsPath(document.team?.url)}/${
-          document.id
-        }`,
-        rejectionReason: recipient.rejectionReason || '',
-        assetBaseUrl: NEXT_PUBLIC_WEBAPP_URL(),
-      });
-
-      const branding = document.team?.teamGlobalSettings
-        ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
-        : undefined;
-
-      const [html, text] = await Promise.all([
-        renderEmailWithI18N(ownerTemplate, { lang: documentMeta?.language, branding }),
-        renderEmailWithI18N(ownerTemplate, {
-          lang: documentMeta?.language,
-          branding,
-          plainText: true,
-        }),
-      ]);
-
-      await mailer.sendMail({
-        to: {
-          name: documentOwner.name || '',
-          address: documentOwner.email,
-        },
-        from: {
-          name: FROM_NAME,
-          address: FROM_ADDRESS,
-        },
-        subject: i18n._(msg`Document "${document.title}" - Rejected by ${recipient.name}`),
-        html,
-        text,
-      });
-    });
-
-    await io.runTask('update-recipient', async () => {
-      await prisma.recipient.update({
-        where: {
-          id: recipient.id,
-        },
-        data: {
-          sendStatus: SendStatus.SENT,
-        },
-      });
-    });
+    await handler.run({ payload, io });
   },
 } as const satisfies JobDefinition<
   typeof SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION_ID,
-  z.infer<typeof SEND_SIGNING_REJECTION_EMAILS_JOB_DEFINITION_SCHEMA>
+  TSendSigningRejectionEmailsJobDefinition
 >;

packages/lib/jobs/definitions/emails/send-signing-email.handler.ts

@@ -0,0 +1,215 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/macro';
+
+import { mailer } from '@documenso/email/mailer';
+import DocumentInviteEmailTemplate from '@documenso/email/templates/document-invite';
+import { prisma } from '@documenso/prisma';
+import {
+  DocumentSource,
+  DocumentStatus,
+  RecipientRole,
+  SendStatus,
+} from '@documenso/prisma/client';
+
+import { getI18nInstance } from '../../../client-only/providers/i18n.server';
+import { NEXT_PUBLIC_WEBAPP_URL } from '../../../constants/app';
+import { FROM_ADDRESS, FROM_NAME } from '../../../constants/email';
+import {
+  RECIPIENT_ROLES_DESCRIPTION,
+  RECIPIENT_ROLE_TO_EMAIL_TYPE,
+} from '../../../constants/recipient-roles';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../../types/document-audit-logs';
+import { extractDerivedDocumentEmailSettings } from '../../../types/document-email';
+import { createDocumentAuditLogData } from '../../../utils/document-audit-logs';
+import { renderCustomEmailTemplate } from '../../../utils/render-custom-email-template';
+import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../../utils/team-global-settings-to-branding';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSendSigningEmailJobDefinition } from './send-signing-email';
+
+export const run = async ({
+  payload,
+  io,
+}: {
+  payload: TSendSigningEmailJobDefinition;
+  io: JobRunIO;
+}) => {
+  const { userId, documentId, recipientId, requestMetadata } = payload;
+
+  const [user, document, recipient] = await Promise.all([
+    prisma.user.findFirstOrThrow({
+      where: {
+        id: userId,
+      },
+    }),
+    prisma.document.findFirstOrThrow({
+      where: {
+        id: documentId,
+        status: DocumentStatus.PENDING,
+      },
+      include: {
+        documentMeta: true,
+        team: {
+          select: {
+            teamEmail: true,
+            name: true,
+            teamGlobalSettings: true,
+          },
+        },
+      },
+    }),
+    prisma.recipient.findFirstOrThrow({
+      where: {
+        id: recipientId,
+      },
+    }),
+  ]);
+
+  const { documentMeta, team } = document;
+
+  if (recipient.role === RecipientRole.CC) {
+    return;
+  }
+
+  const isRecipientSigningRequestEmailEnabled = extractDerivedDocumentEmailSettings(
+    document.documentMeta,
+  ).recipientSigningRequest;
+
+  if (!isRecipientSigningRequestEmailEnabled) {
+    return;
+  }
+
+  const customEmail = document?.documentMeta;
+  const isDirectTemplate = document.source === DocumentSource.TEMPLATE_DIRECT_LINK;
+  const isTeamDocument = document.teamId !== null;
+
+  const recipientEmailType = RECIPIENT_ROLE_TO_EMAIL_TYPE[recipient.role];
+
+  const { email, name } = recipient;
+  const selfSigner = email === user.email;
+
+  const i18n = await getI18nInstance(documentMeta?.language);
+
+  const recipientActionVerb = i18n
+    ._(RECIPIENT_ROLES_DESCRIPTION[recipient.role].actionVerb)
+    .toLowerCase();
+
+  let emailMessage = customEmail?.message || '';
+  let emailSubject = i18n._(msg`Please ${recipientActionVerb} this document`);
+
+  if (selfSigner) {
+    emailMessage = i18n._(
+      msg`You have initiated the document ${`"${document.title}"`} that requires you to ${recipientActionVerb} it.`,
+    );
+    emailSubject = i18n._(msg`Please ${recipientActionVerb} your document`);
+  }
+
+  if (isDirectTemplate) {
+    emailMessage = i18n._(
+      msg`A document was created by your direct template that requires you to ${recipientActionVerb} it.`,
+    );
+    emailSubject = i18n._(
+      msg`Please ${recipientActionVerb} this document created by your direct template`,
+    );
+  }
+
+  if (isTeamDocument && team) {
+    emailSubject = i18n._(msg`${team.name} invited you to ${recipientActionVerb} a document`);
+    emailMessage = customEmail?.message ?? '';
+
+    if (!emailMessage) {
+      emailMessage = i18n._(
+        team.teamGlobalSettings?.includeSenderDetails
+          ? msg`${user.name} on behalf of "${team.name}" has invited you to ${recipientActionVerb} the document "${document.title}".`
+          : msg`${team.name} has invited you to ${recipientActionVerb} the document "${document.title}".`,
+      );
+    }
+  }
+
+  const customEmailTemplate = {
+    'signer.name': name,
+    'signer.email': email,
+    'document.name': document.title,
+  };
+
+  const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
+  const signDocumentLink = `${NEXT_PUBLIC_WEBAPP_URL()}/sign/${recipient.token}`;
+
+  const template = createElement(DocumentInviteEmailTemplate, {
+    documentName: document.title,
+    inviterName: user.name || undefined,
+    inviterEmail: isTeamDocument ? team?.teamEmail?.email || user.email : user.email,
+    assetBaseUrl,
+    signDocumentLink,
+    customBody: renderCustomEmailTemplate(emailMessage, customEmailTemplate),
+    role: recipient.role,
+    selfSigner,
+    isTeamInvite: isTeamDocument,
+    teamName: team?.name,
+    teamEmail: team?.teamEmail?.email,
+    includeSenderDetails: team?.teamGlobalSettings?.includeSenderDetails,
+  });
+
+  await io.runTask('send-signing-email', async () => {
+    const branding = document.team?.teamGlobalSettings
+      ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
+      : undefined;
+
+    const [html, text] = await Promise.all([
+      renderEmailWithI18N(template, { lang: documentMeta?.language, branding }),
+      renderEmailWithI18N(template, {
+        lang: documentMeta?.language,
+        branding,
+        plainText: true,
+      }),
+    ]);
+
+    await mailer.sendMail({
+      to: {
+        name: recipient.name,
+        address: recipient.email,
+      },
+      from: {
+        name: FROM_NAME,
+        address: FROM_ADDRESS,
+      },
+      subject: renderCustomEmailTemplate(
+        documentMeta?.subject || emailSubject,
+        customEmailTemplate,
+      ),
+      html,
+      text,
+    });
+  });
+
+  await io.runTask('update-recipient', async () => {
+    await prisma.recipient.update({
+      where: {
+        id: recipient.id,
+      },
+      data: {
+        sendStatus: SendStatus.SENT,
+      },
+    });
+  });
+
+  await io.runTask('store-audit-log', async () => {
+    await prisma.documentAuditLog.create({
+      data: createDocumentAuditLogData({
+        type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
+        documentId: document.id,
+        user,
+        requestMetadata,
+        data: {
+          emailType: recipientEmailType,
+          recipientId: recipient.id,
+          recipientName: recipient.name,
+          recipientEmail: recipient.email,
+          recipientRole: recipient.role,
+          isResending: false,
+        },
+      }),
+    });
+  });
+};

packages/lib/jobs/definitions/emails/send-signing-email.ts

@@ -1,32 +1,6 @@
-import { createElement } from 'react';
-
-import { msg } from '@lingui/macro';
 import { z } from 'zod';
 
-import { mailer } from '@documenso/email/mailer';
-import DocumentInviteEmailTemplate from '@documenso/email/templates/document-invite';
-import { prisma } from '@documenso/prisma';
-import {
-  DocumentSource,
-  DocumentStatus,
-  RecipientRole,
-  SendStatus,
-} from '@documenso/prisma/client';
-
-import { getI18nInstance } from '../../../client-only/providers/i18n.server';
-import { NEXT_PUBLIC_WEBAPP_URL } from '../../../constants/app';
-import { FROM_ADDRESS, FROM_NAME } from '../../../constants/email';
-import {
-  RECIPIENT_ROLES_DESCRIPTION,
-  RECIPIENT_ROLE_TO_EMAIL_TYPE,
-} from '../../../constants/recipient-roles';
-import { DOCUMENT_AUDIT_LOG_TYPE } from '../../../types/document-audit-logs';
-import { extractDerivedDocumentEmailSettings } from '../../../types/document-email';
 import { ZRequestMetadataSchema } from '../../../universal/extract-request-metadata';
-import { createDocumentAuditLogData } from '../../../utils/document-audit-logs';
-import { renderCustomEmailTemplate } from '../../../utils/render-custom-email-template';
-import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
-import { teamGlobalSettingsToBranding } from '../../../utils/team-global-settings-to-branding';
 import { type JobDefinition } from '../../client/_internal/job';
 
 const SEND_SIGNING_EMAIL_JOB_DEFINITION_ID = 'send.signing.requested.email';
@@ -38,6 +12,10 @@ const SEND_SIGNING_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
   requestMetadata: ZRequestMetadataSchema.optional(),
 });
 
+export type TSendSigningEmailJobDefinition = z.infer<
+  typeof SEND_SIGNING_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
 export const SEND_SIGNING_EMAIL_JOB_DEFINITION = {
   id: SEND_SIGNING_EMAIL_JOB_DEFINITION_ID,
   name: 'Send Signing Email',
@@ -47,185 +25,11 @@ export const SEND_SIGNING_EMAIL_JOB_DEFINITION = {
     schema: SEND_SIGNING_EMAIL_JOB_DEFINITION_SCHEMA,
   },
   handler: async ({ payload, io }) => {
-    const { userId, documentId, recipientId, requestMetadata } = payload;
+    const handler = await import('./send-signing-email.handler');
 
-    const [user, document, recipient] = await Promise.all([
-      prisma.user.findFirstOrThrow({
-        where: {
-          id: userId,
-        },
-      }),
-      prisma.document.findFirstOrThrow({
-        where: {
-          id: documentId,
-          status: DocumentStatus.PENDING,
-        },
-        include: {
-          documentMeta: true,
-          team: {
-            select: {
-              teamEmail: true,
-              name: true,
-              teamGlobalSettings: true,
-            },
-          },
-        },
-      }),
-      prisma.recipient.findFirstOrThrow({
-        where: {
-          id: recipientId,
-        },
-      }),
-    ]);
-
-    const { documentMeta, team } = document;
-
-    if (recipient.role === RecipientRole.CC) {
-      return;
-    }
-
-    const isRecipientSigningRequestEmailEnabled = extractDerivedDocumentEmailSettings(
-      document.documentMeta,
-    ).recipientSigningRequest;
-
-    if (!isRecipientSigningRequestEmailEnabled) {
-      return;
-    }
-
-    const customEmail = document?.documentMeta;
-    const isDirectTemplate = document.source === DocumentSource.TEMPLATE_DIRECT_LINK;
-    const isTeamDocument = document.teamId !== null;
-
-    const recipientEmailType = RECIPIENT_ROLE_TO_EMAIL_TYPE[recipient.role];
-
-    const { email, name } = recipient;
-    const selfSigner = email === user.email;
-
-    const i18n = await getI18nInstance(documentMeta?.language);
-
-    const recipientActionVerb = i18n
-      ._(RECIPIENT_ROLES_DESCRIPTION[recipient.role].actionVerb)
-      .toLowerCase();
-
-    let emailMessage = customEmail?.message || '';
-    let emailSubject = i18n._(msg`Please ${recipientActionVerb} this document`);
-
-    if (selfSigner) {
-      emailMessage = i18n._(
-        msg`You have initiated the document ${`"${document.title}"`} that requires you to ${recipientActionVerb} it.`,
-      );
-      emailSubject = i18n._(msg`Please ${recipientActionVerb} your document`);
-    }
-
-    if (isDirectTemplate) {
-      emailMessage = i18n._(
-        msg`A document was created by your direct template that requires you to ${recipientActionVerb} it.`,
-      );
-      emailSubject = i18n._(
-        msg`Please ${recipientActionVerb} this document created by your direct template`,
-      );
-    }
-
-    if (isTeamDocument && team) {
-      emailSubject = i18n._(msg`${team.name} invited you to ${recipientActionVerb} a document`);
-      emailMessage = customEmail?.message ?? '';
-
-      if (!emailMessage) {
-        emailMessage = i18n._(
-          team.teamGlobalSettings?.includeSenderDetails
-            ? msg`${user.name} on behalf of "${team.name}" has invited you to ${recipientActionVerb} the document "${document.title}".`
-            : msg`${team.name} has invited you to ${recipientActionVerb} the document "${document.title}".`,
-        );
-      }
-    }
-
-    const customEmailTemplate = {
-      'signer.name': name,
-      'signer.email': email,
-      'document.name': document.title,
-    };
-
-    const assetBaseUrl = NEXT_PUBLIC_WEBAPP_URL() || 'http://localhost:3000';
-    const signDocumentLink = `${NEXT_PUBLIC_WEBAPP_URL()}/sign/${recipient.token}`;
-
-    const template = createElement(DocumentInviteEmailTemplate, {
-      documentName: document.title,
-      inviterName: user.name || undefined,
-      inviterEmail: isTeamDocument ? team?.teamEmail?.email || user.email : user.email,
-      assetBaseUrl,
-      signDocumentLink,
-      customBody: renderCustomEmailTemplate(emailMessage, customEmailTemplate),
-      role: recipient.role,
-      selfSigner,
-      isTeamInvite: isTeamDocument,
-      teamName: team?.name,
-      teamEmail: team?.teamEmail?.email,
-      includeSenderDetails: team?.teamGlobalSettings?.includeSenderDetails,
-    });
-
-    await io.runTask('send-signing-email', async () => {
-      const branding = document.team?.teamGlobalSettings
-        ? teamGlobalSettingsToBranding(document.team.teamGlobalSettings)
-        : undefined;
-
-      const [html, text] = await Promise.all([
-        renderEmailWithI18N(template, { lang: documentMeta?.language, branding }),
-        renderEmailWithI18N(template, {
-          lang: documentMeta?.language,
-          branding,
-          plainText: true,
-        }),
-      ]);
-
-      await mailer.sendMail({
-        to: {
-          name: recipient.name,
-          address: recipient.email,
-        },
-        from: {
-          name: FROM_NAME,
-          address: FROM_ADDRESS,
-        },
-        subject: renderCustomEmailTemplate(
-          documentMeta?.subject || emailSubject,
-          customEmailTemplate,
-        ),
-        html,
-        text,
-      });
-    });
-
-    await io.runTask('update-recipient', async () => {
-      await prisma.recipient.update({
-        where: {
-          id: recipient.id,
-        },
-        data: {
-          sendStatus: SendStatus.SENT,
-        },
-      });
-    });
-
-    await io.runTask('store-audit-log', async () => {
-      await prisma.documentAuditLog.create({
-        data: createDocumentAuditLogData({
-          type: DOCUMENT_AUDIT_LOG_TYPE.EMAIL_SENT,
-          documentId: document.id,
-          user,
-          requestMetadata,
-          data: {
-            emailType: recipientEmailType,
-            recipientId: recipient.id,
-            recipientName: recipient.name,
-            recipientEmail: recipient.email,
-            recipientRole: recipient.role,
-            isResending: false,
-          },
-        }),
-      });
-    });
+    await handler.run({ payload, io });
   },
 } as const satisfies JobDefinition<
   typeof SEND_SIGNING_EMAIL_JOB_DEFINITION_ID,
-  z.infer<typeof SEND_SIGNING_EMAIL_JOB_DEFINITION_SCHEMA>
+  TSendSigningEmailJobDefinition
 >;

packages/lib/jobs/definitions/emails/send-team-deleted-email.handler.ts

@@ -0,0 +1,23 @@
+import { sendTeamDeleteEmail } from '../../../server-only/team/delete-team';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSendTeamDeletedEmailJobDefinition } from './send-team-deleted-email';
+
+export const run = async ({
+  payload,
+  io,
+}: {
+  payload: TSendTeamDeletedEmailJobDefinition;
+  io: JobRunIO;
+}) => {
+  const { team, members } = payload;
+
+  for (const member of members) {
+    await io.runTask(`send-team-deleted-email--${team.url}_${member.id}`, async () => {
+      await sendTeamDeleteEmail({
+        email: member.email,
+        team,
+        isOwner: member.id === team.ownerUserId,
+      });
+    });
+  }
+};

packages/lib/jobs/definitions/emails/send-team-deleted-email.ts

@@ -2,7 +2,6 @@ import { z } from 'zod';
 
 import { DocumentVisibility } from '@documenso/prisma/client';
 
-import { sendTeamDeleteEmail } from '../../../server-only/team/delete-team';
 import type { JobDefinition } from '../../client/_internal/job';
 
 const SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION_ID = 'send.team-deleted.email';
@@ -37,6 +36,10 @@ const SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
   ),
 });
 
+export type TSendTeamDeletedEmailJobDefinition = z.infer<
+  typeof SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
 export const SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION = {
   id: SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION_ID,
   name: 'Send Team Deleted Email',
@@ -46,19 +49,11 @@ export const SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION = {
     schema: SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION_SCHEMA,
   },
   handler: async ({ payload, io }) => {
-    const { team, members } = payload;
+    const handler = await import('./send-team-deleted-email.handler');
 
-    for (const member of members) {
-      await io.runTask(`send-team-deleted-email--${team.url}_${member.id}`, async () => {
-        await sendTeamDeleteEmail({
-          email: member.email,
-          team,
-          isOwner: member.id === team.ownerUserId,
-        });
-      });
-    }
+    await handler.run({ payload, io });
   },
 } as const satisfies JobDefinition<
   typeof SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION_ID,
-  z.infer<typeof SEND_TEAM_DELETED_EMAIL_JOB_DEFINITION_SCHEMA>
+  TSendTeamDeletedEmailJobDefinition
 >;

packages/lib/jobs/definitions/emails/send-team-member-joined-email.handler.ts

@@ -0,0 +1,105 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/macro';
+
+import { mailer } from '@documenso/email/mailer';
+import TeamJoinEmailTemplate from '@documenso/email/templates/team-join';
+import { prisma } from '@documenso/prisma';
+import { TeamMemberRole } from '@documenso/prisma/client';
+
+import { getI18nInstance } from '../../../client-only/providers/i18n.server';
+import { WEBAPP_BASE_URL } from '../../../constants/app';
+import { FROM_ADDRESS, FROM_NAME } from '../../../constants/email';
+import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../../utils/team-global-settings-to-branding';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSendTeamMemberJoinedEmailJobDefinition } from './send-team-member-joined-email';
+
+export const run = async ({
+  payload,
+  io,
+}: {
+  payload: TSendTeamMemberJoinedEmailJobDefinition;
+  io: JobRunIO;
+}) => {
+  const team = await prisma.team.findFirstOrThrow({
+    where: {
+      id: payload.teamId,
+    },
+    include: {
+      members: {
+        where: {
+          role: {
+            in: [TeamMemberRole.ADMIN, TeamMemberRole.MANAGER],
+          },
+        },
+        include: {
+          user: true,
+        },
+      },
+      teamGlobalSettings: true,
+    },
+  });
+
+  const invitedMember = await prisma.teamMember.findFirstOrThrow({
+    where: {
+      id: payload.memberId,
+      teamId: payload.teamId,
+    },
+    include: {
+      user: true,
+    },
+  });
+
+  for (const member of team.members) {
+    if (member.id === invitedMember.id) {
+      continue;
+    }
+
+    await io.runTask(
+      `send-team-member-joined-email--${invitedMember.id}_${member.id}`,
+      async () => {
+        const emailContent = createElement(TeamJoinEmailTemplate, {
+          assetBaseUrl: WEBAPP_BASE_URL,
+          baseUrl: WEBAPP_BASE_URL,
+          memberName: invitedMember.user.name || '',
+          memberEmail: invitedMember.user.email,
+          teamName: team.name,
+          teamUrl: team.url,
+        });
+
+        const branding = team.teamGlobalSettings
+          ? teamGlobalSettingsToBranding(team.teamGlobalSettings)
+          : undefined;
+
+        const lang = team.teamGlobalSettings?.documentLanguage;
+
+        // !: Replace with the actual language of the recipient later
+        const [html, text] = await Promise.all([
+          renderEmailWithI18N(emailContent, {
+            lang,
+            branding,
+          }),
+          renderEmailWithI18N(emailContent, {
+            lang,
+            branding,
+            plainText: true,
+          }),
+        ]);
+
+        const i18n = await getI18nInstance(lang);
+
+        await mailer.sendMail({
+          to: member.user.email,
+          from: {
+            name: FROM_NAME,
+            address: FROM_ADDRESS,
+          },
+          subject: i18n._(msg`A new member has joined your team`),
+          html,
+          text,
+        });
+      },
+    );
+  }
+};

packages/lib/jobs/definitions/emails/send-team-member-joined-email.ts

@@ -1,18 +1,5 @@
-import { createElement } from 'react';
-
-import { msg } from '@lingui/macro';
 import { z } from 'zod';
 
-import { mailer } from '@documenso/email/mailer';
-import TeamJoinEmailTemplate from '@documenso/email/templates/team-join';
-import { prisma } from '@documenso/prisma';
-import { TeamMemberRole } from '@documenso/prisma/client';
-
-import { getI18nInstance } from '../../../client-only/providers/i18n.server';
-import { WEBAPP_BASE_URL } from '../../../constants/app';
-import { FROM_ADDRESS, FROM_NAME } from '../../../constants/email';
-import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
-import { teamGlobalSettingsToBranding } from '../../../utils/team-global-settings-to-branding';
 import type { JobDefinition } from '../../client/_internal/job';
 
 const SEND_TEAM_MEMBER_JOINED_EMAIL_JOB_DEFINITION_ID = 'send.team-member-joined.email';
@@ -22,6 +9,10 @@ const SEND_TEAM_MEMBER_JOINED_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
   memberId: z.number(),
 });
 
+export type TSendTeamMemberJoinedEmailJobDefinition = z.infer<
+  typeof SEND_TEAM_MEMBER_JOINED_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
 export const SEND_TEAM_MEMBER_JOINED_EMAIL_JOB_DEFINITION = {
   id: SEND_TEAM_MEMBER_JOINED_EMAIL_JOB_DEFINITION_ID,
   name: 'Send Team Member Joined Email',
@@ -31,88 +22,11 @@ export const SEND_TEAM_MEMBER_JOINED_EMAIL_JOB_DEFINITION = {
     schema: SEND_TEAM_MEMBER_JOINED_EMAIL_JOB_DEFINITION_SCHEMA,
   },
   handler: async ({ payload, io }) => {
-    const team = await prisma.team.findFirstOrThrow({
-      where: {
-        id: payload.teamId,
-      },
-      include: {
-        members: {
-          where: {
-            role: {
-              in: [TeamMemberRole.ADMIN, TeamMemberRole.MANAGER],
-            },
-          },
-          include: {
-            user: true,
-          },
-        },
-        teamGlobalSettings: true,
-      },
-    });
+    const handler = await import('./send-team-member-joined-email.handler');
 
-    const invitedMember = await prisma.teamMember.findFirstOrThrow({
-      where: {
-        id: payload.memberId,
-        teamId: payload.teamId,
-      },
-      include: {
-        user: true,
-      },
-    });
-
-    for (const member of team.members) {
-      if (member.id === invitedMember.id) {
-        continue;
-      }
-
-      await io.runTask(
-        `send-team-member-joined-email--${invitedMember.id}_${member.id}`,
-        async () => {
-          const emailContent = createElement(TeamJoinEmailTemplate, {
-            assetBaseUrl: WEBAPP_BASE_URL,
-            baseUrl: WEBAPP_BASE_URL,
-            memberName: invitedMember.user.name || '',
-            memberEmail: invitedMember.user.email,
-            teamName: team.name,
-            teamUrl: team.url,
-          });
-
-          const branding = team.teamGlobalSettings
-            ? teamGlobalSettingsToBranding(team.teamGlobalSettings)
-            : undefined;
-
-          const lang = team.teamGlobalSettings?.documentLanguage;
-
-          // !: Replace with the actual language of the recipient later
-          const [html, text] = await Promise.all([
-            renderEmailWithI18N(emailContent, {
-              lang,
-              branding,
-            }),
-            renderEmailWithI18N(emailContent, {
-              lang,
-              branding,
-              plainText: true,
-            }),
-          ]);
-
-          const i18n = await getI18nInstance(lang);
-
-          await mailer.sendMail({
-            to: member.user.email,
-            from: {
-              name: FROM_NAME,
-              address: FROM_ADDRESS,
-            },
-            subject: i18n._(msg`A new member has joined your team`),
-            html,
-            text,
-          });
-        },
-      );
-    }
+    await handler.run({ payload, io });
   },
 } as const satisfies JobDefinition<
   typeof SEND_TEAM_MEMBER_JOINED_EMAIL_JOB_DEFINITION_ID,
-  z.infer<typeof SEND_TEAM_MEMBER_JOINED_EMAIL_JOB_DEFINITION_SCHEMA>
+  TSendTeamMemberJoinedEmailJobDefinition
 >;

packages/lib/jobs/definitions/emails/send-team-member-left-email.handler.ts

@@ -0,0 +1,93 @@
+import { createElement } from 'react';
+
+import { msg } from '@lingui/macro';
+
+import { mailer } from '@documenso/email/mailer';
+import TeamJoinEmailTemplate from '@documenso/email/templates/team-join';
+import { prisma } from '@documenso/prisma';
+import { TeamMemberRole } from '@documenso/prisma/client';
+
+import { getI18nInstance } from '../../../client-only/providers/i18n.server';
+import { WEBAPP_BASE_URL } from '../../../constants/app';
+import { FROM_ADDRESS, FROM_NAME } from '../../../constants/email';
+import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
+import { teamGlobalSettingsToBranding } from '../../../utils/team-global-settings-to-branding';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSendTeamMemberLeftEmailJobDefinition } from './send-team-member-left-email';
+
+export const run = async ({
+  payload,
+  io,
+}: {
+  payload: TSendTeamMemberLeftEmailJobDefinition;
+  io: JobRunIO;
+}) => {
+  const team = await prisma.team.findFirstOrThrow({
+    where: {
+      id: payload.teamId,
+    },
+    include: {
+      members: {
+        where: {
+          role: {
+            in: [TeamMemberRole.ADMIN, TeamMemberRole.MANAGER],
+          },
+        },
+        include: {
+          user: true,
+        },
+      },
+      teamGlobalSettings: true,
+    },
+  });
+
+  const oldMember = await prisma.user.findFirstOrThrow({
+    where: {
+      id: payload.memberUserId,
+    },
+  });
+
+  for (const member of team.members) {
+    await io.runTask(`send-team-member-left-email--${oldMember.id}_${member.id}`, async () => {
+      const emailContent = createElement(TeamJoinEmailTemplate, {
+        assetBaseUrl: WEBAPP_BASE_URL,
+        baseUrl: WEBAPP_BASE_URL,
+        memberName: oldMember.name || '',
+        memberEmail: oldMember.email,
+        teamName: team.name,
+        teamUrl: team.url,
+      });
+
+      const branding = team.teamGlobalSettings
+        ? teamGlobalSettingsToBranding(team.teamGlobalSettings)
+        : undefined;
+
+      const lang = team.teamGlobalSettings?.documentLanguage;
+
+      const [html, text] = await Promise.all([
+        renderEmailWithI18N(emailContent, {
+          lang,
+          branding,
+        }),
+        renderEmailWithI18N(emailContent, {
+          lang,
+          branding,
+          plainText: true,
+        }),
+      ]);
+
+      const i18n = await getI18nInstance(lang);
+
+      await mailer.sendMail({
+        to: member.user.email,
+        from: {
+          name: FROM_NAME,
+          address: FROM_ADDRESS,
+        },
+        subject: i18n._(msg`A team member has left ${team.name}`),
+        html,
+        text,
+      });
+    });
+  }
+};

packages/lib/jobs/definitions/emails/send-team-member-left-email.ts

@@ -1,18 +1,5 @@
-import { createElement } from 'react';
-
-import { msg } from '@lingui/macro';
 import { z } from 'zod';
 
-import { mailer } from '@documenso/email/mailer';
-import TeamJoinEmailTemplate from '@documenso/email/templates/team-join';
-import { prisma } from '@documenso/prisma';
-import { TeamMemberRole } from '@documenso/prisma/client';
-
-import { getI18nInstance } from '../../../client-only/providers/i18n.server';
-import { WEBAPP_BASE_URL } from '../../../constants/app';
-import { FROM_ADDRESS, FROM_NAME } from '../../../constants/email';
-import { renderEmailWithI18N } from '../../../utils/render-email-with-i18n';
-import { teamGlobalSettingsToBranding } from '../../../utils/team-global-settings-to-branding';
 import type { JobDefinition } from '../../client/_internal/job';
 
 const SEND_TEAM_MEMBER_LEFT_EMAIL_JOB_DEFINITION_ID = 'send.team-member-left.email';
@@ -22,6 +9,10 @@ const SEND_TEAM_MEMBER_LEFT_EMAIL_JOB_DEFINITION_SCHEMA = z.object({
   memberUserId: z.number(),
 });
 
+export type TSendTeamMemberLeftEmailJobDefinition = z.infer<
+  typeof SEND_TEAM_MEMBER_LEFT_EMAIL_JOB_DEFINITION_SCHEMA
+>;
+
 export const SEND_TEAM_MEMBER_LEFT_EMAIL_JOB_DEFINITION = {
   id: SEND_TEAM_MEMBER_LEFT_EMAIL_JOB_DEFINITION_ID,
   name: 'Send Team Member Left Email',
@@ -31,76 +22,11 @@ export const SEND_TEAM_MEMBER_LEFT_EMAIL_JOB_DEFINITION = {
     schema: SEND_TEAM_MEMBER_LEFT_EMAIL_JOB_DEFINITION_SCHEMA,
   },
   handler: async ({ payload, io }) => {
-    const team = await prisma.team.findFirstOrThrow({
-      where: {
-        id: payload.teamId,
-      },
-      include: {
-        members: {
-          where: {
-            role: {
-              in: [TeamMemberRole.ADMIN, TeamMemberRole.MANAGER],
-            },
-          },
-          include: {
-            user: true,
-          },
-        },
-        teamGlobalSettings: true,
-      },
-    });
+    const handler = await import('./send-team-member-left-email.handler');
 
-    const oldMember = await prisma.user.findFirstOrThrow({
-      where: {
-        id: payload.memberUserId,
-      },
-    });
-
-    for (const member of team.members) {
-      await io.runTask(`send-team-member-left-email--${oldMember.id}_${member.id}`, async () => {
-        const emailContent = createElement(TeamJoinEmailTemplate, {
-          assetBaseUrl: WEBAPP_BASE_URL,
-          baseUrl: WEBAPP_BASE_URL,
-          memberName: oldMember.name || '',
-          memberEmail: oldMember.email,
-          teamName: team.name,
-          teamUrl: team.url,
-        });
-
-        const branding = team.teamGlobalSettings
-          ? teamGlobalSettingsToBranding(team.teamGlobalSettings)
-          : undefined;
-
-        const lang = team.teamGlobalSettings?.documentLanguage;
-
-        const [html, text] = await Promise.all([
-          renderEmailWithI18N(emailContent, {
-            lang,
-            branding,
-          }),
-          renderEmailWithI18N(emailContent, {
-            lang,
-            branding,
-            plainText: true,
-          }),
-        ]);
-
-        const i18n = await getI18nInstance(lang);
-
-        await mailer.sendMail({
-          to: member.user.email,
-          from: {
-            name: FROM_NAME,
-            address: FROM_ADDRESS,
-          },
-          subject: i18n._(msg`A team member has left ${team.name}`),
-          html,
-          text,
-        });
-      });
-    }
+    await handler.run({ payload, io });
   },
 } as const satisfies JobDefinition<
   typeof SEND_TEAM_MEMBER_LEFT_EMAIL_JOB_DEFINITION_ID,
-  z.infer<typeof SEND_TEAM_MEMBER_LEFT_EMAIL_JOB_DEFINITION_SCHEMA>
+  TSendTeamMemberLeftEmailJobDefinition
 >;

packages/lib/jobs/definitions/internal/seal-document.handler.ts

@@ -0,0 +1,253 @@
+import { nanoid } from 'nanoid';
+import path from 'node:path';
+import { PDFDocument } from 'pdf-lib';
+
+import { prisma } from '@documenso/prisma';
+import {
+  DocumentStatus,
+  RecipientRole,
+  SigningStatus,
+  WebhookTriggerEvents,
+} from '@documenso/prisma/client';
+import { signPdf } from '@documenso/signing';
+
+import { sendCompletedEmail } from '../../../server-only/document/send-completed-email';
+import PostHogServerClient from '../../../server-only/feature-flags/get-post-hog-server-client';
+import { getCertificatePdf } from '../../../server-only/htmltopdf/get-certificate-pdf';
+import { flattenAnnotations } from '../../../server-only/pdf/flatten-annotations';
+import { flattenForm } from '../../../server-only/pdf/flatten-form';
+import { insertFieldInPDF } from '../../../server-only/pdf/insert-field-in-pdf';
+import { normalizeSignatureAppearances } from '../../../server-only/pdf/normalize-signature-appearances';
+import { triggerWebhook } from '../../../server-only/webhooks/trigger/trigger-webhook';
+import { DOCUMENT_AUDIT_LOG_TYPE } from '../../../types/document-audit-logs';
+import { ZWebhookDocumentSchema } from '../../../types/webhook-payload';
+import { getFile } from '../../../universal/upload/get-file';
+import { putPdfFile } from '../../../universal/upload/put-file';
+import { createDocumentAuditLogData } from '../../../utils/document-audit-logs';
+import type { JobRunIO } from '../../client/_internal/job';
+import type { TSealDocumentJobDefinition } from './seal-document';
+
+export const run = async ({
+  payload,
+  io,
+}: {
+  payload: TSealDocumentJobDefinition;
+  io: JobRunIO;
+}) => {
+  const { documentId, sendEmail = true, isResealing = false, requestMetadata } = payload;
+
+  const document = await prisma.document.findFirstOrThrow({
+    where: {
+      id: documentId,
+      Recipient: {
+        every: {
+          signingStatus: SigningStatus.SIGNED,
+        },
+      },
+    },
+    include: {
+      documentMeta: true,
+      Recipient: true,
+      team: {
+        select: {
+          teamGlobalSettings: {
+            select: {
+              includeSigningCertificate: true,
+            },
+          },
+        },
+      },
+    },
+  });
+
+  // Seems silly but we need to do this in case the job is re-ran
+  // after it has already run through the update task further below.
+  // eslint-disable-next-line @typescript-eslint/require-await
+  const documentStatus = await io.runTask('get-document-status', async () => {
+    return document.status;
+  });
+
+  // This is the same case as above.
+  // eslint-disable-next-line @typescript-eslint/require-await
+  const documentDataId = await io.runTask('get-document-data-id', async () => {
+    return document.documentDataId;
+  });
+
+  const documentData = await prisma.documentData.findFirst({
+    where: {
+      id: documentDataId,
+    },
+  });
+
+  if (!documentData) {
+    throw new Error(`Document ${document.id} has no document data`);
+  }
+
+  const recipients = await prisma.recipient.findMany({
+    where: {
+      documentId: document.id,
+      role: {
+        not: RecipientRole.CC,
+      },
+    },
+  });
+
+  if (recipients.some((recipient) => recipient.signingStatus !== SigningStatus.SIGNED)) {
+    throw new Error(`Document ${document.id} has unsigned recipients`);
+  }
+
+  const fields = await prisma.field.findMany({
+    where: {
+      documentId: document.id,
+    },
+    include: {
+      Signature: true,
+    },
+  });
+
+  if (fields.some((field) => !field.inserted)) {
+    throw new Error(`Document ${document.id} has unsigned fields`);
+  }
+
+  if (isResealing) {
+    // If we're resealing we want to use the initial data for the document
+    // so we aren't placing fields on top of eachother.
+    documentData.data = documentData.initialData;
+  }
+
+  const pdfData = await getFile(documentData);
+
+  const certificateData =
+    (document.team?.teamGlobalSettings?.includeSigningCertificate ?? true)
+      ? await getCertificatePdf({
+          documentId,
+          language: document.documentMeta?.language,
+        }).catch(() => null)
+      : null;
+
+  const newDataId = await io.runTask('decorate-and-sign-pdf', async () => {
+    const pdfDoc = await PDFDocument.load(pdfData);
+
+    // Normalize and flatten layers that could cause issues with the signature
+    normalizeSignatureAppearances(pdfDoc);
+    flattenForm(pdfDoc);
+    flattenAnnotations(pdfDoc);
+
+    if (certificateData) {
+      const certificateDoc = await PDFDocument.load(certificateData);
+
+      const certificatePages = await pdfDoc.copyPages(
+        certificateDoc,
+        certificateDoc.getPageIndices(),
+      );
+
+      certificatePages.forEach((page) => {
+        pdfDoc.addPage(page);
+      });
+    }
+
+    for (const field of fields) {
+      await insertFieldInPDF(pdfDoc, field);
+    }
+
+    // Re-flatten the form to handle our checkbox and radio fields that
+    // create native arcoFields
+    flattenForm(pdfDoc);
+
+    const pdfBytes = await pdfDoc.save();
+    const pdfBuffer = await signPdf({ pdf: Buffer.from(pdfBytes) });
+
+    const { name } = path.parse(document.title);
+
+    const documentData = await putPdfFile({
+      name: `${name}_signed.pdf`,
+      type: 'application/pdf',
+      arrayBuffer: async () => Promise.resolve(pdfBuffer),
+    });
+
+    return documentData.id;
+  });
+
+  const postHog = PostHogServerClient();
+
+  if (postHog) {
+    postHog.capture({
+      distinctId: nanoid(),
+      event: 'App: Document Sealed',
+      properties: {
+        documentId: document.id,
+      },
+    });
+  }
+
+  await io.runTask('update-document', async () => {
+    await prisma.$transaction(async (tx) => {
+      const newData = await tx.documentData.findFirstOrThrow({
+        where: {
+          id: newDataId,
+        },
+      });
+
+      await tx.document.update({
+        where: {
+          id: document.id,
+        },
+        data: {
+          status: DocumentStatus.COMPLETED,
+          completedAt: new Date(),
+        },
+      });
+
+      await tx.documentData.update({
+        where: {
+          id: documentData.id,
+        },
+        data: {
+          data: newData.data,
+        },
+      });
+
+      await tx.documentAuditLog.create({
+        data: createDocumentAuditLogData({
+          type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_COMPLETED,
+          documentId: document.id,
+          requestMetadata,
+          user: null,
+          data: {
+            transactionId: nanoid(),
+          },
+        }),
+      });
+    });
+  });
+
+  await io.runTask('send-completed-email', async () => {
+    let shouldSendCompletedEmail = sendEmail && !isResealing;
+
+    if (isResealing && documentStatus !== DocumentStatus.COMPLETED) {
+      shouldSendCompletedEmail = sendEmail;
+    }
+
+    if (shouldSendCompletedEmail) {
+      await sendCompletedEmail({ documentId, requestMetadata });
+    }
+  });
+
+  const updatedDocument = await prisma.document.findFirstOrThrow({
+    where: {
+      id: document.id,
+    },
+    include: {
+      documentData: true,
+      documentMeta: true,
+      Recipient: true,
+    },
+  });
+
+  await triggerWebhook({
+    event: WebhookTriggerEvents.DOCUMENT_COMPLETED,
+    data: ZWebhookDocumentSchema.parse(updatedDocument),
+    userId: updatedDocument.userId,
+    teamId: updatedDocument.teamId ?? undefined,
+  });
+};

packages/lib/jobs/definitions/internal/seal-document.ts

@@ -1,31 +1,6 @@
-import { nanoid } from 'nanoid';
-import path from 'node:path';
-import { PDFDocument } from 'pdf-lib';
 import { z } from 'zod';
 
-import { prisma } from '@documenso/prisma';
-import {
-  DocumentStatus,
-  RecipientRole,
-  SigningStatus,
-  WebhookTriggerEvents,
-} from '@documenso/prisma/client';
-import { signPdf } from '@documenso/signing';
-
-import { sendCompletedEmail } from '../../../server-only/document/send-completed-email';
-import PostHogServerClient from '../../../server-only/feature-flags/get-post-hog-server-client';
-import { getCertificatePdf } from '../../../server-only/htmltopdf/get-certificate-pdf';
-import { flattenAnnotations } from '../../../server-only/pdf/flatten-annotations';
-import { flattenForm } from '../../../server-only/pdf/flatten-form';
-import { insertFieldInPDF } from '../../../server-only/pdf/insert-field-in-pdf';
-import { normalizeSignatureAppearances } from '../../../server-only/pdf/normalize-signature-appearances';
-import { triggerWebhook } from '../../../server-only/webhooks/trigger/trigger-webhook';
-import { DOCUMENT_AUDIT_LOG_TYPE } from '../../../types/document-audit-logs';
-import { ZWebhookDocumentSchema } from '../../../types/webhook-payload';
 import { ZRequestMetadataSchema } from '../../../universal/extract-request-metadata';
-import { getFile } from '../../../universal/upload/get-file';
-import { putPdfFile } from '../../../universal/upload/put-file';
-import { createDocumentAuditLogData } from '../../../utils/document-audit-logs';
 import { type JobDefinition } from '../../client/_internal/job';
 
 const SEAL_DOCUMENT_JOB_DEFINITION_ID = 'internal.seal-document';
@@ -37,6 +12,8 @@ const SEAL_DOCUMENT_JOB_DEFINITION_SCHEMA = z.object({
   requestMetadata: ZRequestMetadataSchema.optional(),
 });
 
+export type TSealDocumentJobDefinition = z.infer<typeof SEAL_DOCUMENT_JOB_DEFINITION_SCHEMA>;
+
 export const SEAL_DOCUMENT_JOB_DEFINITION = {
   id: SEAL_DOCUMENT_JOB_DEFINITION_ID,
   name: 'Seal Document',
@@ -46,223 +23,11 @@ export const SEAL_DOCUMENT_JOB_DEFINITION = {
     schema: SEAL_DOCUMENT_JOB_DEFINITION_SCHEMA,
   },
   handler: async ({ payload, io }) => {
-    const { documentId, sendEmail = true, isResealing = false, requestMetadata } = payload;
+    const handler = await import('./seal-document.handler');
 
-    const document = await prisma.document.findFirstOrThrow({
-      where: {
-        id: documentId,
-        Recipient: {
-          every: {
-            signingStatus: SigningStatus.SIGNED,
-          },
-        },
-      },
-      include: {
-        documentMeta: true,
-        Recipient: true,
-        team: {
-          select: {
-            teamGlobalSettings: {
-              select: {
-                includeSigningCertificate: true,
-              },
-            },
-          },
-        },
-      },
-    });
-
-    // Seems silly but we need to do this in case the job is re-ran
-    // after it has already run through the update task further below.
-    // eslint-disable-next-line @typescript-eslint/require-await
-    const documentStatus = await io.runTask('get-document-status', async () => {
-      return document.status;
-    });
-
-    // This is the same case as above.
-    // eslint-disable-next-line @typescript-eslint/require-await
-    const documentDataId = await io.runTask('get-document-data-id', async () => {
-      return document.documentDataId;
-    });
-
-    const documentData = await prisma.documentData.findFirst({
-      where: {
-        id: documentDataId,
-      },
-    });
-
-    if (!documentData) {
-      throw new Error(`Document ${document.id} has no document data`);
-    }
-
-    const recipients = await prisma.recipient.findMany({
-      where: {
-        documentId: document.id,
-        role: {
-          not: RecipientRole.CC,
-        },
-      },
-    });
-
-    if (recipients.some((recipient) => recipient.signingStatus !== SigningStatus.SIGNED)) {
-      throw new Error(`Document ${document.id} has unsigned recipients`);
-    }
-
-    const fields = await prisma.field.findMany({
-      where: {
-        documentId: document.id,
-      },
-      include: {
-        Signature: true,
-      },
-    });
-
-    if (fields.some((field) => !field.inserted)) {
-      throw new Error(`Document ${document.id} has unsigned fields`);
-    }
-
-    if (isResealing) {
-      // If we're resealing we want to use the initial data for the document
-      // so we aren't placing fields on top of eachother.
-      documentData.data = documentData.initialData;
-    }
-
-    const pdfData = await getFile(documentData);
-    const certificateData =
-      (document.team?.teamGlobalSettings?.includeSigningCertificate ?? true)
-        ? await getCertificatePdf({
-            documentId,
-            language: document.documentMeta?.language,
-          }).catch(() => null)
-        : null;
-
-    const newDataId = await io.runTask('decorate-and-sign-pdf', async () => {
-      const pdfDoc = await PDFDocument.load(pdfData);
-
-      // Normalize and flatten layers that could cause issues with the signature
-      normalizeSignatureAppearances(pdfDoc);
-      flattenForm(pdfDoc);
-      flattenAnnotations(pdfDoc);
-
-      if (certificateData) {
-        const certificateDoc = await PDFDocument.load(certificateData);
-
-        const certificatePages = await pdfDoc.copyPages(
-          certificateDoc,
-          certificateDoc.getPageIndices(),
-        );
-
-        certificatePages.forEach((page) => {
-          pdfDoc.addPage(page);
-        });
-      }
-
-      for (const field of fields) {
-        await insertFieldInPDF(pdfDoc, field);
-      }
-
-      // Re-flatten the form to handle our checkbox and radio fields that
-      // create native arcoFields
-      flattenForm(pdfDoc);
-
-      const pdfBytes = await pdfDoc.save();
-      const pdfBuffer = await signPdf({ pdf: Buffer.from(pdfBytes) });
-
-      const { name } = path.parse(document.title);
-
-      const documentData = await putPdfFile({
-        name: `${name}_signed.pdf`,
-        type: 'application/pdf',
-        arrayBuffer: async () => Promise.resolve(pdfBuffer),
-      });
-
-      return documentData.id;
-    });
-
-    const postHog = PostHogServerClient();
-
-    if (postHog) {
-      postHog.capture({
-        distinctId: nanoid(),
-        event: 'App: Document Sealed',
-        properties: {
-          documentId: document.id,
-        },
-      });
-    }
-
-    await io.runTask('update-document', async () => {
-      await prisma.$transaction(async (tx) => {
-        const newData = await tx.documentData.findFirstOrThrow({
-          where: {
-            id: newDataId,
-          },
-        });
-
-        await tx.document.update({
-          where: {
-            id: document.id,
-          },
-          data: {
-            status: DocumentStatus.COMPLETED,
-            completedAt: new Date(),
-          },
-        });
-
-        await tx.documentData.update({
-          where: {
-            id: documentData.id,
-          },
-          data: {
-            data: newData.data,
-          },
-        });
-
-        await tx.documentAuditLog.create({
-          data: createDocumentAuditLogData({
-            type: DOCUMENT_AUDIT_LOG_TYPE.DOCUMENT_COMPLETED,
-            documentId: document.id,
-            requestMetadata,
-            user: null,
-            data: {
-              transactionId: nanoid(),
-            },
-          }),
-        });
-      });
-    });
-
-    await io.runTask('send-completed-email', async () => {
-      let shouldSendCompletedEmail = sendEmail && !isResealing;
-
-      if (isResealing && documentStatus !== DocumentStatus.COMPLETED) {
-        shouldSendCompletedEmail = sendEmail;
-      }
-
-      if (shouldSendCompletedEmail) {
-        await sendCompletedEmail({ documentId, requestMetadata });
-      }
-    });
-
-    const updatedDocument = await prisma.document.findFirstOrThrow({
-      where: {
-        id: document.id,
-      },
-      include: {
-        documentData: true,
-        documentMeta: true,
-        Recipient: true,
-      },
-    });
-
-    await triggerWebhook({
-      event: WebhookTriggerEvents.DOCUMENT_COMPLETED,
-      data: ZWebhookDocumentSchema.parse(updatedDocument),
-      userId: updatedDocument.userId,
-      teamId: updatedDocument.teamId ?? undefined,
-    });
+    await handler.run({ payload, io });
   },
 } as const satisfies JobDefinition<
   typeof SEAL_DOCUMENT_JOB_DEFINITION_ID,
-  z.infer<typeof SEAL_DOCUMENT_JOB_DEFINITION_SCHEMA>
+  TSealDocumentJobDefinition
 >;

packages/lib/next-auth/auth-options.ts

@@ -121,6 +121,10 @@ export const NEXT_AUTH_OPTIONS: AuthOptions = {
           throw new Error(ErrorCode.UNVERIFIED_EMAIL);
         }
 
+        if (user.disabled) {
+          throw new Error(ErrorCode.ACCOUNT_DISABLED);
+        }
+
         return {
           id: Number(user.id),
           email: user.email,

packages/lib/next-auth/error-codes.ts

@@ -20,4 +20,5 @@ export const ErrorCode = {
   MISSING_ENCRYPTION_KEY: 'MISSING_ENCRYPTION_KEY',
   MISSING_BACKUP_CODE: 'MISSING_BACKUP_CODE',
   UNVERIFIED_EMAIL: 'UNVERIFIED_EMAIL',
+  ACCOUNT_DISABLED: 'ACCOUNT_DISABLED',
 } as const;

packages/lib/package.json

@@ -56,11 +56,11 @@
     "sharp": "0.32.6",
     "stripe": "^12.7.0",
     "ts-pattern": "^5.0.5",
-    "zod": "^3.23.8"
+    "zod": "3.24.1"
   },
   "devDependencies": {
     "@playwright/browser-chromium": "1.43.0",
     "@types/luxon": "^3.3.1",
     "@types/pg": "^8.11.4"
   }
-}
+}

packages/lib/server-only/document/create-document.ts

@@ -3,6 +3,7 @@
 import type { z } from 'zod';
 
 import { AppError, AppErrorCode } from '@documenso/lib/errors/app-error';
+import { normalizePdf as makeNormalizedPdf } from '@documenso/lib/server-only/pdf/normalize-pdf';
 import { DOCUMENT_AUDIT_LOG_TYPE } from '@documenso/lib/types/document-audit-logs';
 import type { RequestMetadata } from '@documenso/lib/universal/extract-request-metadata';
 import { createDocumentAuditLogData } from '@documenso/lib/utils/document-audit-logs';
@@ -13,6 +14,8 @@ import { TeamMemberRole } from '@documenso/prisma/client';
 import { DocumentSchema } from '@documenso/prisma/generated/zod';
 
 import { ZWebhookDocumentSchema } from '../../types/webhook-payload';
+import { getFile } from '../../universal/upload/get-file';
+import { putPdfFile } from '../../universal/upload/put-file';
 import { triggerWebhook } from '../webhooks/trigger/trigger-webhook';
 
 export type CreateDocumentOptions = {
@@ -22,6 +25,7 @@ export type CreateDocumentOptions = {
   teamId?: number;
   documentDataId: string;
   formValues?: Record<string, string | number | boolean>;
+  normalizePdf?: boolean;
   requestMetadata?: RequestMetadata;
 };
 
@@ -35,6 +39,7 @@ export const createDocument = async ({
   externalId,
   documentDataId,
   teamId,
+  normalizePdf,
   formValues,
   requestMetadata,
 }: CreateDocumentOptions): Promise<TCreateDocumentResponse> => {
@@ -89,22 +94,44 @@ export const createDocument = async ({
     globalVisibility: DocumentVisibility | null | undefined,
     userRole: TeamMemberRole,
   ): DocumentVisibility => {
-    const defaultVisibility = globalVisibility ?? DocumentVisibility.EVERYONE;
+    if (globalVisibility) {
+      return globalVisibility;
+    }
 
     if (userRole === TeamMemberRole.ADMIN) {
-      return defaultVisibility;
+      return DocumentVisibility.ADMIN;
     }
 
     if (userRole === TeamMemberRole.MANAGER) {
-      if (defaultVisibility === DocumentVisibility.ADMIN) {
-        return DocumentVisibility.MANAGER_AND_ABOVE;
-      }
-      return defaultVisibility;
+      return DocumentVisibility.MANAGER_AND_ABOVE;
     }
 
     return DocumentVisibility.EVERYONE;
   };
 
+  if (normalizePdf) {
+    const documentData = await prisma.documentData.findFirst({
+      where: {
+        id: documentDataId,
+      },
+    });
+
+    if (documentData) {
+      const buffer = await getFile(documentData);
+
+      const normalizedPdf = await makeNormalizedPdf(Buffer.from(buffer));
+
+      const newDocumentData = await putPdfFile({
+        name: title.endsWith('.pdf') ? title : `${title}.pdf`,
+        type: 'application/pdf',
+        arrayBuffer: async () => Promise.resolve(normalizedPdf),
+      });
+
+      // eslint-disable-next-line require-atomic-updates
+      documentDataId = newDocumentData.id;
+    }
+  }
+
   return await prisma.$transaction(async (tx) => {
     const document = await tx.document.create({
       data: {

packages/lib/server-only/document/update-document-settings.ts

@@ -91,39 +91,43 @@ export const updateDocumentSettings = async ({
 
   if (teamId) {
     const currentUserRole = document.team?.members[0]?.role;
+    const isDocumentOwner = document.userId === userId;
+    const requestedVisibility = data.visibility;
 
-    match(currentUserRole)
-      .with(TeamMemberRole.ADMIN, () => true)
-      .with(TeamMemberRole.MANAGER, () => {
-        const allowedVisibilities: DocumentVisibility[] = [
-          DocumentVisibility.EVERYONE,
-          DocumentVisibility.MANAGER_AND_ABOVE,
-        ];
+    if (!isDocumentOwner) {
+      match(currentUserRole)
+        .with(TeamMemberRole.ADMIN, () => true)
+        .with(TeamMemberRole.MANAGER, () => {
+          const allowedVisibilities: DocumentVisibility[] = [
+            DocumentVisibility.EVERYONE,
+            DocumentVisibility.MANAGER_AND_ABOVE,
+          ];
 
-        if (
-          !allowedVisibilities.includes(document.visibility) ||
-          (data.visibility && !allowedVisibilities.includes(data.visibility))
-        ) {
+          if (
+            !allowedVisibilities.includes(document.visibility) ||
+            (requestedVisibility && !allowedVisibilities.includes(requestedVisibility))
+          ) {
+            throw new AppError(AppErrorCode.UNAUTHORIZED, {
+              message: 'You do not have permission to update the document visibility',
+            });
+          }
+        })
+        .with(TeamMemberRole.MEMBER, () => {
+          if (
+            document.visibility !== DocumentVisibility.EVERYONE ||
+            (requestedVisibility && requestedVisibility !== DocumentVisibility.EVERYONE)
+          ) {
+            throw new AppError(AppErrorCode.UNAUTHORIZED, {
+              message: 'You do not have permission to update the document visibility',
+            });
+          }
+        })
+        .otherwise(() => {
           throw new AppError(AppErrorCode.UNAUTHORIZED, {
-            message: 'You do not have permission to update the document visibility',
+            message: 'You do not have permission to update the document',
           });
-        }
-      })
-      .with(TeamMemberRole.MEMBER, () => {
-        if (
-          document.visibility !== DocumentVisibility.EVERYONE ||
-          (data.visibility && data.visibility !== DocumentVisibility.EVERYONE)
-        ) {
-          throw new AppError(AppErrorCode.UNAUTHORIZED, {
-            message: 'You do not have permission to update the document visibility',
-          });
-        }
-      })
-      .otherwise(() => {
-        throw new AppError(AppErrorCode.UNAUTHORIZED, {
-          message: 'You do not have permission to update the document',
         });
-      });
+    }
   }
 
   const { documentAuthOption } = extractDocumentAuthMethods({

packages/lib/server-only/field/sign-field-with-token.ts

@@ -8,6 +8,7 @@ import { validateDropdownField } from '@documenso/lib/advanced-fields-validation
 import { validateNumberField } from '@documenso/lib/advanced-fields-validation/validate-number';
 import { validateRadioField } from '@documenso/lib/advanced-fields-validation/validate-radio';
 import { validateTextField } from '@documenso/lib/advanced-fields-validation/validate-text';
+import { fromCheckboxValue } from '@documenso/lib/universal/field-checkbox';
 import { prisma } from '@documenso/prisma';
 import { DocumentStatus, FieldType, SigningStatus } from '@documenso/prisma/client';
 
@@ -119,7 +120,8 @@ export const signFieldWithToken = async ({
 
   if (field.type === FieldType.CHECKBOX && field.fieldMeta) {
     const checkboxFieldParsedMeta = ZCheckboxFieldMeta.parse(field.fieldMeta);
-    const checkboxFieldValues = value.split(',');
+    const checkboxFieldValues: string[] = fromCheckboxValue(value);
+
     const errors = validateCheckboxField(checkboxFieldValues, checkboxFieldParsedMeta, true);
 
     if (errors.length > 0) {

packages/lib/server-only/pdf/flatten-form.ts

@@ -16,7 +16,6 @@ import {
 export const removeOptionalContentGroups = (document: PDFDocument) => {
   const context = document.context;
   const catalog = context.lookup(context.trailerInfo.Root);
-
   if (catalog instanceof PDFDict) {
     catalog.delete(PDFName.of('OCProperties'));
   }

packages/lib/server-only/pdf/insert-field-in-pdf.ts

@@ -10,6 +10,7 @@ import {
   MIN_HANDWRITING_FONT_SIZE,
   MIN_STANDARD_FONT_SIZE,
 } from '@documenso/lib/constants/pdf';
+import { fromCheckboxValue } from '@documenso/lib/universal/field-checkbox';
 import { FieldType } from '@documenso/prisma/client';
 import { isSignatureFieldType } from '@documenso/prisma/guards/is-signature-field';
 import type { FieldWithSignature } from '@documenso/prisma/types/field-with-signature';
@@ -194,7 +195,7 @@ export const insertFieldInPDF = async (pdf: PDFDocument, field: FieldWithSignatu
         value: item.value.length > 0 ? item.value : `empty-value-${item.id}`,
       }));
 
-      const selected = field.customText.split(',');
+      const selected: string[] = fromCheckboxValue(field.customText);
 
       for (const [index, item] of (values ?? []).entries()) {
         const offsetY = index * 16;

packages/lib/server-only/pdf/normalize-pdf.ts

@@ -0,0 +1,18 @@
+import { PDFDocument } from 'pdf-lib';
+
+import { flattenAnnotations } from './flatten-annotations';
+import { flattenForm, removeOptionalContentGroups } from './flatten-form';
+
+export const normalizePdf = async (pdf: Buffer) => {
+  const pdfDoc = await PDFDocument.load(pdf).catch(() => null);
+
+  if (!pdfDoc) {
+    return pdf;
+  }
+
+  removeOptionalContentGroups(pdfDoc);
+  flattenForm(pdfDoc);
+  flattenAnnotations(pdfDoc);
+
+  return Buffer.from(await pdfDoc.save());
+};

packages/lib/universal/field-checkbox.ts

@@ -0,0 +1,21 @@
+export const fromCheckboxValue = (customText: string): string[] => {
+  if (!customText) {
+    return [];
+  }
+
+  try {
+    const parsed = JSON.parse(customText);
+
+    if (!Array.isArray(parsed)) {
+      throw new Error('Parsed checkbox values are not an array');
+    }
+
+    return parsed;
+  } catch {
+    return customText.split(',').filter(Boolean);
+  }
+};
+
+export const toCheckboxValue = (values: string[]): string => {
+  return JSON.stringify(values);
+};

packages/lib/universal/upload/put-file.ts

@@ -8,7 +8,6 @@ import { DocumentDataType } from '@documenso/prisma/client';
 
 import { AppError } from '../../errors/app-error';
 import { createDocumentData } from '../../server-only/document-data/create-document-data';
-import { removeOptionalContentGroups } from '../../server-only/pdf/flatten-form';
 
 type File = {
   name: string;
@@ -25,7 +24,9 @@ export const putPdfFile = async (file: File) => {
     () => false,
   );
 
-  const pdf = await PDFDocument.load(await file.arrayBuffer()).catch((e) => {
+  const arrayBuffer = await file.arrayBuffer();
+
+  const pdf = await PDFDocument.load(arrayBuffer).catch((e) => {
     console.error(`PDF upload parse error: ${e.message}`);
 
     throw new AppError('INVALID_DOCUMENT_FILE');
@@ -39,11 +40,7 @@ export const putPdfFile = async (file: File) => {
     file.name = `${file.name}.pdf`;
   }
 
-  removeOptionalContentGroups(pdf);
-
-  const bytes = await pdf.save();
-
-  const { type, data } = await putFile(new File([bytes], file.name, { type: 'application/pdf' }));
+  const { type, data } = await putFile(file);
 
   return await createDocumentData({ type, data });
 };

packages/prisma/migrations/20241217103826_add_disabled_property_user_table/migration.sql

@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "User" ADD COLUMN     "disabled" BOOLEAN NOT NULL DEFAULT false;

packages/prisma/schema.prisma

@@ -42,6 +42,7 @@ model User {
   roles            Role[]           @default([USER])
   identityProvider IdentityProvider @default(DOCUMENSO)
   avatarImageId    String?
+  disabled         Boolean          @default(false)
 
   accounts             Account[]
   sessions             Session[]

packages/prisma/seed/teams.ts

@@ -1,6 +1,7 @@
 import { customAlphabet } from 'nanoid';
 
 import { prisma } from '..';
+import type { Prisma } from '../client';
 import { TeamMemberInviteStatus, TeamMemberRole } from '../client';
 import { seedUser } from './users';
 
@@ -10,11 +11,13 @@ const nanoid = customAlphabet('1234567890abcdef', 10);
 type SeedTeamOptions = {
   createTeamMembers?: number;
   createTeamEmail?: true | string;
+  createTeamOptions?: Partial<Prisma.TeamUncheckedCreateInput>;
 };
 
 export const seedTeam = async ({
   createTeamMembers = 0,
   createTeamEmail,
+  createTeamOptions = {},
 }: SeedTeamOptions = {}) => {
   const teamUrl = `team-${nanoid()}`;
   const teamEmail = createTeamEmail === true ? `${teamUrl}@${EMAIL_DOMAIN}` : createTeamEmail;
@@ -54,6 +57,7 @@ export const seedTeam = async ({
             },
           }
         : undefined,
+      ...createTeamOptions,
     },
   });
 
@@ -69,6 +73,7 @@ export const seedTeam = async ({
         },
       },
       teamEmail: true,
+      teamGlobalSettings: true,
     },
   });
 };

packages/trpc/package.json

@@ -22,6 +22,6 @@
     "luxon": "^3.4.0",
     "superjson": "^1.13.1",
     "ts-pattern": "^5.0.5",
-    "zod": "^3.23.8"
+    "zod": "3.24.1"
   }
-}
+}

packages/trpc/server/document-router/router.ts

@@ -197,6 +197,7 @@ export const documentRouter = router({
         teamId,
         title,
         documentDataId,
+        normalizePdf: true,
         requestMetadata: extractNextApiRequestMetadata(ctx.req),
       });
     }),

packages/ui/components/document/document-visibility-select.tsx

@@ -1,5 +1,6 @@
 import React, { forwardRef } from 'react';
 
+import { TeamMemberRole } from '@prisma/client';
 import type { SelectProps } from '@radix-ui/react-select';
 import { InfoIcon } from 'lucide-react';
 
@@ -15,18 +16,23 @@ import {
 import { Tooltip, TooltipContent, TooltipTrigger } from '@documenso/ui/primitives/tooltip';
 
 export type DocumentVisibilitySelectType = SelectProps & {
-  currentMemberRole?: string;
+  currentTeamMemberRole?: string;
   isTeamSettings?: boolean;
   disabled?: boolean;
+  canUpdateVisibility?: boolean;
 };
 
 export const DocumentVisibilitySelect = forwardRef<HTMLButtonElement, DocumentVisibilitySelectType>(
-  ({ currentMemberRole, isTeamSettings = false, disabled, ...props }, ref) => {
-    const canUpdateVisibility =
-      currentMemberRole === 'ADMIN' || currentMemberRole === 'MANAGER' || isTeamSettings;
+  (
+    { currentTeamMemberRole, isTeamSettings = false, disabled, canUpdateVisibility, ...props },
+    ref,
+  ) => {
+    const isAdmin = currentTeamMemberRole === TeamMemberRole.ADMIN;
+    const isManager = currentTeamMemberRole === TeamMemberRole.MANAGER;
+    const canEdit = isTeamSettings || canUpdateVisibility;
 
     return (
-      <Select {...props} disabled={(!canUpdateVisibility && !isTeamSettings) || disabled}>
+      <Select {...props} disabled={!canEdit || disabled}>
         <SelectTrigger ref={ref} className="bg-background text-muted-foreground">
           <SelectValue data-testid="documentVisibilitySelectValue" placeholder="Everyone" />
         </SelectTrigger>
@@ -35,13 +41,13 @@ export const DocumentVisibilitySelect = forwardRef<HTMLButtonElement, DocumentVi
           <SelectItem value={DocumentVisibility.EVERYONE}>
             {DOCUMENT_VISIBILITY.EVERYONE.value}
           </SelectItem>
-          <SelectItem value={DocumentVisibility.MANAGER_AND_ABOVE} disabled={!canUpdateVisibility}>
+          <SelectItem
+            value={DocumentVisibility.MANAGER_AND_ABOVE}
+            disabled={!isAdmin && !isManager}
+          >
             {DOCUMENT_VISIBILITY.MANAGER_AND_ABOVE.value}
           </SelectItem>
-          <SelectItem
-            value={DocumentVisibility.ADMIN}
-            disabled={currentMemberRole !== 'ADMIN' && !isTeamSettings}
-          >
+          <SelectItem value={DocumentVisibility.ADMIN} disabled={!isAdmin}>
             {DOCUMENT_VISIBILITY.ADMIN.value}
           </SelectItem>
         </SelectContent>

packages/ui/components/field/field-tooltip.tsx

@@ -40,7 +40,7 @@ export function FieldToolTip({ children, color, className = '', field }: FieldTo
 
   return createPortal(
     <div
-      className={cn('absolute')}
+      className={cn('pointer-events-none absolute')}
       style={{
         top: `${coords.y}px`,
         left: `${coords.x}px`,

packages/ui/package.json

@@ -78,6 +78,6 @@
     "tailwind-merge": "^1.12.0",
     "tailwindcss-animate": "^1.0.5",
     "ts-pattern": "^5.0.5",
-    "zod": "^3.23.8"
+    "zod": "3.24.1"
   }
-}
+}

packages/ui/primitives/document-flow/add-fields.tsx

@@ -129,6 +129,7 @@ export const AddFieldsFormPartial = ({
     currentStep === 1 && typeof documentFlow.onBackStep === 'function' && canGoBack;
   const [showAdvancedSettings, setShowAdvancedSettings] = useState(false);
   const [currentField, setCurrentField] = useState<FieldFormType>();
+  const [activeFieldId, setActiveFieldId] = useState<string | null>(null);
 
   const form = useForm<TAddFieldsFormSchema>({
     defaultValues: {
@@ -652,6 +653,9 @@ export const AddFieldsFormPartial = ({
                       }}
                       hideRecipients={hideRecipients}
                       hasErrors={!!hasFieldError}
+                      active={activeFieldId === field.formId}
+                      onFieldActivate={() => setActiveFieldId(field.formId)}
+                      onFieldDeactivate={() => setActiveFieldId(null)}
                     />
                   );
                 })}

packages/ui/primitives/document-flow/add-settings.tsx

@@ -6,12 +6,13 @@ import { zodResolver } from '@hookform/resolvers/zod';
 import { Trans } from '@lingui/macro';
 import { InfoIcon } from 'lucide-react';
 import { useForm } from 'react-hook-form';
+import { match } from 'ts-pattern';
 
 import { DATE_FORMATS, DEFAULT_DOCUMENT_DATE_FORMAT } from '@documenso/lib/constants/date-formats';
 import { SUPPORTED_LANGUAGES } from '@documenso/lib/constants/i18n';
 import { DEFAULT_DOCUMENT_TIME_ZONE, TIME_ZONES } from '@documenso/lib/constants/time-zones';
 import { extractDocumentAuthMethods } from '@documenso/lib/utils/document-auth';
-import type { TeamMemberRole } from '@documenso/prisma/client';
+import { DocumentVisibility, TeamMemberRole } from '@documenso/prisma/client';
 import { DocumentStatus, type Field, type Recipient, SendStatus } from '@documenso/prisma/client';
 import type { DocumentWithData } from '@documenso/prisma/types/document-with-data';
 import {
@@ -110,6 +111,16 @@ export const AddSettingsFormPartial = ({
     (recipient) => recipient.sendStatus === SendStatus.SENT,
   );
 
+  const canUpdateVisibility = match(currentTeamMemberRole)
+    .with(TeamMemberRole.ADMIN, () => true)
+    .with(
+      TeamMemberRole.MANAGER,
+      () =>
+        document.visibility === DocumentVisibility.EVERYONE ||
+        document.visibility === DocumentVisibility.MANAGER_AND_ABOVE,
+    )
+    .otherwise(() => false);
+
   // We almost always want to set the timezone to the user's local timezone to avoid confusion
   // when the document is signed.
   useEffect(() => {
@@ -237,7 +248,8 @@ export const AddSettingsFormPartial = ({
 
                     <FormControl>
                       <DocumentVisibilitySelect
-                        currentMemberRole={currentTeamMemberRole}
+                        canUpdateVisibility={canUpdateVisibility}
+                        currentTeamMemberRole={currentTeamMemberRole}
                         {...field}
                         onValueChange={field.onChange}
                       />
@@ -273,7 +285,7 @@ export const AddSettingsFormPartial = ({
                 </AccordionTrigger>
 
                 <AccordionContent className="text-muted-foreground -mx-1 px-1 pt-2 text-sm leading-relaxed">
-                  <div className="flex flex-col space-y-6 ">
+                  <div className="flex flex-col space-y-6">
                     <FormField
                       control={form.control}
                       name="externalId"

packages/ui/primitives/document-flow/field-item.tsx

@@ -47,6 +47,9 @@ export type FieldItemProps = {
   recipientIndex?: number;
   hideRecipients?: boolean;
   hasErrors?: boolean;
+  active?: boolean;
+  onFieldActivate?: () => void;
+  onFieldDeactivate?: () => void;
 };
 
 export const FieldItem = ({
@@ -67,8 +70,10 @@ export const FieldItem = ({
   recipientIndex = 0,
   hideRecipients = false,
   hasErrors,
+  active,
+  onFieldActivate,
+  onFieldDeactivate,
 }: FieldItemProps) => {
-  const [active, setActive] = useState(false);
   const [coords, setCoords] = useState({
     pageX: 0,
     pageY: 0,
@@ -150,6 +155,8 @@ export const FieldItem = ({
       });
 
       if (isOutsideOfField) {
+        setSettingsActive(false);
+        onFieldDeactivate?.();
         onBlur?.();
       }
     };
@@ -188,10 +195,12 @@ export const FieldItem = ({
   return createPortal(
     <Rnd
       key={coords.pageX + coords.pageY + coords.pageHeight + coords.pageWidth}
-      className={cn('group z-20', {
+      className={cn('group', {
         'pointer-events-none': passive,
         'pointer-events-none cursor-not-allowed opacity-75': disabled,
-        'z-10': !active || disabled,
+        'z-50': active && !disabled,
+        'z-20': !active && !disabled,
+        'z-10': disabled,
       })}
       minHeight={fixedSize ? '' : minHeight || 'auto'}
       minWidth={fixedSize ? '' : minWidth || 'auto'}
@@ -202,15 +211,15 @@ export const FieldItem = ({
         width: fixedSize ? '' : coords.pageWidth,
       }}
       bounds={`${PDF_VIEWER_PAGE_SELECTOR}[data-page-number="${field.pageNumber}"]`}
-      onDragStart={() => setActive(true)}
-      onResizeStart={() => setActive(true)}
+      onDragStart={() => onFieldActivate?.()}
+      onResizeStart={() => onFieldActivate?.()}
       enableResizing={!fixedSize}
       onResizeStop={(_e, _d, ref) => {
-        setActive(false);
+        onFieldDeactivate?.();
         onResize?.(ref);
       }}
       onDragStop={(_e, d) => {
-        setActive(false);
+        onFieldDeactivate?.();
         onMove?.(d.node);
       }}
     >
@@ -226,8 +235,10 @@ export const FieldItem = ({
           !fixedSize && '[container-type:size]',
         )}
         data-error={hasErrors ? 'true' : undefined}
-        onClick={() => {
+        onClick={(e) => {
+          e.stopPropagation();
           setSettingsActive((prev) => !prev);
+          onFieldActivate?.();
           onFocus?.();
         }}
         ref={$el}
@@ -264,7 +275,7 @@ export const FieldItem = ({
       </div>
 
       {!disabled && settingsActive && (
-        <div className="mt-1 flex justify-center">
+        <div className="z-[60] mt-1 flex justify-center">
           <div className="dark:bg-background group flex items-center justify-evenly gap-x-1 rounded-md border bg-gray-900 p-0.5">
             {advancedField && (
               <button

packages/ui/primitives/template-flow/add-template-fields.tsx

@@ -100,6 +100,7 @@ export const AddTemplateFieldsFormPartial = ({
   const { currentStep, totalSteps, previousStep } = useStep();
   const [showAdvancedSettings, setShowAdvancedSettings] = useState(false);
   const [currentField, setCurrentField] = useState<FieldFormType>();
+  const [activeFieldId, setActiveFieldId] = useState<string | null>(null);
 
   const form = useForm<TAddTemplateFieldsFormSchema>({
     defaultValues: {
@@ -475,6 +476,9 @@ export const AddTemplateFieldsFormPartial = ({
                       handleAdvancedSettings();
                     }}
                     hideRecipients={hideRecipients}
+                    active={activeFieldId === field.formId}
+                    onFieldActivate={() => setActiveFieldId(field.formId)}
+                    onFieldDeactivate={() => setActiveFieldId(null)}
                   />
                 );
               })}