feat(team): self-serve member admin UI + admins can change roles#3264
Merged
Conversation
Closes the self-service gap left after #3235. The team page now does the full add/promote/invite flow without anyone filing an escalation, and org admins can manage member ↔ admin roles directly. Backend: - POST /api/organizations/:orgId/members/by-email accepts optional seat_type and persists it via invitation_seat_types for Path 1 (invite) and Path 2 (direct add). Path 2 clears any stale (org, email) staging row before writing, so a prior failed attempt can't leak seat_type to a later invite. Path 3 (role update) blocks self-role-change to mirror the existing PATCH endpoint. - PATCH /:orgId/members/:membershipId and /members/by-email Path 3 allow admins to change member ↔ admin. Admins cannot assign owner or change an existing owner's role; owners and AAO super-admins are unrestricted. - PATCH /:orgId/settings restricts auto_provision_verified_domain to owners (and AAO super-admins) — turning it on widens org membership in a way admins shouldn't be able to do unilaterally given the new role-cap policy. - GET /:orgId/domains returns auto_provision_verified_domain alongside the domain list so the toggle UI renders state in one round trip. UI (server/public/team.html): - Replaces "+ Invite Member" with "+ Add member"; the modal calls the unified by-email endpoint instead of /invitations. - Adds an auto-provision toggle inside the Verified Domains card, visible only to owners and only when at least one domain is verified. Tests: server/tests/integration/member-by-email-policy.test.ts (16 tests) covers role-cap branches, self-role-change blocking, seat_type propagation, and the owner-only toggle. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
The overlay intercepts clicks during automated UI tests and isn't relevant for dev-mode users (whose preferences are always null). This keeps it hidden when running against http://localhost (also 127.0.0.1 and ::1) so dev-mode and Playwright runs aren't blocked from interacting with the page underneath. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes the self-service gap left after #3235:
server/public/team.html) — no more escalations for "promote so-and-so to admin."owneror change an existing owner's role.Changes
Backend (
server/src/routes/organizations.ts)POST /:orgId/members/by-emailaccepts optionalseat_typeand persists it viainvitation_seat_typesfor both Path 1 (invite) and Path 2 (direct add). Path 2 clears stale(org, email)staging rows before writing.PATCH /:orgId/members/:membershipIdand Path 3 of/members/by-emailnow allow admins to managemember ↔ admin. Admins capped: noownerassignment, no changing an existing owner's role.PATCH /:orgId/settingsrestrictsauto_provision_verified_domainto owner-only (and AAO super-admin). With admins able to promote member → admin, an admin shouldn't also be able to widen membership unilaterally — that's a single-actor escalation chain.GET /:orgId/domainsreturnsauto_provision_verified_domainso the toggle UI renders state in one round trip.UI (
server/public/team.html)/members/by-emailinstead of/invitations(the unified endpoint subsumes the old one).Tests
server/tests/integration/member-by-email-policy.test.ts— 16 tests covering role-cap branches (admin promote member→admin, admin denied owner-assign, admin denied owner-target, admin demotes another admin, owner unrestricted, member denied with specific message), self-role-change blocking on both endpoints, seat_type propagation including unknown-value rejection, and the owner-only auto-provision toggle.membership-webhook.test.tsstill passes (43/43 across both files).Reviews addressed
Ran code-reviewer and security-reviewer on the draft. Findings closed:
/members/by-emailPath 3 had no self-role-change guard. Owner-self-demote could leave org owner-less. Fixed.invitation_seat_typesrollback.catch(() => {})could leak a stale row that gets consumed by an unrelated future invite at the same(org, email). Now: clear stale rows by(org, email)before staging, and surface rollback failures vialogger.errorinstead of swallowing.Test plan
npm run typecheckclean🤖 Generated with Claude Code