address review

anikdhabal · anikdhabal · commit 95143bb43b31 · 2025-08-18T14:20:13.000Z
diff --git a/packages/features/pbac/services/__tests__/role-management.factory.test.ts b/packages/features/pbac/services/__tests__/role-management.factory.test.ts
@@ -110,13 +110,15 @@ describe("RoleManagementFactory", () => {
       it("should allow role change when user has permission", async () => {
         mockPermissionCheckService.checkPermission.mockResolvedValue(true);
         const manager = await factory.createRoleManager(organizationId);
-        await expect(manager.checkPermissionToChangeRole(userId, organizationId)).resolves.not.toThrow();
+        await expect(
+          manager.checkPermissionToChangeRole(userId, organizationId, "org")
+        ).resolves.not.toThrow();
       });
 
       it("should throw UNAUTHORIZED when user lacks permission", async () => {
         mockPermissionCheckService.checkPermission.mockResolvedValue(false);
         const manager = await factory.createRoleManager(organizationId);
-        await expect(manager.checkPermissionToChangeRole(userId, organizationId)).rejects.toThrow(
+        await expect(manager.checkPermissionToChangeRole(userId, organizationId, "org")).rejects.toThrow(
           new RoleManagementError(
             "You do not have permission to change roles",
             RoleManagementErrorCode.UNAUTHORIZED
@@ -193,13 +195,15 @@ describe("RoleManagementFactory", () => {
           customRoleId: null,
         });
         const manager = await factory.createRoleManager(organizationId);
-        await expect(manager.checkPermissionToChangeRole(userId, organizationId)).resolves.not.toThrow();
+        await expect(
+          manager.checkPermissionToChangeRole(userId, organizationId, "org")
+        ).resolves.not.toThrow();
       });
 
       it("should throw UNAUTHORIZED when user is not owner", async () => {
         vi.mocked(isOrganisationAdmin).mockResolvedValue(false);
         const manager = await factory.createRoleManager(organizationId);
-        await expect(manager.checkPermissionToChangeRole(userId, organizationId)).rejects.toThrow(
+        await expect(manager.checkPermissionToChangeRole(userId, organizationId, "org")).rejects.toThrow(
           new RoleManagementError(
             "Only owners or admin can update roles",
             RoleManagementErrorCode.UNAUTHORIZED
diff --git a/packages/features/pbac/services/role-management.factory.ts b/packages/features/pbac/services/role-management.factory.ts
@@ -11,7 +11,7 @@ import { RoleService } from "./role.service";
 
 interface IRoleManager {
   isPBACEnabled: boolean;
-  checkPermissionToChangeRole(userId: number, targetId: number, checkAtTeamLevel?: boolean): Promise<void>;
+  checkPermissionToChangeRole(userId: number, targetId: number, scope: "org" | "team"): Promise<void>;
   assignRole(
     userId: number,
     organizationId: number,
@@ -30,15 +30,11 @@ class PBACRoleManager implements IRoleManager {
     private readonly permissionCheckService: PermissionCheckService
   ) {}
 
-  async checkPermissionToChangeRole(
-    userId: number,
-    targetId: number,
-    checkAtTeamLevel?: boolean
-  ): Promise<void> {
+  async checkPermissionToChangeRole(userId: number, targetId: number, scope: "org" | "team"): Promise<void> {
     const hasPermission = await this.permissionCheckService.checkPermission({
       userId,
       teamId: targetId,
-      permission: checkAtTeamLevel ? "team.changeMemberRole" : "organization.changeMemberRole",
+      permission: scope === "team" ? "team.changeMemberRole" : "organization.changeMemberRole",
       fallbackRoles: [MembershipRole.OWNER, MembershipRole.ADMIN],
     });
 
@@ -100,14 +96,11 @@ class PBACRoleManager implements IRoleManager {
 
 class LegacyRoleManager implements IRoleManager {
   public isPBACEnabled = false;
-  async checkPermissionToChangeRole(
-    userId: number,
-    targetId: number,
-    checkAtTeamLevel?: boolean
-  ): Promise<void> {
-    const membership = checkAtTeamLevel
-      ? !!(await isTeamAdmin(userId, targetId))
-      : !!(await isOrganisationAdmin(userId, targetId));
+  async checkPermissionToChangeRole(userId: number, targetId: number, scope: "org" | "team"): Promise<void> {
+    const membership =
+      scope === "team"
+        ? !!(await isTeamAdmin(userId, targetId))
+        : !!(await isOrganisationAdmin(userId, targetId));
     // Only OWNER/ADMIN can update role
     if (!membership) {
       throw new RoleManagementError(
diff --git a/packages/trpc/server/routers/viewer/organizations/updateUser.handler.ts b/packages/trpc/server/routers/viewer/organizations/updateUser.handler.ts
@@ -47,7 +47,7 @@ export const updateUserHandler = async ({ ctx, input }: UpdateUserOptions) => {
   const roleManager = await RoleManagementFactory.getInstance().createRoleManager(organizationId);
 
   try {
-    await roleManager.checkPermissionToChangeRole(userId, organizationId);
+    await roleManager.checkPermissionToChangeRole(userId, organizationId, "org");
   } catch (error) {
     if (error instanceof RoleManagementError) {
       throw new TRPCError({ code: "UNAUTHORIZED", message: error.message });
diff --git a/packages/trpc/server/routers/viewer/teams/changeMemberRole.handler.ts b/packages/trpc/server/routers/viewer/teams/changeMemberRole.handler.ts
@@ -32,7 +32,7 @@ export const changeMemberRoleHandler = async ({ ctx, input }: ChangeMemberRoleOp
 
   // Check permission to change roles
   try {
-    await roleManager.checkPermissionToChangeRole(ctx.user.id, input.teamId, true);
+    await roleManager.checkPermissionToChangeRole(ctx.user.id, input.teamId, "team");
   } catch (error) {
     throw new TRPCError({
       code: "UNAUTHORIZED",
