revert: "fix: remove fallback permssions on organization Id. (#22769)"

[sean-brydon]

This reverts commit 30061c0.

Removes the manage permission concept and fallback logic to simplify permission checking back to direct role-based checks.

1. Manage Permission Enum: Removed CrudAction.Manage =
   "manage"
2. Manage Permission Registry Entries: Removed manage
   permissions for roles, event types, teams, and bookings
3. Fallback Logic: Removed the complex manage permission
   fallback logic in permission-check.service.ts
4. Tests: Removed 259 lines of tests related to manage
   permissions
5. Migration: Removed the database migration that added
   manage permissions to default roles
6. UI Logic: Reverted the usePermissions hook to not
   check for manage permissions
7. Localization: Reverted the description changes for
   manage permissions

[github-actions]

Hey there and thank you for opening this pull request! 👋🏼

We require pull request titles to follow the Conventional Commits specification and it looks like your proposed title needs to be adjusted.

Details:

No release type found in pull request title "Revert "fix: remove fallback permssions on organization Id. (#22769)"". Add a prefix to indicate what kind of release this pull request corresponds to. For reference, see https://www.conventionalcommits.org/

Available types:
 - feat: A new feature
 - fix: A bug fix
 - docs: Documentation only changes
 - style: Changes that do not affect the meaning of the code (white-space, formatting, missing semi-colons, etc)
 - refactor: A code change that neither fixes a bug nor adds a feature
 - perf: A code change that improves performance
 - test: Adding missing tests or correcting existing tests
 - build: Changes that affect the build system or external dependencies (example scopes: gulp, broccoli, npm)
 - ci: Changes to our CI configuration files and scripts (example scopes: Travis, Circle, BrowserStack, SauceLabs)
 - chore: Other changes that don't modify src or test files
 - revert: Reverts a previous commit

[coderabbitai]

Walkthrough

This PR removes "manage" as a CRUD action and its permission registry entries, deletes a migration that inserted manage permissions for default roles, and updates PBAC logic to stop treating manage as an implicit "all" permission. Permission-check.service no longer expands or falls back to manage-based checks; client-side getResourcePermissionLevel now requires all explicit actions to grant "all". Tests and i18n strings referencing manage were removed or adjusted, and workflow permission surfaces dropped the canManage field.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• fix: remove fallback permssions on organization Id.  #22769 — Directly overlaps: reverses/adds manage handling in the permission model and service-level checks; high likelihood of merge conflicts.
• fix: (pbac) edit sheet readonly to all to readonly #22672 — Modifies getResourcePermissionLevel in the same client codepath that determines "all"/manage semantics.
• fix: issues found in PBAC creation  #22659 — Changes resource-action filtering and interpretation for "all"/manage in the client-side permission utilities.

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 79215fe and d6d88bc.

📒 Files selected for processing (2)

• packages/features/ee/workflows/components/WorkflowDetailsPage.tsx (1 hunks)
• packages/lib/server/repository/workflow-permissions.ts (1 hunks)

🧰 Additional context used

📓 Path-based instructions (3)

**/*.ts

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

**/*.ts: For Prisma queries, only select data you need; never use include, always use select
Ensure the credential.key field is never returned from tRPC endpoints or APIs

Files:

• packages/lib/server/repository/workflow-permissions.ts

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Flag excessive Day.js use in performance-critical code; prefer native Date or Day.js .utc() in hot paths like loops

Files:

• packages/lib/server/repository/workflow-permissions.ts
• packages/features/ee/workflows/components/WorkflowDetailsPage.tsx

**/*.tsx

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Always use t() for text localization in frontend code; direct text embedding should trigger a warning

Files:

• packages/features/ee/workflows/components/WorkflowDetailsPage.tsx

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Install dependencies / Yarn install & cache

🔇 Additional comments (10)

packages/features/ee/workflows/components/WorkflowDetailsPage.tsx (4)

26-31: LGTM: Interface correctly aligned with removed manage permissions.

The WorkflowPermissions interface has been properly updated to remove the canManage field, which aligns with the PR's objective to eliminate the manage permission concept. The remaining fields (canView, canUpdate, canDelete, readOnly) provide adequate granular control.

---

60-65: LGTM: Permission defaults correctly handle the removed canManage field.

The default permissions object properly omits canManage and provides appropriate fallback values for the remaining permission fields. The logic correctly derives permissions based on team membership and readonly status.

---

120-120: LGTM: Minor formatting improvement.

The added trailing comma after agentId: null improves code consistency and makes future additions to this object cleaner.

---

188-197: No remaining canManage references—permission checks are correct.

Ran rg "canManage" packages/features/ee/workflows/ and found no occurrences. The delete button now correctly relies on permissions.canDelete, so no further changes are needed.

packages/lib/server/repository/workflow-permissions.ts (6)

5-10: LGTM: Interface properly updated to remove manage permissions.

The WorkflowPermissions interface correctly removes the canManage field while maintaining the essential permission granularity (canView, canUpdate, canDelete). The readOnly field is appropriately kept for backward compatibility.

---

38-42: LGTM: Permission checks updated to remove manage action.

The parallel permission checks correctly query only the specific actions (workflow.read, workflow.update, workflow.delete) without the previously removed workflow.manage action. This aligns with the PR's objective to eliminate manage-based fallback logic.

---

44-49: LGTM: Permission object construction properly excludes canManage.

The permissions object correctly constructs only the required fields without canManage, and properly derives readOnly from the canUpdate permission.

---

58-66: LGTM: Personal workflow permissions properly simplified.

The personal workflow permissions correctly handle ownership-based access without relying on manage permissions, providing clear boolean values for each specific permission type.

---

74-81: LGTM: Null workflow handling maintains consistency.

The null workflow case correctly returns a permissions object without canManage, maintaining consistency with the updated interface.

---

147-154: No remaining references to canManage in workflow permissions

• Searched across all TypeScript files for “canManage” and found only uses of canManageTeamResources (unrelated to WorkflowPermissions).
• No code is accessing workflow.permissions.canManage, so downstream consumers are already updated.

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/pbac-remove-manage

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[graphite-app]

Graphite Automations

"Add consumer team as reviewer" took an action on this PR • (08/11/25)

1 reviewer was added to this PR based on Keith Williams's automation.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts (1)

54-61: Correctly aligns "all" with all non-internal actions (manage removed).

The refactor to compute allResourcePerms from all non-internal actions and require all of them for "all" is consistent with removing manage-based escalation. Looks good.

One minor UX safeguard: consider deduping permissions in outputs from toggleResourcePermissionLevel/toggleSinglePermission to avoid accumulating duplicates during multiple toggles.

Example tweak (outside this hunk): return a unique array.

// at Line 114
return Array.from(new Set(newPermissions));
// at Line 167
return Array.from(new Set(newPermissions));

packages/features/pbac/services/permission-check.service.ts (1)

205-206: Explicit-permission checks (no manage fallback) — good simplification.

Team-level first, then org-level, with no manage-based escalation is correct for this revert. Reads cleanly.

Optional follow-ups:

• Consider standardizing membership lookups via the injected repository rather than using MembershipRepository static in checkPermission/checkPermissions for consistency and easier testing.
• Minor perf nit (non-blocking): when the caller already has membership (found earlier), passing the org customRoleId (if any) into hasPermission(s) could avoid one repository roundtrip.

Also applies to: 228-229

packages/features/pbac/services/__tests__/permission-check.service.test.ts (1)

270-289: Empty permissions semantics are now explicit — confirm intent.

The test asserts false for an empty permissions array and verifies a repository call with []. If the intended contract is “empty set = false”, consider short-circuiting earlier to avoid a repository call. If not, keeping this test is fine; just confirm this is the desired behavior across callers.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ebeb008 and 4db6430.

📒 Files selected for processing (7)

• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/__tests__/usePermissions.test.ts (0 hunks)
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts (1 hunks)
• apps/web/public/static/locales/en/common.json (2 hunks)
• packages/features/pbac/domain/types/permission-registry.ts (0 hunks)
• packages/features/pbac/services/__tests__/permission-check.service.test.ts (2 hunks)
• packages/features/pbac/services/permission-check.service.ts (2 hunks)
• packages/prisma/migrations/20250728091301_add_manage_permissions_to_default_roles/migration.sql (0 hunks)

💤 Files with no reviewable changes (3)

• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/tests/usePermissions.test.ts
• packages/prisma/migrations/20250728091301_add_manage_permissions_to_default_roles/migration.sql
• packages/features/pbac/domain/types/permission-registry.ts

🧰 Additional context used

📓 Path-based instructions (3)

**/*.ts

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

**/*.ts: For Prisma queries, only select data you need; never use include, always use select
Ensure the credential.key field is never returned from tRPC endpoints or APIs

Files:

• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts
• packages/features/pbac/services/permission-check.service.ts
• packages/features/pbac/services/__tests__/permission-check.service.test.ts

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Flag excessive Day.js use in performance-critical code; prefer native Date or Day.js .utc() in hot paths like loops

Files:

• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts
• packages/features/pbac/services/permission-check.service.ts
• packages/features/pbac/services/__tests__/permission-check.service.test.ts

**/*.{service,repository}.ts

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Avoid dot-suffixes like .service.ts or .repository.ts for new files; reserve .test.ts, .spec.ts, .types.ts for their specific purposes

Files:

• packages/features/pbac/services/permission-check.service.ts

🔇 Additional comments (1)

apps/web/public/static/locales/en/common.json (1)

3332-3332: String updates match revert (remove “across organization teams”).

These wording changes are consistent with removing manage as a special capability. Please ensure other locale files reflect the same updates to avoid inconsistent translations.

Also applies to: 3340-3340, 3355-3355

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (5)

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts (1)

112-115: Avoid duplicate permission entries when toggling

toggleResourcePermissionLevel and toggleSinglePermission can push duplicates. Before returning, normalize with a Set for idempotency.

-    return newPermissions;
+    // De-duplicate
+    return Array.from(new Set(newPermissions));

Also applies to: 162-166

packages/features/pbac/services/permission-check.service.ts (2)

111-132: Minor: Avoid double membership fetch on PBAC paths

checkPermission/checkPermissions fetch membership via MembershipRepository and then hasPermission/hasPermissions fetch it again via repository. Pass the membership (and orgMembership) down to avoid an extra query.

Also applies to: 234-249

---

214-223: Optional: short-circuit empty permissions

Currently, hasPermissions can hit the repo with an empty array. Consider returning false early to avoid unnecessary calls and to keep semantics explicit, then adjust tests accordingly.

packages/features/pbac/services/__tests__/permission-check.service.test.ts (2)

270-289: Test over-coupled to implementation (asserts repo call with [])

Asserting that checkRolePermissions is called with [] couples the test to an internal detail. Prefer asserting just the boolean result. This gives leeway to short-circuit on empty arrays later.

-  expect(mockRepository.checkRolePermissions).toHaveBeenCalledWith("admin_role", []);
+  // No need to assert internal calls; only outcome matters

---

591-619: Test name vs. behavior mismatch: it’s union, not precedence

The test named “org permissions should take precedence” asserts union of team and org actions. Consider renaming to reflect union behavior to avoid confusion.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ebeb008 and 4db6430.

📒 Files selected for processing (7)

• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/__tests__/usePermissions.test.ts (0 hunks)
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts (1 hunks)
• apps/web/public/static/locales/en/common.json (2 hunks)
• packages/features/pbac/domain/types/permission-registry.ts (0 hunks)
• packages/features/pbac/services/__tests__/permission-check.service.test.ts (2 hunks)
• packages/features/pbac/services/permission-check.service.ts (2 hunks)
• packages/prisma/migrations/20250728091301_add_manage_permissions_to_default_roles/migration.sql (0 hunks)

💤 Files with no reviewable changes (3)

• packages/prisma/migrations/20250728091301_add_manage_permissions_to_default_roles/migration.sql
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/tests/usePermissions.test.ts
• packages/features/pbac/domain/types/permission-registry.ts

🧰 Additional context used

📓 Path-based instructions (3)

**/*.{service,repository}.ts

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Avoid dot-suffixes like .service.ts or .repository.ts for new files; reserve .test.ts, .spec.ts, .types.ts for their specific purposes

Files:

• packages/features/pbac/services/permission-check.service.ts

**/*.ts

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

**/*.ts: For Prisma queries, only select data you need; never use include, always use select
Ensure the credential.key field is never returned from tRPC endpoints or APIs

Files:

• packages/features/pbac/services/permission-check.service.ts
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts
• packages/features/pbac/services/__tests__/permission-check.service.test.ts

**/*.{ts,tsx}

📄 CodeRabbit Inference Engine (.cursor/rules/review.mdc)

Flag excessive Day.js use in performance-critical code; prefer native Date or Day.js .utc() in hot paths like loops

Files:

• packages/features/pbac/services/permission-check.service.ts
• apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts
• packages/features/pbac/services/__tests__/permission-check.service.test.ts

🔇 Additional comments (5)

apps/web/public/static/locales/en/common.json (2)

3332-3332: Copy update aligns with removal of manage fallback

The simplified phrasing (“All actions on …”) matches the PR’s removal of cross-team “manage” semantics. No issues.

Also applies to: 3340-3340, 3355-3355

---

3296-3300: No removal needed for pbac_action_manage
The i18n key is actively used in your permission registry (packages/features/pbac/domain/types/permission-registry.ts at lines ~362 and ~427) under [CrudAction.Manage]. Since CrudAction.Manage is still present, you should keep this key.

Likely an incorrect or invalid review comment.

apps/web/app/(use-page-wrapper)/settings/(settings-layout)/organizations/roles/_components/usePermissions.ts (1)

54-62: “All” now requires every explicit action (not just CRUD) — verify UX intent

Filtering out only internal “_” keys means “all” includes custom actions (invite/remove/etc.). This matches the PR (no manage), but changes semantics: CRUD-only roles won’t show as “all.” Confirm this is the intended UX and that tests reflect the broader set.

packages/features/pbac/services/permission-check.service.ts (2)

203-206: Org-level check now uses exact permission (no manage fallback) — LGTM

Directly checking the requested permission on the org role is consistent with dropping manage-based expansion.

---

226-229: Org-level multi-permission check mirrors single-permission path — LGTM

Union semantics (team first, then org) remain; no manage fallback. Good.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments

Project	Deployment	Preview	Comments	Updated (UTC)
cal	Ignored			Aug 20, 2025 11:08am
cal-eu	Ignored			Aug 20, 2025 11:08am

[CarinaWolli]

works great, @sean-brydon can you fix the type error 🙏

[github-actions]

E2E results are ready!

• Workflow #72759.1 latest results

[CarinaWolli]

Do we really want to remove the migration file? cc @calcom/dba

[keithwillcode]

This didn't run yet on prod. Let's revert