[EC-850] ProviderUser permissions should prevail over member permissions (#5162)

* Apply provider permissions even if also member * Add org.isMember * Refactor: extract syncProfileOrganizations method * Change isNotProvider logic to isMember * Fix cascading org permissions * Add memberOrganizations$ observable
2025-12-11 22:03:36 +00:00 · 2023-04-17 13:09:53 +10:00
parent fbbaf10488
commit ad0c460687
16 changed files with 99 additions and 59 deletions
--- a/libs/common/src/admin-console/models/domain/organization.ts
+++ b/libs/common/src/admin-console/models/domain/organization.ts
@@ -9,7 +9,14 @@ export class Organization {
  id: string;
  name: string;
  status: OrganizationUserStatusType;
+
+  /**
+   * The member's role in the organization.
+   * Avoid using this for permission checks - use the getters instead (e.g. isOwner, isAdmin, canManageX), because they
+   * properly handle permission inheritance and relationships.
+   */
  type: OrganizationUserType;
+
  enabled: boolean;
  usePolicies: boolean;
  useGroups: boolean;
@@ -39,7 +46,14 @@ export class Organization {
  providerId: string;
  providerName: string;
  providerType?: ProviderType;
+  /**
+   * Indicates that a user is a ProviderUser for the organization
+   */
  isProviderUser: boolean;
+  /**
+   * Indicates that a user is a member for the organization (may be `false` if they have access via a Provider only)
+   */
+  isMember: boolean;
  familySponsorshipFriendlyName: string;
  familySponsorshipAvailable: boolean;
  planProductType: ProductType;
@@ -89,6 +103,7 @@ export class Organization {
    this.providerName = obj.providerName;
    this.providerType = obj.providerType;
    this.isProviderUser = obj.isProviderUser;
+    this.isMember = obj.isMember;
    this.familySponsorshipFriendlyName = obj.familySponsorshipFriendlyName;
    this.familySponsorshipAvailable = obj.familySponsorshipAvailable;
    this.planProductType = obj.planProductType;
@@ -101,24 +116,29 @@ export class Organization {
  }

  get canAccess() {
-    if (this.type === OrganizationUserType.Owner) {
+    if (this.isOwner) {
      return true;
    }
    return this.enabled && this.status === OrganizationUserStatusType.Confirmed;
  }

+  /**
+   * Whether a user has Manager permissions or greater
+   */
  get isManager() {
-    return (
-      this.type === OrganizationUserType.Manager ||
-      this.type === OrganizationUserType.Owner ||
-      this.type === OrganizationUserType.Admin
-    );
+    return this.type === OrganizationUserType.Manager || this.isAdmin;
  }

+  /**
+   * Whether a user has Admin permissions or greater
+   */
  get isAdmin() {
-    return this.type === OrganizationUserType.Owner || this.type === OrganizationUserType.Admin;
+    return this.type === OrganizationUserType.Admin || this.isOwner;
  }

+  /**
+   * Whether a user has Owner permissions (including ProviderUsers)
+   */
  get isOwner() {
    return this.type === OrganizationUserType.Owner || this.isProviderUser;
  }