feat: add ability for org billing leader and org admin to delete meet…

…ing templates
ParabolInc · Feb 20, 2025 · 2d64bb6 · 2d64bb6
1 parent 8da96fd
commit 2d64bb6
Show file tree

Hide file tree

Showing 4 changed files with 256 additions and 13 deletions.
diff --git a/package.json b/package.json
@@ -114,6 +114,7 @@
     "mini-css-extract-plugin": "^2.7.2",
     "minimist": "^1.2.5",
     "node-loader": "^2.0.0",
+    "nx": "^20.4.5",
     "pm2": "^5.4.2",
     "postcss": "^8.5.1",
     "postcss-loader": "^7.0.2",

diff --git a/packages/server/graphql/mutations/removeReflectTemplate.ts b/packages/server/graphql/mutations/removeReflectTemplate.ts
@@ -2,7 +2,12 @@ import {GraphQLID, GraphQLNonNull} from 'graphql'
 import {sql} from 'kysely'
 import {SubscriptionChannel} from 'parabol-client/types/constEnums'
 import getKysely from '../../postgres/getKysely'
-import {getUserId, isTeamMember} from '../../utils/authorization'
+import {
+  getUserId,
+  isTeamMember,
+  isUserBillingLeader,
+  isUserOrgAdmin
+} from '../../utils/authorization'
 import publish from '../../utils/publish'
 import standardError from '../../utils/standardError'
 import {GQLContext} from '../graphql'
@@ -31,8 +36,14 @@ const removeReflectTemplate = {
     if (!template || !template.isActive) {
       return standardError(new Error('Template not found'), {userId: viewerId})
     }
-    if (!isTeamMember(authToken, template.teamId)) {
-      return standardError(new Error('Team not found'), {userId: viewerId})
+    const [isBillingLeader, isOrgAdmin] = await Promise.all([
+      isUserBillingLeader(viewerId, template.orgId, dataLoader),
+      isUserOrgAdmin(viewerId, template.orgId, dataLoader)
+    ])
+    if (!isTeamMember(authToken, template.teamId) && !isBillingLeader && !isOrgAdmin) {
+      return standardError(new Error('You are not authorized to remove this template'), {
+        userId: viewerId
+      })
     }
 
     // VALIDATION

diff --git a/packages/server/graphql/public/mutations/removePokerTemplate.ts b/packages/server/graphql/public/mutations/removePokerTemplate.ts
@@ -1,6 +1,11 @@
 import {SprintPokerDefaults, SubscriptionChannel} from 'parabol-client/types/constEnums'
 import getKysely from '../../../postgres/getKysely'
-import {getUserId, isTeamMember} from '../../../utils/authorization'
+import {
+  getUserId,
+  isTeamMember,
+  isUserBillingLeader,
+  isUserOrgAdmin
+} from '../../../utils/authorization'
 import publish from '../../../utils/publish'
 import standardError from '../../../utils/standardError'
 import {MutationResolvers} from '../resolverTypes'
@@ -21,8 +26,14 @@ const removePokerTemplate: MutationResolvers['removePokerTemplate'] = async (
   if (!template || !template.isActive) {
     return standardError(new Error('Template not found'), {userId: viewerId})
   }
-  if (!isTeamMember(authToken, template.teamId)) {
-    return standardError(new Error('Team not found'), {userId: viewerId})
+  const [isBillingLeader, isOrgAdmin] = await Promise.all([
+    isUserBillingLeader(viewerId, template.orgId, dataLoader),
+    isUserOrgAdmin(viewerId, template.orgId, dataLoader)
+  ])
+  if (!isTeamMember(authToken, template.teamId) && !isBillingLeader && !isOrgAdmin) {
+    return standardError(new Error('You are not authorized to remove this template'), {
+      userId: viewerId
+    })
   }
 
   // VALIDATION