edge case improvements

Author: icecrasher321

apps/sim/app/api/organizations/[id]/members/[memberId]/route.ts

@@ -342,6 +342,8 @@ export const DELETE = withRouteHandler(
           removedBy: session.user.id,
           workspaceAccessRevoked: externalResult.workspaceAccessRevoked,
           permissionGroupsRevoked: externalResult.permissionGroupsRevoked,
+          credentialMembershipsRevoked: externalResult.credentialMembershipsRevoked,
+          pendingInvitationsCancelled: externalResult.pendingInvitationsCancelled,
         })
 
         recordAudit({
@@ -360,6 +362,8 @@ export const DELETE = withRouteHandler(
             membershipType: 'external',
             workspaceAccessRevoked: externalResult.workspaceAccessRevoked,
             permissionGroupsRevoked: externalResult.permissionGroupsRevoked,
+            credentialMembershipsRevoked: externalResult.credentialMembershipsRevoked,
+            pendingInvitationsCancelled: externalResult.pendingInvitationsCancelled,
           },
           request,
         })
@@ -374,6 +378,8 @@ export const DELETE = withRouteHandler(
             membershipType: 'external',
             workspaceAccessRevoked: externalResult.workspaceAccessRevoked,
             permissionGroupsRevoked: externalResult.permissionGroupsRevoked,
+            credentialMembershipsRevoked: externalResult.credentialMembershipsRevoked,
+            pendingInvitationsCancelled: externalResult.pendingInvitationsCancelled,
           },
         })
       }

apps/sim/app/api/organizations/[id]/roster/route.ts

@@ -8,7 +8,7 @@ import {
   workspace,
 } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
-import { and, eq, inArray, isNull, ne, sql } from 'drizzle-orm'
+import { and, eq, inArray, isNull, sql } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { getSession } from '@/lib/auth'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
@@ -57,7 +57,7 @@ export const GET = withRouteHandler(
       const orgWorkspaces = await db
         .select({ id: workspace.id, name: workspace.name })
         .from(workspace)
-        .where(eq(workspace.organizationId, organizationId))
+        .where(and(eq(workspace.organizationId, organizationId), isNull(workspace.archivedAt)))
 
       const orgWorkspaceIds = orgWorkspaces.map((ws) => ws.id)
       const workspaceNameById = new Map(orgWorkspaces.map((ws) => [ws.id, ws.name]))
@@ -201,13 +201,7 @@ export const GET = withRouteHandler(
         })
         .from(invitation)
         .leftJoin(user, sql`lower(${user.email}) = lower(${invitation.email})`)
-        .where(
-          and(
-            eq(invitation.organizationId, organizationId),
-            eq(invitation.status, 'pending'),
-            ne(invitation.membershipIntent, 'external')
-          )
-        )
+        .where(and(eq(invitation.organizationId, organizationId), eq(invitation.status, 'pending')))
 
       const pendingInvitationIds = pendingInvitationRows.map((row) => row.id)
       const pendingGrants =
@@ -236,7 +230,7 @@ export const GET = withRouteHandler(
       const pendingInvitations = pendingInvitationRows.map((row) => ({
         id: row.id,
         email: row.email,
-        role: row.role,
+        role: row.membershipIntent === 'external' ? 'external' : row.role,
         kind: row.kind,
         membershipIntent: row.membershipIntent,
         createdAt: row.createdAt,

apps/sim/app/api/workspaces/members/[id]/route.ts

@@ -1,13 +1,14 @@
 import { AuditAction, AuditResourceType, recordAudit } from '@sim/audit'
 import { db } from '@sim/db'
-import { permissions, workspace } from '@sim/db/schema'
+import { permissionGroupMember, permissions, workspace } from '@sim/db/schema'
 import { createLogger } from '@sim/logger'
+import { generateId } from '@sim/utils/id'
 import { and, eq } from 'drizzle-orm'
 import { type NextRequest, NextResponse } from 'next/server'
 import { z } from 'zod'
 import { getSession } from '@/lib/auth'
 import { withRouteHandler } from '@/lib/core/utils/with-route-handler'
-import { revokeWorkspaceCredentialMemberships } from '@/lib/credentials/access'
+import { revokeWorkspaceCredentialMembershipsTx } from '@/lib/credentials/access'
 import { captureServerEvent } from '@/lib/posthog/server'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
 
@@ -32,7 +33,10 @@ export const DELETE = withRouteHandler(
       const { workspaceId } = body
 
       const workspaceRow = await db
-        .select({ billedAccountUserId: workspace.billedAccountUserId })
+        .select({
+          ownerId: workspace.ownerId,
+          billedAccountUserId: workspace.billedAccountUserId,
+        })
         .from(workspace)
         .where(eq(workspace.id, workspaceId))
         .limit(1)
@@ -61,7 +65,10 @@ export const DELETE = withRouteHandler(
         )
         .then((rows) => rows[0])
 
-      if (!userPermission) {
+      const isRemovingWorkspaceOwner = workspaceRow[0].ownerId === userId
+      const isOwnerOnlyRemoval = isRemovingWorkspaceOwner && !userPermission
+
+      if (!userPermission && !isOwnerOnlyRemoval) {
         return NextResponse.json({ error: 'User not found in workspace' }, { status: 404 })
       }
 
@@ -73,8 +80,19 @@ export const DELETE = withRouteHandler(
         return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 })
       }
 
+      if (
+        isRemovingWorkspaceOwner &&
+        !isSelf &&
+        session.user.id !== workspaceRow[0].billedAccountUserId
+      ) {
+        return NextResponse.json(
+          { error: 'Only the workspace owner or billing account can remove the workspace owner' },
+          { status: 403 }
+        )
+      }
+
       // Prevent removing yourself if you're the last admin
-      if (isSelf && userPermission.permissionType === 'admin') {
+      if (isSelf && userPermission?.permissionType === 'admin' && !isRemovingWorkspaceOwner) {
         const otherAdmins = await db
           .select()
           .from(permissions)
@@ -95,18 +113,73 @@ export const DELETE = withRouteHandler(
         }
       }
 
-      // Delete the user's permissions for this workspace
-      await db
-        .delete(permissions)
-        .where(
-          and(
-            eq(permissions.userId, userId),
-            eq(permissions.entityType, 'workspace'),
-            eq(permissions.entityId, workspaceId)
+      const ownershipTransferred = await db.transaction(async (tx) => {
+        let didTransferOwnership = false
+
+        if (isRemovingWorkspaceOwner) {
+          const newOwnerId = workspaceRow[0].billedAccountUserId
+
+          await tx
+            .update(workspace)
+            .set({ ownerId: newOwnerId, updatedAt: new Date() })
+            .where(eq(workspace.id, workspaceId))
+
+          const [existingNewOwnerPermission] = await tx
+            .select({ id: permissions.id })
+            .from(permissions)
+            .where(
+              and(
+                eq(permissions.userId, newOwnerId),
+                eq(permissions.entityType, 'workspace'),
+                eq(permissions.entityId, workspaceId)
+              )
+            )
+            .limit(1)
+
+          if (existingNewOwnerPermission) {
+            await tx
+              .update(permissions)
+              .set({ permissionType: 'admin', updatedAt: new Date() })
+              .where(eq(permissions.id, existingNewOwnerPermission.id))
+          } else {
+            const now = new Date()
+            await tx.insert(permissions).values({
+              id: generateId(),
+              userId: newOwnerId,
+              entityType: 'workspace',
+              entityId: workspaceId,
+              permissionType: 'admin',
+              createdAt: now,
+              updatedAt: now,
+            })
+          }
+
+          didTransferOwnership = true
+        }
+
+        await tx
+          .delete(permissions)
+          .where(
+            and(
+              eq(permissions.userId, userId),
+              eq(permissions.entityType, 'workspace'),
+              eq(permissions.entityId, workspaceId)
+            )
           )
-        )
 
-      await revokeWorkspaceCredentialMemberships(workspaceId, userId)
+        await revokeWorkspaceCredentialMembershipsTx(tx, workspaceId, userId)
+
+        await tx
+          .delete(permissionGroupMember)
+          .where(
+            and(
+              eq(permissionGroupMember.userId, userId),
+              eq(permissionGroupMember.workspaceId, workspaceId)
+            )
+          )
+
+        return didTransferOwnership
+      })
 
       captureServerEvent(
         session.user.id,
@@ -126,8 +199,9 @@ export const DELETE = withRouteHandler(
         description: isSelf ? 'Left the workspace' : `Removed member ${userId} from the workspace`,
         metadata: {
           removedUserId: userId,
-          removedUserRole: userPermission.permissionType,
+          removedUserRole: userPermission?.permissionType ?? 'owner',
           selfRemoval: isSelf,
+          ownershipTransferred,
         },
         request: req,
       })

apps/sim/app/workspace/[workspaceId]/settings/components/team-management/components/organization-roster/organization-roster.tsx

@@ -75,11 +75,11 @@ function apportionCredits(
   return result
 }
 
-function RoleBadge({ role }: { role: string }) {
-  const variant = role === 'owner' ? 'blue-secondary' : 'gray-secondary'
+function RoleBadge({ memberRole }: { memberRole: string }) {
+  const variant = memberRole === 'owner' ? 'blue-secondary' : 'gray-secondary'
   return (
     <Badge variant={variant} size='sm'>
-      {role.charAt(0).toUpperCase() + role.slice(1)}
+      {memberRole.charAt(0).toUpperCase() + memberRole.slice(1)}
     </Badge>
   )
 }
@@ -550,7 +550,7 @@ export function OrganizationRoster({
                         isExternal ||
                         !canEditRoles ||
                         m.userId === currentUserId ? (
-                          <RoleBadge role={m.role} />
+                          <RoleBadge memberRole={m.role} />
                         ) : (
                           <OrgRoleSelector
                             value={(m.role === 'admin' ? 'admin' : 'member') as OrgRole}
@@ -634,6 +634,7 @@ export function OrganizationRoster({
               {filteredInvitations.map((inv) => {
                 const rowKey = `invite-${inv.id}`
                 const expanded = expandedRows.has(rowKey)
+                const isExternal = inv.membershipIntent === 'external'
                 const isResending = resendingIds.has(inv.id)
                 const isCancelling = cancellingIds.has(inv.id)
                 const cooldown = resendCooldowns[inv.id] ?? 0
@@ -664,7 +665,9 @@ export function OrganizationRoster({
                         </button>
                       </TableCell>
                       <TableCell>
-                        {isAdminOrOwner ? (
+                        {isExternal ? (
+                          <RoleBadge memberRole='external' />
+                        ) : isAdminOrOwner ? (
                           <OrgRoleSelector
                             value={(inv.role === 'admin' ? 'admin' : 'member') as OrgRole}
                             onChange={(next) =>
@@ -681,7 +684,7 @@ export function OrganizationRoster({
                             disabled={updateInvitation.isPending}
                           />
                         ) : (
-                          <RoleBadge role={inv.role} />
+                          <RoleBadge memberRole={inv.role} />
                         )}
                       </TableCell>
                       <TableCell className='text-right'>

apps/sim/app/workspace/[workspaceId]/settings/components/team-management/components/remove-member-dialog/remove-member-dialog.tsx

@@ -14,6 +14,7 @@ interface RemoveMemberDialogProps {
   shouldReduceSeats: boolean
   isSelfRemoval?: boolean
   isExternalRemoval?: boolean
+  isSubmitting?: boolean
   error?: Error | null
   onOpenChange: (open: boolean) => void
   onShouldReduceSeatsChange: (shouldReduce: boolean) => void
@@ -32,6 +33,7 @@ export function RemoveMemberDialog({
   onCancel,
   isSelfRemoval = false,
   isExternalRemoval = false,
+  isSubmitting = false,
 }: RemoveMemberDialogProps) {
   const title = isSelfRemoval
     ? 'Leave Organization'
@@ -92,11 +94,12 @@ export function RemoveMemberDialog({
           )}
         </ModalBody>
         <ModalFooter>
-          <Button variant='default' onClick={onCancel}>
+          <Button variant='default' disabled={isSubmitting} onClick={onCancel}>
             Cancel
           </Button>
           <Button
             variant='destructive'
+            disabled={isSubmitting}
             onClick={() => onConfirmRemove(isExternalRemoval ? false : shouldReduceSeats)}
           >
             {isSelfRemoval ? 'Leave Organization' : 'Remove'}

apps/sim/app/workspace/[workspaceId]/settings/components/team-management/components/transfer-ownership-dialog/transfer-ownership-dialog.tsx

@@ -53,7 +53,9 @@ export function TransferOwnershipDialog({
   const [selectedUserId, setSelectedUserId] = useState<string | null>(null)
 
   const candidates = useMemo(() => {
-    const others = members.filter((m) => m.userId !== currentUserId && m.role !== 'owner')
+    const others = members.filter(
+      (m) => m.userId !== currentUserId && m.role !== 'owner' && m.role !== 'external'
+    )
     others.sort((a, b) => {
       if (a.role === 'admin' && b.role !== 'admin') return -1
       if (a.role !== 'admin' && b.role === 'admin') return 1
@@ -66,7 +68,9 @@ export function TransferOwnershipDialog({
     )
   }, [members, currentUserId, search])
 
-  const hasCandidates = members.some((m) => m.userId !== currentUserId && m.role !== 'owner')
+  const hasCandidates = members.some(
+    (m) => m.userId !== currentUserId && m.role !== 'owner' && m.role !== 'external'
+  )
 
   const handleClose = (next: boolean) => {
     if (!next) {

apps/sim/app/workspace/[workspaceId]/settings/components/team-management/team-management.tsx

@@ -222,6 +222,18 @@ export function TeamManagement() {
           orgId: activeOrganization?.id,
           shouldReduceSeats,
         })
+
+        if (shouldReduceSeats && totalSeats > 1) {
+          try {
+            await updateSeatsMutation.mutateAsync({
+              orgId: activeOrganization.id,
+              seats: totalSeats - 1,
+            })
+          } catch (seatError) {
+            logger.error('Failed to reduce seats after removing member', seatError)
+          }
+        }
+
         setRemoveMemberDialog({
           open: false,
           memberId: '',
@@ -243,6 +255,8 @@ export function TeamManagement() {
       session?.user?.id,
       activeOrganization?.id,
       removeMemberMutation,
+      totalSeats,
+      updateSeatsMutation,
     ]
   )
 
@@ -504,6 +518,7 @@ export function TeamManagement() {
         shouldReduceSeats={removeMemberDialog.shouldReduceSeats}
         isSelfRemoval={removeMemberDialog.isSelfRemoval}
         isExternalRemoval={removeMemberDialog.isExternalRemoval}
+        isSubmitting={removeMemberMutation.isPending}
         error={removeMemberMutation.error}
         onOpenChange={(open: boolean) => {
           if (!open) setRemoveMemberDialog({ ...removeMemberDialog, open: false })