From 72d34f36786d8643f8530cebcdfb86784aa95fce Mon Sep 17 00:00:00 2001
From: Dhruwang
Date: Mon, 16 Mar 2026 18:15:15 +0530
Subject: [PATCH] refactor: remove organizationId from various actions and components
- Removed organizationId from ZResetSurveyAction, ZUpdateSegmentAction, ZDeleteQuotaAction, ZUpdateInviteAction, and ZDeleteInviteAction schemas.
- Updated corresponding action calls in SurveyAnalysisCTA, SegmentSettings, TargetingCard, and MemberActions components to eliminate organizationId parameter, enhancing security by preventing IDOR vulnerabilities.
---
 .../surveys/[surveyId]/(analysis)/summary/actions.ts | 1 -
 .../(analysis)/summary/components/SurveyAnalysisCTA.tsx | 3 +--
 apps/web/modules/ee/contacts/segments/actions.ts | 1 -
 .../ee/contacts/segments/components/segment-settings.tsx | 1 -
 .../ee/contacts/segments/components/targeting-card.tsx | 4 ++--
 apps/web/modules/ee/quotas/actions.ts | 1 -
 apps/web/modules/ee/quotas/components/quotas-card.tsx | 1 -
 apps/web/modules/ee/role-management/actions.ts | 1 -
 .../ee/role-management/components/edit-membership-role.tsx | 2 +-
 apps/web/modules/organization/settings/teams/actions.ts | 1 -
 .../teams/components/edit-memberships/member-actions.tsx | 2 +-
 11 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/actions.ts b/apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/actions.ts
index 55029cd305..191d077249 100644
--- a/apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/actions.ts
+++ b/apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/actions.ts
@@ -64,7 +64,6 @@ export const sendEmbedSurveyPreviewEmailAction = authenticatedActionClient
 const ZResetSurveyAction = z.object({
 surveyId: ZId,
- organizationId: ZId,
 projectId: ZId,
 });
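Review bot: `projectId: ZId,` is still accepted from the client in `ZResetSurveyAction` after `organizationId` is dropped, and nothing in this hunk ties it to `surveyId`. The action handler lies outside the hunk and the diffstat shows it unchanged, so it is not visible which ID the access check resolves from; if any project-level rule is keyed on the submitted `projectId` rather than on the project looked up from `surveyId`, the mismatch this commit closes for organizations would remain one level down. If the handler already derives both, consider dropping `projectId` as well and stating the rule above the schema: `// organization and project are resolved from surveyId on the server; never accept them as input`. The same schema-only change is made to `ZUpdateSegmentAction`, `ZDeleteQuotaAction`, `ZUpdateInviteAction` and `ZDeleteInviteAction`; a test per action that submits a resource ID belonging to another organization and expects an authorization error would pin the behaviour the commit message claims.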
diff --git a/apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA.tsx b/apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA.tsx
index d39f23c300..0554188b69 100644
--- a/apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA.tsx
+++ b/apps/web/app/(app)/environments/[environmentId]/surveys/[surveyId]/(analysis)/summary/components/SurveyAnalysisCTA.tsx
@@ -64,7 +64,7 @@ export const SurveyAnalysisCTA = ({
 const [isResetModalOpen, setIsResetModalOpen] = useState(false);
 const [isResetting, setIsResetting] = useState(false);
- const { organizationId, project } = useEnvironment();
+ const { project } = useEnvironment();
 const { refreshSingleUseId } = useSingleUseId(survey, isReadOnly);
 const appSetupCompleted = survey.type === "app" && environment.appSetupCompleted;
@@ -128,7 +128,6 @@ export const SurveyAnalysisCTA = ({
 setIsResetting(true);
 const result = await resetSurveyAction({
 surveyId: survey.id,
- organizationId: organizationId,
 projectId: project.id,
 });
 if (result?.data) {
diff --git a/apps/web/modules/ee/contacts/segments/actions.ts b/apps/web/modules/ee/contacts/segments/actions.ts
index b138b5bd30..d319b3d88b 100644
--- a/apps/web/modules/ee/contacts/segments/actions.ts
+++ b/apps/web/modules/ee/contacts/segments/actions.ts
@@ -97,7 +97,6 @@ export const createSegmentAction = authenticatedActionClient.inputSchema(ZSegmen
 );
 const ZUpdateSegmentAction = z.object({
- environmentId: ZId,
 segmentId: ZId,
 data: ZSegmentUpdateInput,
 });
diff --git a/apps/web/modules/ee/contacts/segments/components/segment-settings.tsx b/apps/web/modules/ee/contacts/segments/components/segment-settings.tsx
index 664e2c0fb9..fb01fa17f5 100644
--- a/apps/web/modules/ee/contacts/segments/components/segment-settings.tsx
+++ b/apps/web/modules/ee/contacts/segments/components/segment-settings.tsx
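Review bot: The `ZUpdateSegmentAction` hunk in segments/actions.ts removes `environmentId`, not `organizationId`, and the commit message does not mention it; the `ZDeleteQuotaAction` hunk likewise drops `surveyId`. Because the handler is outside the hunk, a reader of the schema cannot see why the scoping field is absent or where the environment now comes from. A short comment above the schema would record the intent, for example `// environment is resolved from segmentId on the server; it is not accepted as input`, assuming that is what the handler does. Listing the two extra fields in the commit description would also make the change easier to audit later.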
@@ -75,7 +75,6 @@ export function SegmentSettings({
 try {
 setIsUpdatingSegment(true);
 const data = await updateSegmentAction({
- environmentId,
 segmentId: segment.id,
 data: {
 title: segment.title,
diff --git a/apps/web/modules/ee/contacts/segments/components/targeting-card.tsx b/apps/web/modules/ee/contacts/segments/components/targeting-card.tsx
index c0207abc4b..dfceca2aac 100644
--- a/apps/web/modules/ee/contacts/segments/components/targeting-card.tsx
+++ b/apps/web/modules/ee/contacts/segments/components/targeting-card.tsx
@@ -124,7 +124,7 @@ export function TargetingCard({
 };
 const handleSaveAsNewSegmentUpdate = async (segmentId: string, data: TSegmentUpdateInput) => {
- const updatedSegment = await updateSegmentAction({ segmentId, environmentId, data });
+ const updatedSegment = await updateSegmentAction({ segmentId, data });
 return updatedSegment?.data as TSegment;
 };
@@ -136,7 +136,7 @@ export function TargetingCard({
 const handleSaveSegment = async (data: TSegmentUpdateInput) => {
 try {
 if (!segment) throw new Error(t("environments.segments.invalid_segment"));
- const result = await updateSegmentAction({ segmentId: segment.id, environmentId, data });
+ const result = await updateSegmentAction({ segmentId: segment.id, data });
 if (result?.serverError) {
 toast.error(getFormattedErrorMessage(result));
 return;
diff --git a/apps/web/modules/ee/quotas/actions.ts b/apps/web/modules/ee/quotas/actions.ts
index 89b33f45af..3defedc435 100644
--- a/apps/web/modules/ee/quotas/actions.ts
+++ b/apps/web/modules/ee/quotas/actions.ts
@@ -21,7 +21,6 @@ import { getOrganizationBilling } from "@/modules/survey/lib/survey";
 const ZDeleteQuotaAction = z.object({
 quotaId: ZId,
- surveyId: ZId,
 });
 const checkQuotasEnabled = async (organizationId: string) => {
diff --git a/apps/web/modules/ee/quotas/components/quotas-card.tsx b/apps/web/modules/ee/quotas/components/quotas-card.tsx
index 53571abc7b..e725677c9b 100644
--- a/apps/web/modules/ee/quotas/components/quotas-card.tsx
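Review bot: In targeting-card.tsx, `handleSaveAsNewSegmentUpdate` still returns `updatedSegment?.data as TSegment` right after the changed call, so a rejected update (authorization or validation) yields `undefined` typed as a segment and the failure is never shown. `handleSaveSegment` in the next hunk of the same file checks `result?.serverError` and reports it, and the two should agree now that the server is the only place the scope is enforced. Something like `if (updatedSegment?.serverError) { toast.error(getFormattedErrorMessage(updatedSegment)); return; }` before the return would do it, though the caller is outside the hunk and its handling of an undefined result should be checked first.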
+++ b/apps/web/modules/ee/quotas/components/quotas-card.tsx
@@ -85,7 +85,6 @@ export const QuotasCard = ({
 setIsDeletingQuota(true);
 const deleteQuotaActionResult = await deleteQuotaAction({
 quotaId: quotaId,
- surveyId: localSurvey.id,
 });
 if (deleteQuotaActionResult?.data) {
 toast.success(t("environments.surveys.edit.quotas.quota_deleted_successfull_toast"));
diff --git a/apps/web/modules/ee/role-management/actions.ts b/apps/web/modules/ee/role-management/actions.ts
index 377fa8c8cf..8b450b8cb4 100644
--- a/apps/web/modules/ee/role-management/actions.ts
+++ b/apps/web/modules/ee/role-management/actions.ts
@@ -32,7 +32,6 @@ export const checkRoleManagementPermission = async (organizationId: string) => {
 const ZUpdateInviteAction = z.object({
 inviteId: ZUuid,
- organizationId: ZId,
 data: ZInviteUpdateInput,
 });
diff --git a/apps/web/modules/ee/role-management/components/edit-membership-role.tsx b/apps/web/modules/ee/role-management/components/edit-membership-role.tsx
index 94ebd227af..f03f0dcb9c 100644
--- a/apps/web/modules/ee/role-management/components/edit-membership-role.tsx
+++ b/apps/web/modules/ee/role-management/components/edit-membership-role.tsx
@@ -65,7 +65,7 @@ export function EditMembershipRole({
 }
 if (inviteId) {
- await updateInviteAction({ inviteId: inviteId, data: { role } });
+ await updateInviteAction({ inviteId: inviteId, data: { role } });
 }
 } catch (error) {
 toast.error(t("common.something_went_wrong_please_try_again"));
diff --git a/apps/web/modules/organization/settings/teams/actions.ts b/apps/web/modules/organization/settings/teams/actions.ts
index 0e31fae9f8..2b835d8af7 100644
--- a/apps/web/modules/organization/settings/teams/actions.ts
+++ b/apps/web/modules/organization/settings/teams/actions.ts
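Review bot: In edit-membership-role.tsx the result of `updateInviteAction({ inviteId: inviteId, data: { role } })` is discarded, so a server-side refusal is invisible to the user. Other call sites on this page read `result?.serverError` from these actions, which suggests a denied request comes back as a value rather than an exception; if so, the surrounding `catch` never fires and the role appears to have changed when it has not. Capturing the result and reusing the existing message would close that gap: `const result = await updateInviteAction({ inviteId, data: { role } });` followed by `if (result?.serverError) { toast.error(t("common.something_went_wrong_please_try_again")); return; }`. The function body starts and ends outside the hunk, so any membership-update call earlier in the same `try` deserves the same check.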
@@ -27,7 +27,6 @@ import { deleteInvite, getInvite, inviteUser, refreshInviteExpiration, resendInv
 const ZDeleteInviteAction = z.object({
 inviteId: ZUuid,
- organizationId: ZId,
 });
 export const deleteInviteAction = authenticatedActionClient.inputSchema(ZDeleteInviteAction).action(
diff --git a/apps/web/modules/organization/settings/teams/components/edit-memberships/member-actions.tsx b/apps/web/modules/organization/settings/teams/components/edit-memberships/member-actions.tsx
index e240f7a62f..ab5d4a7e10 100644
--- a/apps/web/modules/organization/settings/teams/components/edit-memberships/member-actions.tsx
+++ b/apps/web/modules/organization/settings/teams/components/edit-memberships/member-actions.tsx
@@ -41,7 +41,7 @@ export const MemberActions = ({ organization, member, invite, showDeleteButton }
 if (!member && invite) {
 // This is an invite
- const result = await deleteInviteAction({ inviteId: invite?.id, organizationId: organization.id });
+ const result = await deleteInviteAction({ inviteId: invite?.id });
 if (result?.serverError) {
 toast.error(getFormattedErrorMessage(result));
 setIsDeleting(false);