fix pricing desc in billing, add plan to user session, add permissions check to Invite API

apps/web/app/environments/[environmentId]/settings/billing/PricingTable.tsx

@@ -10,7 +10,7 @@ export default function PricingTable() {
             <div className="p-8">
               <h2 className="inline-flex text-3xl font-bold text-slate-700">Free</h2>
               <p className="  mt-4 whitespace-pre-wrap text-sm text-slate-600">
-                Limited to 25 responses per survey.
+                Limited to 30 responses per survey.
               </p>
               <p className="mt-8">
                 <span className="text-slate-80 text-4xl font-light">free</span>

apps/web/lib/api/apiHelper.ts

@@ -55,6 +55,21 @@ export const hasEnvironmentAccess = async (user, environmentId) => {
   return false;
 };
 
+export const hasTeamAccess = async (user, teamId) => {
+  const membership = await prisma.membership.findUnique({
+    where: {
+      userId_teamId: {
+        userId: user.id,
+        teamId: teamId,
+      },
+    },
+  });
+  if (membership) {
+    return true;
+  }
+  return false;
+};
+
 export const getSessionOrUser = async (req: NextApiRequest, res: NextApiResponse) => {
   // check for session (browser usage)
   let session: any = await getServerSession(req, res, authOptions);

apps/web/pages/api/auth/[...nextauth].ts

@@ -134,6 +134,11 @@ export const authOptions: NextAuthOptions = {
           memberships: {
             select: {
               teamId: true,
+              team: {
+                select: {
+                  plan: true,
+                },
+              },
             },
           },
           name: true,
@@ -147,6 +152,10 @@ export const authOptions: NextAuthOptions = {
       const additionalAttributs = {
         id: existingUser.id,
         teamId: existingUser.memberships.length > 0 ? existingUser.memberships[0].teamId : undefined,
+        plan:
+          existingUser.memberships.length > 0 && existingUser.memberships[0].team
+            ? existingUser.memberships[0].team.plan
+            : undefined,
         name: existingUser.name,
       };
 
@@ -160,6 +169,8 @@ export const authOptions: NextAuthOptions = {
       session.user.id = token?.id;
       // @ts-ignore
       session.user.teamId = token?.teamId;
+      // @ts-ignore
+      session.user.plan = token?.plan;
       session.user.name = token.name || "";
 
       return session;

apps/web/pages/api/v1/teams/[teamId]/invite/[inviteId]/index.ts

@@ -1,4 +1,4 @@
-import { getSessionOrUser } from "@/lib/api/apiHelper";
+import { getSessionOrUser, hasTeamAccess } from "@/lib/api/apiHelper";
 import { sendInviteMemberEmail } from "@/lib/email";
 import { prisma } from "@formbricks/database";
 import type { NextApiRequest, NextApiResponse } from "next";
@@ -32,7 +32,7 @@ export default async function handle(req: NextApiRequest, res: NextApiResponse)
         },
       },
     });
-    if (membership?.role !== "owner") {
+    if (membership?.role !== "owner" || membership?.role !== "owner") {
       return res.status(403).json({ message: "You are not allowed to delete members from this team" });
     }
 

apps/web/pages/api/v1/teams/[teamId]/invite/index.ts

@@ -1,4 +1,4 @@
-import { getSessionOrUser } from "@/lib/api/apiHelper";
+import { getSessionOrUser, hasTeamAccess } from "@/lib/api/apiHelper";
 import { sendInviteMemberEmail } from "@/lib/email";
 import { prisma } from "@formbricks/database";
 import type { NextApiRequest, NextApiResponse } from "next";
@@ -15,9 +15,14 @@ export default async function handle(req: NextApiRequest, res: NextApiResponse)
     return res.status(400).json({ message: "Missing teamId" });
   }
 
+  const hasAccess = await hasTeamAccess(currentUser, teamId);
+  if (hasAccess === false) {
+    return res.status(403).json({ message: "Not authorized" });
+  }
+  // TODO check if User is ADMIN or OWNER
+
   // POST /api/v1/teams/[teamId]/invite
   if (req.method === "POST") {
-    //TODO: Check if user is admin of team
     let { email, name } = req.body;
     email = email.toLowerCase();
 

apps/web/pages/api/v1/teams/[teamId]/members/[userId]/index.ts

@@ -1,4 +1,4 @@
-import { getSessionOrUser } from "@/lib/api/apiHelper";
+import { getSessionOrUser, hasTeamAccess } from "@/lib/api/apiHelper";
 import { prisma } from "@formbricks/database";
 import type { NextApiRequest, NextApiResponse } from "next";
 
@@ -14,6 +14,11 @@ export default async function handle(req: NextApiRequest, res: NextApiResponse)
     return res.status(400).json({ message: "Missing teamId" });
   }
 
+  const hasAccess = await hasTeamAccess(currentUser, teamId);
+  if (hasAccess === false) {
+    return res.status(403).json({ message: "Not authorized" });
+  }
+
   const userId = req.query.userId?.toString();
   if (userId === undefined) {
     return res.status(400).json({ message: "Missing userId" });

packages/types/next-auth.d.ts

@@ -9,6 +9,7 @@ declare module "next-auth" {
       /** The user's postal address. */
       id: string;
       teamId?: string;
+      plan?: string;
       email: string;
       name: string;
       finishedOnboarding: boolean;