feat: add ability for org billing leader and org admin to delete meet…

…ing templates (#10902)
ParabolInc · Feb 20, 2025 · f32c0aa · f32c0aa
1 parent e73fcf9
commit f32c0aa
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 6 deletions.
diff --git a/packages/server/graphql/mutations/removeReflectTemplate.ts b/packages/server/graphql/mutations/removeReflectTemplate.ts
@@ -2,7 +2,12 @@ import {GraphQLID, GraphQLNonNull} from 'graphql'
 import {sql} from 'kysely'
 import {SubscriptionChannel} from 'parabol-client/types/constEnums'
 import getKysely from '../../postgres/getKysely'
-import {getUserId, isTeamMember} from '../../utils/authorization'
+import {
+  getUserId,
+  isTeamMember,
+  isUserBillingLeader,
+  isUserOrgAdmin
+} from '../../utils/authorization'
 import publish from '../../utils/publish'
 import standardError from '../../utils/standardError'
 import {GQLContext} from '../graphql'
@@ -31,8 +36,14 @@ const removeReflectTemplate = {
     if (!template || !template.isActive) {
       return standardError(new Error('Template not found'), {userId: viewerId})
     }
-    if (!isTeamMember(authToken, template.teamId)) {
-      return standardError(new Error('Team not found'), {userId: viewerId})
+    const [isBillingLeader, isOrgAdmin] = await Promise.all([
+      isUserBillingLeader(viewerId, template.orgId, dataLoader),
+      isUserOrgAdmin(viewerId, template.orgId, dataLoader)
+    ])
+    if (!isTeamMember(authToken, template.teamId) && !isBillingLeader && !isOrgAdmin) {
+      return standardError(new Error('You are not authorized to remove this template'), {
+        userId: viewerId
+      })
     }
 
     // VALIDATION

diff --git a/packages/server/graphql/public/mutations/removePokerTemplate.ts b/packages/server/graphql/public/mutations/removePokerTemplate.ts
@@ -1,6 +1,11 @@
 import {SprintPokerDefaults, SubscriptionChannel} from 'parabol-client/types/constEnums'
 import getKysely from '../../../postgres/getKysely'
-import {getUserId, isTeamMember} from '../../../utils/authorization'
+import {
+  getUserId,
+  isTeamMember,
+  isUserBillingLeader,
+  isUserOrgAdmin
+} from '../../../utils/authorization'
 import publish from '../../../utils/publish'
 import standardError from '../../../utils/standardError'
 import {MutationResolvers} from '../resolverTypes'
@@ -21,8 +26,14 @@ const removePokerTemplate: MutationResolvers['removePokerTemplate'] = async (
   if (!template || !template.isActive) {
     return standardError(new Error('Template not found'), {userId: viewerId})
   }
-  if (!isTeamMember(authToken, template.teamId)) {
-    return standardError(new Error('Team not found'), {userId: viewerId})
+  const [isBillingLeader, isOrgAdmin] = await Promise.all([
+    isUserBillingLeader(viewerId, template.orgId, dataLoader),
+    isUserOrgAdmin(viewerId, template.orgId, dataLoader)
+  ])
+  if (!isTeamMember(authToken, template.teamId) && !isBillingLeader && !isOrgAdmin) {
+    return standardError(new Error('You are not authorized to remove this template'), {
+      userId: viewerId
+    })
   }
 
   // VALIDATION