fix: Remove team members as org admin (#24020)

* Fallback to org admin

* Prevent accidental privilege escalation as code changes in the future

* When org admin, we don't actually need to do the db query

* Use findMany and Map to drill down permission adjustments

* Exclude .MEMBER from overriding role, we likely don't want to demote

* refactor logic

* Add tests for services/factories + removeHandler

* fix type check

---------

Co-authored-by: Alex van Andel <[email protected]>
Co-authored-by: Sean Brydon <[email protected]>

Author: 3 people

packages/trpc/server/routers/viewer/teams/removeMember.handler.ts

@@ -1,121 +1,72 @@
-import { FeaturesRepository } from "@calcom/features/flags/features.repository";
-import { Resource, CustomAction } from "@calcom/features/pbac/domain/types/permission-registry";
-import { getSpecificPermissions } from "@calcom/features/pbac/lib/resource-permissions";
 import { checkRateLimitAndThrowError } from "@calcom/lib/checkRateLimitAndThrowError";
-import { isTeamOwner } from "@calcom/features/ee/teams/lib/queries";
-import { TeamService } from "@calcom/lib/server/service/teamService";
-import { prisma } from "@calcom/prisma";
-import { MembershipRole } from "@calcom/prisma/enums";
-import type { TrpcSessionUser } from "@calcom/trpc/server/types";
 
 import { TRPCError } from "@trpc/server";
 
 import type { TRemoveMemberInputSchema } from "./removeMember.schema";
+import { RemoveMemberServiceFactory } from "./removeMember/RemoveMemberServiceFactory";
 
 type RemoveMemberOptions = {
   ctx: {
-    user: NonNullable<TrpcSessionUser>;
-    sourceIp?: string;
+    user: {
+      id: number;
+      organization?: {
+        isOrgAdmin: boolean;
+      };
+    };
   };
   input: TRemoveMemberInputSchema;
 };
 
-export const removeMemberHandler = async ({ ctx, input }: RemoveMemberOptions) => {
+export const removeMemberHandler = async ({
+  ctx: {
+    user: { id: userId, organization },
+  },
+  input,
+}: RemoveMemberOptions) => {
   await checkRateLimitAndThrowError({
-    identifier: `removeMember.${ctx.user.id}`,
+    identifier: `removeMember.${userId}`,
   });
 
   const { memberIds, teamIds, isOrg } = input;
+  const isOrgAdmin = organization?.isOrgAdmin ?? false;
+
+  // Note: This assumes that all teams in the request have the same PBAC setting 9999% chance they do.
+  const primaryTeamId = teamIds[0];
+  if (!primaryTeamId) {
+    throw new TRPCError({
+      code: "BAD_REQUEST",
+      message: "At least one team ID must be provided",
+    });
+  }
 
-  // Check PBAC permissions for each team
-  const hasRemovePermission = await Promise.all(
-    teamIds.map(async (teamId) => {
-      // Get user's membership role in this team
-      const membership = await prisma.membership.findFirst({
-        where: {
-          userId: ctx.user.id,
-          teamId: teamId,
-        },
-        select: {
-          role: true,
-        },
-      });
-
-      if (!membership) return false;
-
-      // Check PBAC permissions for removing team members
-      const permissions = await getSpecificPermissions({
-        userId: ctx.user.id,
-        teamId: teamId,
-        resource: isOrg ? Resource.Organization : Resource.Team,
-        userRole: membership.role,
-        actions: [CustomAction.Remove],
-        fallbackRoles: {
-          [CustomAction.Remove]: {
-            roles: [MembershipRole.ADMIN, MembershipRole.OWNER],
-          },
-        },
-      });
-
-      return permissions[CustomAction.Remove];
-    })
-  ).then((results) => results.every((result) => result));
+  // Get the appropriate service based on feature flag
+  const service = await RemoveMemberServiceFactory.create(primaryTeamId);
 
-  // Check if user is trying to remove themselves (allowed for non-owners)
-  const isRemovingSelf = memberIds.length === 1 && memberIds[0] === ctx.user.id;
+  const { hasPermission } = await service.checkRemovePermissions({
+    userId,
+    isOrgAdmin,
+    memberIds,
+    teamIds,
+    isOrg,
+  });
 
-  // Allow if user has remove permission OR if they're removing themselves
-  if (!hasRemovePermission && !isRemovingSelf) {
+  if (!hasPermission) {
     throw new TRPCError({ code: "UNAUTHORIZED" });
   }
 
-  // TODO(SEAN): Remove this after PBAC is rolled out.
-  // Check if any team has PBAC enabled
-  const featuresRepository = new FeaturesRepository(prisma);
-  const pbacEnabledForTeams = await Promise.all(
-    teamIds.map(async (teamId) => await featuresRepository.checkIfTeamHasFeature(teamId, "pbac"))
+  await service.validateRemoval(
+    {
+      userId,
+      isOrgAdmin,
+      memberIds,
+      teamIds,
+      isOrg,
+    },
+    hasPermission
   );
-  const isAnyTeamPBACEnabled = pbacEnabledForTeams.some((enabled) => enabled);
-
-  // Only apply traditional owner-based logic if PBAC is not enabled for any teams
-  if (!isAnyTeamPBACEnabled) {
-    // Only a team owner can remove another team owner.
-    const isAnyMemberOwnerAndCurrentUserNotOwner = await Promise.all(
-      memberIds.map(async (memberId) => {
-        const isAnyTeamOwnerAndCurrentUserNotOwner = await Promise.all(
-          teamIds.map(async (teamId) => {
-            return (await isTeamOwner(memberId, teamId)) && !(await isTeamOwner(ctx.user.id, teamId));
-          })
-        ).then((results) => results.some((result) => result));
-
-        return isAnyTeamOwnerAndCurrentUserNotOwner;
-      })
-    ).then((results) => results.some((result) => result));
-
-    if (isAnyMemberOwnerAndCurrentUserNotOwner) {
-      throw new TRPCError({
-        code: "UNAUTHORIZED",
-        message: "Only a team owner can remove another team owner.",
-      });
-    }
-
-    // Check if user is trying to remove themselves from a team they own (prevent this)
-    if (isRemovingSelf && hasRemovePermission) {
-      // Additional check: ensure they're not an owner trying to remove themselves
-      const isOwnerOfAnyTeam = await Promise.all(
-        teamIds.map(async (teamId) => await isTeamOwner(ctx.user.id, teamId))
-      ).then((results) => results.some((result) => result));
-
-      if (isOwnerOfAnyTeam) {
-        throw new TRPCError({
-          code: "FORBIDDEN",
-          message: "You can not remove yourself from a team you own.",
-        });
-      }
-    }
-  }
 
-  await TeamService.removeMembers({ teamIds, userIds: memberIds, isOrg });
+  // Perform the removal
+  await service.removeMembers(memberIds, teamIds, isOrg);
 };
 
 export default removeMemberHandler;

packages/trpc/server/routers/viewer/teams/removeMember/BaseRemoveMemberService.ts

@@ -0,0 +1,21 @@
+import { TeamService } from "@calcom/lib/server/service/teamService";
+
+import type {
+  IRemoveMemberService,
+  RemoveMemberContext,
+  RemoveMemberPermissionResult,
+} from "./IRemoveMemberService";
+
+/**
+ * Base abstract class for remove member services
+ * Provides common functionality and defines abstract methods for specific implementations
+ */
+export abstract class BaseRemoveMemberService implements IRemoveMemberService {
+  abstract checkRemovePermissions(context: RemoveMemberContext): Promise<RemoveMemberPermissionResult>;
+
+  abstract validateRemoval(context: RemoveMemberContext, hasPermission: boolean): Promise<void>;
+
+  async removeMembers(memberIds: number[], teamIds: number[], isOrg: boolean): Promise<void> {
+    await TeamService.removeMembers({ teamIds, userIds: memberIds, isOrg });
+  }
+}

packages/trpc/server/routers/viewer/teams/removeMember/IRemoveMemberService.ts

@@ -0,0 +1,31 @@
+import type { MembershipRole } from "@calcom/prisma/enums";
+
+export interface RemoveMemberContext {
+  userId: number;
+  isOrgAdmin: boolean;
+  memberIds: number[];
+  teamIds: number[];
+  isOrg: boolean;
+}
+
+export interface RemoveMemberPermissionResult {
+  hasPermission: boolean;
+  userRoles?: Map<number, MembershipRole | null>;
+}
+
+export interface IRemoveMemberService {
+  /**
+   * Checks if the user has permission to remove members from teams
+   */
+  checkRemovePermissions(context: RemoveMemberContext): Promise<RemoveMemberPermissionResult>;
+
+  /**
+   * Validates that the removal can proceed (e.g., owner checks)
+   */
+  validateRemoval(context: RemoveMemberContext, hasPermission: boolean): Promise<void>;
+
+  /**
+   * Performs the actual removal of members from teams
+   */
+  removeMembers(memberIds: number[], teamIds: number[], isOrg: boolean): Promise<void>;
+}

packages/trpc/server/routers/viewer/teams/removeMember/LegacyRemoveMemberService.ts

@@ -0,0 +1,108 @@
+import * as teamQueries from "@calcom/features/ee/teams/lib/queries";
+import { prisma } from "@calcom/prisma";
+import { MembershipRole } from "@calcom/prisma/enums";
+
+import { TRPCError } from "@trpc/server";
+
+import { BaseRemoveMemberService } from "./BaseRemoveMemberService";
+import type { RemoveMemberContext, RemoveMemberPermissionResult } from "./IRemoveMemberService";
+
+export class LegacyRemoveMemberService extends BaseRemoveMemberService {
+  async checkRemovePermissions(context: RemoveMemberContext): Promise<RemoveMemberPermissionResult> {
+    const { userId, isOrgAdmin, teamIds } = context;
+
+    // Org admins have full permission
+    if (isOrgAdmin) {
+      // Return admin role for all teams
+      const userRoles = new Map<number, MembershipRole | null>();
+      teamIds.forEach((teamId) => {
+        userRoles.set(teamId, MembershipRole.ADMIN);
+      });
+      return {
+        hasPermission: true,
+        userRoles,
+      };
+    }
+
+    // Get all memberships in a single query
+    const membershipRoles = await prisma.membership.findMany({
+      where: {
+        userId,
+        teamId: {
+          in: teamIds,
+        },
+      },
+      select: {
+        role: true,
+        teamId: true,
+      },
+    });
+
+    // Create a map for O(1) lookup
+    const userRoles = new Map<number, MembershipRole | null>();
+    membershipRoles.forEach((m) => {
+      userRoles.set(m.teamId, m.role);
+    });
+
+    // Check if user has admin or owner role in all teams
+    const allowedRoles: MembershipRole[] = [MembershipRole.ADMIN, MembershipRole.OWNER];
+    let hasPermission = true;
+
+    for (const teamId of teamIds) {
+      const userRole = userRoles.get(teamId);
+      if (!userRole || !allowedRoles.includes(userRole)) {
+        hasPermission = false;
+        break;
+      }
+    }
+
+    return {
+      hasPermission,
+      userRoles,
+    };
+  }
+
+  async validateRemoval(context: RemoveMemberContext, hasPermission: boolean): Promise<void> {
+    const { userId, memberIds, teamIds, isOrgAdmin } = context;
+    const isRemovingSelf = memberIds.length === 1 && memberIds[0] === userId;
+
+    // Only a team owner can remove another team owner (org admins are exempt)
+    if (!isOrgAdmin) {
+      const isAnyMemberOwnerAndCurrentUserNotOwner = await Promise.all(
+        memberIds.map(async (memberId) => {
+          const isAnyTeamOwnerAndCurrentUserNotOwner = await Promise.all(
+            teamIds.map(async (teamId) => {
+              return (
+                (await teamQueries.isTeamOwner(memberId, teamId)) &&
+                !(await teamQueries.isTeamOwner(userId, teamId))
+              );
+            })
+          ).then((results) => results.some((result) => result));
+
+          return isAnyTeamOwnerAndCurrentUserNotOwner;
+        })
+      ).then((results) => results.some((result) => result));
+
+      if (isAnyMemberOwnerAndCurrentUserNotOwner) {
+        throw new TRPCError({
+          code: "UNAUTHORIZED",
+          message: "Only a team owner can remove another team owner.",
+        });
+      }
+    }
+
+    // Check if user is trying to remove themselves from a team they own (prevent this)
+    if (isRemovingSelf && hasPermission) {
+      const isOwnerOfAnyTeam = await Promise.all(
+        teamIds.map(async (teamId) => await teamQueries.isTeamOwner(userId, teamId))
+      ).then((results) => results.some((result) => result));
+
+      if (isOwnerOfAnyTeam) {
+        throw new TRPCError({
+          code: "FORBIDDEN",
+          message: "You can not remove yourself from a team you own.",
+        });
+      }
+    }
+  }
+}

packages/trpc/server/routers/viewer/teams/removeMember/PBACRemoveMemberService.ts

@@ -0,0 +1,60 @@
+import * as teamQueries from "@calcom/features/ee/teams/lib/queries";
+import { PermissionMapper } from "@calcom/features/pbac/domain/mappers/PermissionMapper";
+import { Resource, CustomAction } from "@calcom/features/pbac/domain/types/permission-registry";
+import { PermissionCheckService } from "@calcom/features/pbac/services/permission-check.service";
+
+import { TRPCError } from "@trpc/server";
+
+import { BaseRemoveMemberService } from "./BaseRemoveMemberService";
+import type { RemoveMemberContext, RemoveMemberPermissionResult } from "./IRemoveMemberService";
+
+export class PBACRemoveMemberService extends BaseRemoveMemberService {
+  private permissionService = new PermissionCheckService();
+
+  async checkRemovePermissions(context: RemoveMemberContext): Promise<RemoveMemberPermissionResult> {
+    const { userId, teamIds, isOrg } = context;
+
+    const resource = isOrg ? Resource.Organization : Resource.Team;
+    const removePermission = PermissionMapper.toPermissionString({
+      resource,
+      action: CustomAction.Remove,
+    });
+
+    const teamsWithPermission = await this.permissionService.getTeamIdsWithPermission(
+      userId,
+      removePermission
+    );
+
+    // Convert to Set for O(1) lookup
+    const teamsWithPermissionSet = new Set(teamsWithPermission);
+
+    // Check if user has permission for ALL requested teams
+    const hasPermission = teamIds.every((teamId) => teamsWithPermissionSet.has(teamId));
+
+    return {
+      hasPermission,
+    };
+  }
+
+  async validateRemoval(context: RemoveMemberContext, hasPermission: boolean): Promise<void> {
+    const { userId, memberIds, teamIds } = context;
+    const isRemovingSelf = memberIds.length === 1 && memberIds[0] === userId;
+
+    /**
+     * TODO: Figure out the best way to prevent someone bricking a team
+     *       by removing all people with updateRole permissions
+     */
+    if (isRemovingSelf && hasPermission) {
+      const isOwnerOfAnyTeam = await Promise.all(
+        teamIds.map(async (teamId) => await teamQueries.isTeamOwner(userId, teamId))
+      ).then((results) => results.some((result) => result));
+
+      if (isOwnerOfAnyTeam) {
+        throw new TRPCError({
+          code: "FORBIDDEN",
+          message: "You can not remove yourself from a team you own.",
+        });
+      }
+    }
+  }
+}