refactor(auth): add isPlatformAdmin support in authentication and guards

Marfuen · Marfuen · commit 435eab7d4261 · 2026-02-05T14:36:47.000-05:00
diff --git a/apps/api/src/auth/auth-context.decorator.ts b/apps/api/src/auth/auth-context.decorator.ts
@@ -13,6 +13,7 @@ export const AuthContext = createParamDecorator(
       organizationId,
       authType,
       isApiKey,
+      isPlatformAdmin,
       userId,
       userEmail,
       userRoles,
@@ -30,6 +31,7 @@ export const AuthContext = createParamDecorator(
       organizationId,
       authType,
       isApiKey,
+      isPlatformAdmin,
       userId,
       userEmail,
       userRoles,
diff --git a/apps/api/src/auth/hybrid-auth.guard.ts b/apps/api/src/auth/hybrid-auth.guard.ts
@@ -45,6 +45,7 @@ export class HybridAuthGuard implements CanActivate {
     request.organizationId = organizationId;
     request.authType = 'api-key';
     request.isApiKey = true;
+    request.isPlatformAdmin = false;
     // API keys are organization-scoped and are not tied to a specific user/member.
     request.userRoles = null;
 
@@ -107,6 +108,11 @@ export class HybridAuthGuard implements CanActivate {
           id: true,
           role: true,
           department: true,
+          user: {
+            select: {
+              isPlatformAdmin: true,
+            },
+          },
         },
       });
 
@@ -124,6 +130,7 @@ export class HybridAuthGuard implements CanActivate {
       request.userRoles = userRoles;
       request.memberId = member.id;
       request.memberDepartment = member.department;
+      request.isPlatformAdmin = member.user?.isPlatformAdmin ?? false;
       request.organizationId = organizationId;
       request.authType = 'session';
       request.isApiKey = false;
diff --git a/apps/api/src/auth/permission.guard.ts b/apps/api/src/auth/permission.guard.ts
@@ -77,6 +77,11 @@ export class PermissionGuard implements CanActivate {
       return true;
     }
 
+    // Platform admins bypass permission checks (full access)
+    if (request.isPlatformAdmin) {
+      return true;
+    }
+
     // Build required permissions map
     const permissionBody: Record<string, string[]> = {};
     for (const perm of requiredPermissions) {
diff --git a/apps/api/src/auth/types.ts b/apps/api/src/auth/types.ts
@@ -6,6 +6,7 @@ export interface AuthenticatedRequest extends Request {
   organizationId: string;
   authType: 'api-key' | 'session';
   isApiKey: boolean;
+  isPlatformAdmin: boolean;
   userId?: string;
   userEmail?: string;
   userRoles: string[] | null;
@@ -17,6 +18,7 @@ export interface AuthContext {
   organizationId: string;
   authType: 'api-key' | 'session';
   isApiKey: boolean;
+  isPlatformAdmin: boolean;
   userId?: string; // Only available for session auth
   userEmail?: string; // Only available for session auth
   userRoles: string[] | null;
diff --git a/apps/api/src/findings/finding-notifier.service.ts b/apps/api/src/findings/finding-notifier.service.ts
@@ -543,7 +543,10 @@ export class FindingNotifierService {
           where: {
             organizationId,
             deactivated: false,
-            user: { isPlatformAdmin: false },
+            OR: [
+              { user: { isPlatformAdmin: false } },
+              { role: { contains: 'owner' } },
+            ],
           },
           select: {
             user: { select: { id: true, email: true, name: true } },
diff --git a/apps/api/src/roles/roles.controller.spec.ts b/apps/api/src/roles/roles.controller.spec.ts
@@ -34,6 +34,7 @@ describe('RolesController', () => {
     organizationId: 'org_123',
     authType: 'session',
     isApiKey: false,
+    isPlatformAdmin: false,
     userId: 'usr_123',
     userEmail: 'test@example.com',
     userRoles: ['owner'],
diff --git a/apps/api/src/tasks/task-notifier.service.ts b/apps/api/src/tasks/task-notifier.service.ts
@@ -64,7 +64,10 @@ export class TaskNotifierService {
             where: {
               organizationId,
               deactivated: false,
-              user: { isPlatformAdmin: false },
+              OR: [
+                { user: { isPlatformAdmin: false } },
+                { role: { contains: 'owner' } },
+              ],
             },
             select: {
               id: true,
@@ -233,7 +236,10 @@ export class TaskNotifierService {
             where: {
               organizationId,
               deactivated: false,
-              user: { isPlatformAdmin: false },
+              OR: [
+                { user: { isPlatformAdmin: false } },
+                { role: { contains: 'owner' } },
+              ],
             },
             select: {
               id: true,
@@ -435,7 +441,10 @@ export class TaskNotifierService {
             where: {
               organizationId,
               deactivated: false,
-              user: { isPlatformAdmin: false },
+              OR: [
+                { user: { isPlatformAdmin: false } },
+                { role: { contains: 'owner' } },
+              ],
             },
             select: {
               id: true,
@@ -638,7 +647,10 @@ export class TaskNotifierService {
           where: {
             organizationId,
             deactivated: false,
-            user: { isPlatformAdmin: false },
+            OR: [
+              { user: { isPlatformAdmin: false } },
+              { role: { contains: 'owner' } },
+            ],
           },
           select: {
             id: true,
diff --git a/apps/app/src/app/(app)/[orgId]/components/AppShellWrapper.tsx b/apps/app/src/app/(app)/[orgId]/components/AppShellWrapper.tsx
@@ -218,7 +218,7 @@ function AppShellWrapperContent({
               label="Compliance"
             />
           </Link>
-          {isTrustNdaEnabled && (
+          {isTrustNdaEnabled && canAccessRoute(permissions, 'trust') && (
             <Link href={`/${organization.id}/trust`}>
               <AppShellRailItem
                 isActive={isTrustActive}
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/actions/updateMemberRole.ts b/apps/app/src/app/(app)/[orgId]/people/all/actions/updateMemberRole.ts
@@ -95,14 +95,6 @@ export const updateMemberRole = authActionClient
         };
       }
 
-      // Prevent modifying platform admin members (CX team)
-      if (targetMember.user.isPlatformAdmin) {
-        return {
-          success: false,
-          error: 'This member is managed by Comp AI and cannot be modified.',
-        };
-      }
-
       // Parse the target member's current roles from the string
       const currentRoles = parseRolesString(targetMember.role);
 
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/MemberRow.tsx
@@ -236,7 +236,7 @@ export function MemberRow({
             })}
           </div>
 
-          {!isDeactivated && !isPlatformAdmin && (
+          {!isDeactivated && (
             <DropdownMenu open={dropdownOpen} onOpenChange={setDropdownOpen}>
               <DropdownMenuTrigger asChild>
                 <Button variant="ghost" size="sm" className="h-8 w-8 p-0" disabled={!canEdit}>
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/SingleTask.tsx
@@ -61,6 +61,7 @@ interface SingleTaskProps {
 
 export function SingleTask({
   initialTask,
+  initialMembers,
   initialAutomations,
   isWebAutomationsEnabled,
   isPlatformAdmin,
@@ -308,7 +309,7 @@ export function SingleTask({
         {/* Right Column - Properties */}
         <div className="lg:col-span-1">
           <div className="pl-6 border-l border-border space-y-6">
-            <TaskPropertiesSidebar handleUpdateTask={handleUpdateTask} />
+            <TaskPropertiesSidebar handleUpdateTask={handleUpdateTask} initialMembers={initialMembers} />
 
             {/* Finding History Panel */}
             {selectedFindingIdForHistory && (
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskPropertiesSidebar.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/components/TaskPropertiesSidebar.tsx
@@ -17,14 +17,13 @@ interface TaskPropertiesSidebarProps {
   handleUpdateTask: (
     data: Partial<Pick<Task, 'status' | 'assigneeId' | 'frequency' | 'department' | 'reviewDate'>>,
   ) => void;
+  initialMembers?: (Member & { user: User })[];
 }
 
-export function TaskPropertiesSidebar({ handleUpdateTask }: TaskPropertiesSidebarProps) {
+export function TaskPropertiesSidebar({ handleUpdateTask, initialMembers }: TaskPropertiesSidebarProps) {
   const { orgId } = useParams<{ orgId: string }>();
   const { task, isLoading } = useTask();
-  const { members } = useAssignableMembers();
-
-  console.log('members', members);
+  const { members } = useAssignableMembers({ initialData: initialMembers });
 
   const assignedMember =
     !task?.assigneeId || !members ? null : members.find((m) => m.id === task.assigneeId);
diff --git a/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/page.tsx b/apps/app/src/app/(app)/[orgId]/tasks/[taskId]/page.tsx
@@ -17,7 +17,10 @@ export default async function TaskPage({
     redirect(`/${orgId}/tasks`);
   }
 
-  const automations = await getAutomations(taskId);
+  const [automations, members] = await Promise.all([
+    getAutomations(taskId),
+    getMembers(task.organizationId),
+  ]);
 
   const session = await auth.api.getSession({
     headers: await headers(),
@@ -43,6 +46,7 @@ export default async function TaskPage({
   return (
     <SingleTask
       initialTask={task}
+      initialMembers={members}
       initialAutomations={automations}
       isWebAutomationsEnabled={isWebAutomationsEnabled}
       isPlatformAdmin={isPlatformAdmin}
@@ -73,6 +77,21 @@ const getTask = async (taskId: string) => {
   }
 };
 
+const getMembers = async (organizationId: string) => {
+  try {
+    return await db.member.findMany({
+      where: { organizationId, deactivated: false },
+      include: {
+        user: true,
+      },
+      orderBy: { createdAt: 'desc' },
+    });
+  } catch (error) {
+    console.error('[getMembers] Database query failed:', error);
+    return [];
+  }
+};
+
 const getAutomations = async (taskId: string) => {
   if (!taskId) {
     console.warn('Could not determine task ID in getAutomations');
diff --git a/apps/app/src/hooks/use-organization-members.ts b/apps/app/src/hooks/use-organization-members.ts
@@ -63,16 +63,11 @@ export function useOrganizationMembers({
 }
 
 /**
- * Like useOrganizationMembers but excludes platform admin (CX team) members.
- * Use this for assignee dropdowns and anywhere users should not be able to
- * select platform admin members.
+ * Like useOrganizationMembers but returns only active organization members.
+ * Use this for assignee dropdowns and anywhere users should select a member.
  */
 export function useAssignableMembers(
   options: UseOrganizationMembersOptions = {},
 ): UseOrganizationMembersReturn {
-  const result = useOrganizationMembers(options);
-  return {
-    ...result,
-    members: result.members?.filter((m) => !m.user?.isPlatformAdmin),
-  };
+  return useOrganizationMembers(options);
 }
diff --git a/apps/app/src/trigger/tasks/task/policy-schedule.ts b/apps/app/src/trigger/tasks/task/policy-schedule.ts
@@ -33,7 +33,10 @@ export const policySchedule = schedules.task({
             members: {
               where: {
                 deactivated: false,
-                user: { isPlatformAdmin: false },
+                OR: [
+                  { user: { isPlatformAdmin: false } },
+                  { role: { contains: 'owner' } },
+                ],
               },
               select: {
                 user: {
diff --git a/apps/app/src/trigger/tasks/task/task-schedule.ts b/apps/app/src/trigger/tasks/task/task-schedule.ts
@@ -35,7 +35,10 @@ export const taskSchedule = schedules.task({
             members: {
               where: {
                 deactivated: false,
-                user: { isPlatformAdmin: false },
+                OR: [
+                  { user: { isPlatformAdmin: false } },
+                  { role: { contains: 'owner' } },
+                ],
               },
               select: {
                 user: {
diff --git a/apps/app/src/trigger/tasks/task/weekly-task-reminder.ts b/apps/app/src/trigger/tasks/task/weekly-task-reminder.ts
@@ -17,7 +17,10 @@ export const weeklyTaskReminder = schedules.task({
         members: {
           where: {
             deactivated: false,
-            user: { isPlatformAdmin: false },
+            OR: [
+              { user: { isPlatformAdmin: false } },
+              { role: { contains: 'owner' } },
+            ],
           },
           select: {
             id: true,
diff --git a/packages/email/lib/check-unsubscribe.ts b/packages/email/lib/check-unsubscribe.ts
@@ -104,9 +104,26 @@ export async function isUserUnsubscribed(
       return false;
     }
 
-    // Platform admins (CX team) never receive notifications in customer orgs
+    // Platform admins only receive notifications for organizations they own
     if (user.isPlatformAdmin) {
-      return true;
+      if (!organizationId || !db.member) {
+        return true; // No org context — block notifications
+      }
+      const adminMemberRecords = await db.member.findMany({
+        where: {
+          organizationId,
+          user: { email },
+          deactivated: false,
+        },
+        select: { role: true },
+      });
+      const adminRoles = adminMemberRecords.flatMap((m) =>
+        m.role.split(',').map((r) => r.trim()),
+      );
+      if (!adminRoles.includes('owner')) {
+        return true; // Not an owner in this org — block notifications
+      }
+      // Platform admin IS an owner — fall through to normal notification logic
     }
 
     // If legacy all-or-nothing flag is set, user is unsubscribed from everything
