From 67278d87839a3a649aa4537fdba3bbccc235231f Mon Sep 17 00:00:00 2001
From: Mauricio Siu
Date: Wed, 13 May 2026 00:42:29 -0600
Subject: [PATCH] feat(organization): prevent inviting users with owner role

- Added validation to prevent users from being invited with the owner role in the organization and user routers.
- Implemented TRPCError responses to ensure proper error handling when attempting to assign the owner role.
This change enhances role management and security within the organization structure.
https://github.com/Dokploy/dokploy/security/advisories/GHSA-fm9p-wmpw-gxjh
---
 apps/dokploy/server/api/routers/organization.ts | 8 ++++++++
 apps/dokploy/server/api/routers/user.ts | 7 +++++++
 2 files changed, 15 insertions(+)

diff --git a/apps/dokploy/server/api/routers/organization.ts b/apps/dokploy/server/api/routers/organization.ts
index 51c1fec5d..6af018ed8 100644
--- a/apps/dokploy/server/api/routers/organization.ts
+++ b/apps/dokploy/server/api/routers/organization.ts
@@ -295,6 +295,14 @@ export const organizationRouter = createTRPCRouter({
 });
 }
 
+ // Owner role is non-delegable — no one can invite as owner
+ if (input.role === "owner") {
+ throw new TRPCError({
+ code: "FORBIDDEN",
+ message: "Cannot invite a user with the owner role",
+ });
+ }
+
 // If assigning a custom role, verify it exists
 if (!["owner", "admin", "member"].includes(input.role)) {
 const customRole = await db.query.organizationRole.findFirst({
diff --git a/apps/dokploy/server/api/routers/user.ts b/apps/dokploy/server/api/routers/user.ts
index 93b7e6cf6..538cbe7f5 100644
--- a/apps/dokploy/server/api/routers/user.ts
+++ b/apps/dokploy/server/api/routers/user.ts
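Review bot: The guard in the organization.ts hunk is an exact-match comparison on `input.role`, so it only closes the gap if the `role` input is already constrained upstream (an enum schema rather than free-form text); confirm that, since a non-normalized variant would skip this branch and reach the custom-role lookup on the next lines instead of being treated as the built-in owner role. The identical policy is restated in the user.ts hunk; consider one shared helper, e.g. `assertNotOwnerRole(role: string): void`, called from both mutations so the rule has a single definition and a single regression test, and if the invite/create paths are also reachable through service-layer functions, apply the same check there so router-level enforcement is not the only barrier. The enclosing mutation body starts and ends outside this hunk.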
@@ -594,6 +594,13 @@ export const userRouter = createTRPCRouter({
 });
 }
 
+ if (input.role === "owner") {
+ throw new TRPCError({
+ code: "FORBIDDEN",
+ message: "Cannot create a user with the owner role",
+ });
+ }
+
 return await createOrganizationUserWithCredentials({
 organizationId: ctx.session.activeOrganizationId,
 email: input.email,
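Review bot: The new guard in user.ts carries no explanatory comment, unlike its counterpart in organization.ts, so a future reader has no hint that this is an advisory fix rather than an incidental validation; add `// Owner role is non-delegable — it cannot be assigned when creating a user` above the `if`. Because the check sits immediately before the `createOrganizationUserWithCredentials` call, a unit test asserting that `role: "owner"` yields a FORBIDDEN TRPCError and never reaches that call would pin the behaviour. The enclosing mutation starts outside this hunk.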