Organization role source-of-truth mismatch: incorrect role display and owner invite authorization

[DaveMiscampbell]

Description

Organization ownership is currently derived from two different fields in different parts of the app:

• organizations.ownerId
• organization_members.role (owner / member)

When those values drift (common in self-hosted/manual DB edits or migrations), behavior becomes inconsistent:

• Some UI surfaces show a user as Member while others treat them as Owner
• Invite permissions are checked against organizations.ownerId, so users with membership role owner can still be blocked from inviting

Expected behavior:

• Role display should come from membership role (organization_members.role)
• Invite authorization should allow users whose membership role is owner for that organization

This issue tracks the fix to make role display and invite permissions consistent with membership role ownership.

Reproduction

1. Create an organization with user A as organizations.ownerId.
2. Set organization membership rows so ownership data is inconsistent, for example:
   • Case 1: user A has organization_members.role = member
   • Case 2: user B has organization_members.role = owner but organizations.ownerId = user A
3. Sign in as the affected user(s).
4. Open organization-related UI pages (members views / org indicators) and try to send invites.

Actual:

• Role labels can differ across UI surfaces.
• Invite permission is tied to organizations.ownerId and may reject a membership owner.

Expected:

• UI role labels consistently reflect organization_members.role.
• Membership owner users can send invites.

Additional Context

• Cap version: current main (self-hosted)
• Operating system, version: Linux server (Docker), browser client
• Device (optional): N/A

[linear]

CAP-651

[tembo]

Thanks for the detailed issue report. I've traced through the codebase and can confirm the dual source-of-truth problem you've identified.

Key files to modify:

1. Invite authorization - apps/web/actions/organization/send-invites.ts:38 currently checks organization.ownerId !== user.id. This should instead query organization_members for the user's role.

2. UI role display - apps/web/app/(org)/dashboard/settings/organization/billing/page.tsx:14 computes isOwner using user?.id === activeOrganization?.organization.ownerId. Same issue.

3. Member owner badge - apps/web/app/(org)/dashboard/settings/organization/components/MembersCard.tsx:142-144 has a isMemberOwner function that checks against organization.ownerId to display the "Owner" label.

Existing pattern to follow:

The OrganisationsPolicy.isOwner method in packages/web-backend/src/Organisations/OrganisationsPolicy.ts:19-29 already correctly checks organization_members.role === "owner". This is used by Effect-based services like Organisations.update and Organisations.softDelete, so those operations are consistent.

The fix would be to align the Server Actions and UI components with this existing pattern by checking membership role rather than organizations.ownerId.

Note: PR #1640 (merged today) touched much of this code for the Pro seat management feature, so the send-invites.ts and billing page components are fresh and would be easy to update.