fix(billing): require org owner role for Stripe checkout URL creation (#1092)

Author: jeanduplessis

src/routers/organizations/organization-subscription-router.test.ts

@@ -57,6 +57,32 @@ describe('organizations subscription trpc router', () => {
     });
   });
 
+  describe('getSubscriptionStripeUrl procedure', () => {
+    it('should throw UNAUTHORIZED error for non-owner members', async () => {
+      const caller = await createCallerForUser(memberUser.id);
+
+      await expect(
+        caller.organizations.subscription.getSubscriptionStripeUrl({
+          organizationId: testOrganization.id,
+          seats: 1,
+          cancelUrl: 'https://example.com',
+        })
+      ).rejects.toThrow('You do not have the required organizational role to access this feature');
+    });
+
+    it('should throw UNAUTHORIZED error for non-member users', async () => {
+      const caller = await createCallerForUser(_nonMemberUser.id);
+
+      await expect(
+        caller.organizations.subscription.getSubscriptionStripeUrl({
+          organizationId: testOrganization.id,
+          seats: 1,
+          cancelUrl: 'https://example.com',
+        })
+      ).rejects.toThrow('You do not have access to this organization');
+    });
+  });
+
   describe('cancel procedure', () => {
     it('should throw UNAUTHORIZED error for non-owner users', async () => {
       const caller = await createCallerForUser(memberUser.id);

src/routers/organizations/organization-subscription-router.ts

@@ -15,7 +15,6 @@ import { baseProcedure, createTRPCRouter } from '@/lib/trpc/init';
 import {
   OrganizationIdInputSchema,
   organizationOwnerProcedure,
-  ensureOrganizationAccess,
   organizationMemberProcedure,
 } from '@/routers/organizations/utils';
 import { TRPCError } from '@trpc/server';
@@ -117,7 +116,7 @@ export const organizationsSubscriptionRouter = createTRPCRouter({
       return { status: paymentStatus };
     }),
 
-  getSubscriptionStripeUrl: baseProcedure
+  getSubscriptionStripeUrl: organizationOwnerProcedure
     .input(SubscriptionRequestSchema)
     .mutation(async ({ input, ctx }) => {
       const { user } = ctx;
@@ -132,20 +131,13 @@ export const organizationsSubscriptionRouter = createTRPCRouter({
       const customerId = await getOrCreateStripeCustomerIdForOrganization(org.id);
       const subscriptions = await getSubscriptionsForStripeCustomerId(customerId);
 
-      // if any subscriptions are not ended, throw bad request error
       if (subscriptions.find(sub => sub.ended_at == null)) {
         throw new TRPCError({
           code: 'BAD_REQUEST',
           message: 'Organization has active subscription(s)',
         });
       }
 
-      // if any subscriptions exist we need to enforce security
-      // otherwise, we can't enforce ownership as the org is still not finished being set up
-      if (subscriptions.length) {
-        await ensureOrganizationAccess(ctx, organizationId, ['owner', 'billing_manager']);
-      }
-
       const result = await getStripeSeatsCheckoutUrl({
         kiloUserId: user.id,
         stripeCustomerId: customerId,