fix(auth): grant billing_manager same UI and backend permissions as owner (#1084)

alexkgold · web-flow · commit 4bea3f82ae1a · 2026-03-13T13:29:54.000-04:00
<img width="1243" height="776" alt="image" src="https://github.com/user-attachments/assets/2e5b557b-ffc2-403e-bde5-996ba12e582a" /> <img width="1397" height="541" alt="image" src="https://github.com/user-attachments/assets/f76c83ff-7c2b-4529-99aa-81ad1503ddbe" /> ## Summary - The backend `organizationOwnerProcedure` (in `src/routers/organizations/utils.ts:127`) already grants `billing_manager` the same access as `owner`, but multiple frontend permission checks and one backend route only checked for `currentUserRole === 'owner'`, effectively hiding actions from billing managers that the API would allow. - This PR aligns all frontend permission gates and one backend access check with the intended `organizationOwnerProcedure` behavior. **Frontend fixes (4 files):** - `OrganizationMembersCard.tsx`: `canRemoveMember`, `canEditRole`, `canEditLimit`, `canDelete` (invitations), `canCopy` (invite URL) now include `billing_manager` via a shared `isPrivilegedRole` helper - `SeatUsageCard.tsx`: "Manage" subscription link now visible to `billing_manager` - `OrganizationDataCollectionCard.tsx`: `canEdit` now includes `billing_manager`; corrected help text from "admins" to "billing managers" - `InviteMemberDialog.tsx`: removed stale `admin` entry from `ROLE_LABELS` (not a valid `OrganizationRole`) **Backend fix (1 file):** - `organization-subscription-router.ts`: `getSubscriptionStripeUrl` now allows `['owner', 'billing_manager']` when prior subscriptions exist, aligning with all other subscription routes that use `organizationOwnerProcedure` ## Verification - [x] `pnpm typecheck` — all 29 workspace projects pass with zero errors - [x] Manual review of every `organizationOwnerProcedure` usage to confirm backend already allows `billing_manager` - [x] Verified no other frontend `currentUserRole === 'owner'` checks exist that should include `billing_manager` (remaining owner-only checks are for SSO config and admin-only routes, which are intentionally restricted) ## Visual Changes N/A ## Reviewer Notes - The `isPrivilegedRole` helper in `OrganizationMembersCard.tsx` centralizes the `owner || billing_manager` check to avoid repeating the pattern. It's intentionally scoped to that file since other files only have 1-2 checks. - SSO routes (`organization-sso-router.ts`) and admin-gated routes (`organization-router.ts` `updateSeatsRequired`/`seatPurchases`) remain `['owner']`-only, as they also require `adminProcedure` and are Kilo-admin operations. - The `cloudflare-ai-attribution/src/schemas.ts` zod enum still omits `billing_manager` — this is a separate service and was left out of scope, but is a known inconsistency worth tracking.
diff --git a/src/components/organizations/OrganizationDataCollectionCard.tsx b/src/components/organizations/OrganizationDataCollectionCard.tsx
@@ -73,7 +73,8 @@ export function OrganizationDataCollectionCard({
   const currentDataCollection = organizationData.settings?.data_collection ?? null;
   const displayValue = currentDataCollection === null ? 'extension' : currentDataCollection;
 
-  const canEdit = currentUserRole === 'owner' && !isReadOnly;
+  const canEdit =
+    (currentUserRole === 'owner' || currentUserRole === 'billing_manager') && !isReadOnly;
 
   return (
     <Card>
@@ -134,7 +135,7 @@ export function OrganizationDataCollectionCard({
 
         {!canEdit && (
           <p className="text-muted-foreground text-xs">
-            Only organization owners and admins can modify data collection settings.
+            Only organization owners and billing managers can modify data collection settings.
           </p>
         )}
       </CardContent>
diff --git a/src/components/organizations/OrganizationMembersCard.tsx b/src/components/organizations/OrganizationMembersCard.tsx
@@ -70,9 +70,12 @@ function DailyUsageLimitDisplay({ member }: DailyUsageLimitDisplayProps) {
   return null;
 }
 
+const isPrivilegedRole = (role: OrganizationRole): boolean =>
+  role === 'owner' || role === 'billing_manager';
+
 // Business rules for member removal:
 // - Kilo admins can remove anyone
-// - Owners can remove anyone except themselves
+// - Owners and billing managers can remove anyone except themselves
 // - Members cannot remove anyone
 const canRemoveMember = (
   currentUserRole: OrganizationRole,
@@ -86,8 +89,8 @@ const canRemoveMember = (
   // Cannot remove yourself
   if (isCurrentUser) return false;
 
-  // Owners can remove anyone (except themselves)
-  if (currentUserRole === 'owner') return true;
+  // Owners and billing managers can remove anyone (except themselves)
+  if (isPrivilegedRole(currentUserRole)) return true;
 
   // Members cannot remove anyone
   return false;
@@ -150,9 +153,9 @@ function DeleteInvitationButton({ organizationId, member }: DeleteInvitationButt
   }
 
   // Apply same role restrictions as invitation creation
-  // - Owners can delete any invitation
+  // - Owners and billing managers can delete any invitation
   // - Members cannot delete invitations
-  const canDelete = isKiloAdmin || currentUserRole === 'owner';
+  const canDelete = isKiloAdmin || isPrivilegedRole(currentUserRole);
 
   if (!canDelete) {
     return null;
@@ -189,7 +192,7 @@ function InvitedBadge({ member }: InvitedBadgeProps) {
     return null;
   }
 
-  const canCopy = isKiloAdmin || currentUserRole === 'owner';
+  const canCopy = isKiloAdmin || isPrivilegedRole(currentUserRole);
 
   const handleCopy = async (e: React.MouseEvent) => {
     e.preventDefault();
@@ -242,8 +245,9 @@ function EditLimitButton({ organization, member }: EditLimitButtonProps) {
     return null;
   }
 
-  // Only show edit limit button for active members and if user has permission (admin/owner only)
-  const canEditLimit = member.status === 'active' && (isKiloAdmin || currentUserRole === 'owner');
+  // Only show edit limit button for active members and if user has permission (admin/owner/billing_manager)
+  const canEditLimit =
+    member.status === 'active' && (isKiloAdmin || isPrivilegedRole(currentUserRole));
 
   if (!canEditLimit) {
     return null;
@@ -412,16 +416,16 @@ export function OrganizationAdminMembers({
                   // Determine what actions are available for this member
                   const canEditRole =
                     member.status === 'active' &&
-                    (isKiloAdmin || currentUserRole === 'owner') &&
+                    (isKiloAdmin || isPrivilegedRole(currentUserRole)) &&
                     (!isCurrentUser || isKiloAdmin);
                   const canEditLimit =
                     organizationData.plan === 'enterprise' &&
                     member.status === 'active' &&
-                    (isKiloAdmin || currentUserRole === 'owner');
+                    (isKiloAdmin || isPrivilegedRole(currentUserRole));
                   const canDelete =
                     member.status === 'active'
                       ? canRemoveMember(currentUserRole, isKiloAdmin, member.role, isCurrentUser)
-                      : isKiloAdmin || currentUserRole === 'owner';
+                      : isKiloAdmin || isPrivilegedRole(currentUserRole);
 
                   const hasAnyEditableActions = canEditRole || canEditLimit || canDelete;
 
diff --git a/src/components/organizations/SeatUsageCard.tsx b/src/components/organizations/SeatUsageCard.tsx
@@ -82,7 +82,7 @@ export function SeatUsageCard({ organizationId }: Props) {
             <Users className="h-4 w-4" />
             <CardTitle>Seat Usage</CardTitle>
           </div>
-          {currentUserRole === 'owner' && (
+          {(currentUserRole === 'owner' || currentUserRole === 'billing_manager') && (
             <LinkButton
               href={`/organizations/${organizationId}/subscription`}
               className="text-muted-foreground hover:text-foreground flex items-center gap-1 text-sm transition-colors"
diff --git a/src/components/organizations/members/InviteMemberDialog.tsx b/src/components/organizations/members/InviteMemberDialog.tsx
@@ -40,7 +40,6 @@ const emailSchema = z.email();
 
 const ROLE_LABELS = {
   owner: 'Owner',
-  admin: 'Admin',
   member: 'Member',
   billing_manager: 'Billing Manager',
 } as const;
diff --git a/src/routers/organizations/organization-subscription-router.ts b/src/routers/organizations/organization-subscription-router.ts
@@ -143,7 +143,7 @@ export const organizationsSubscriptionRouter = createTRPCRouter({
       // if any subscriptions exist we need to enforce security
       // otherwise, we can't enforce ownership as the org is still not finished being set up
       if (subscriptions.length) {
-        await ensureOrganizationAccess(ctx, organizationId, ['owner']);
+        await ensureOrganizationAccess(ctx, organizationId, ['owner', 'billing_manager']);
       }
 
       const result = await getStripeSeatsCheckoutUrl({

Original file line number	Diff line number	Diff line change
`@@ -143,7 +143,7 @@ export const organizationsSubscriptionRouter = createTRPCRouter({`
`143`	`143`	`// if any subscriptions exist we need to enforce security`
`144`	`144`	`// otherwise, we can't enforce ownership as the org is still not finished being set up`
`145`	`145`	`if (subscriptions.length) {`
`146`		`- await ensureOrganizationAccess(ctx, organizationId, ['owner']);`
	`146`	`+ await ensureOrganizationAccess(ctx, organizationId, ['owner', 'billing_manager']);`
`147`	`147`	`}`
`148`	`148`
`149`	`149`	`const result = await getStripeSeatsCheckoutUrl({`