fix(organizations,users): harden plan assignment, remove domain auto-set, fix N+1 admin query

- Hardcode plan to 'free' on org creation (prevents self-assigned enterprise)
- Remove auto-set domain from creator email (domain squatting mitigation, see #3232)
- Replace per-user membership loop with batch listByUsers query in admin user list

Author: PierreBrisorgueil

modules/organizations/repositories/organizations.membership.repository.js

@@ -101,6 +101,15 @@ const aggregateCountByOrganizations = (orgIds) =>
     { $group: { _id: '$organizationId', count: { $sum: 1 } } },
   ]);
 
+/**
+ * @function listByUsers
+ * @description Batch-fetch active memberships for multiple user IDs in a single query.
+ * @param {Array} userIds - Array of user IDs.
+ * @returns {Promise<Array>} An array of memberships.
+ */
+const listByUsers = (userIds) =>
+  Membership.find({ userId: { $in: userIds }, status: 'active' }).populate(defaultPopulate).sort('-createdAt').exec();
+
 export default {
   list,
   create,
@@ -111,4 +120,5 @@ export default {
   count,
   deleteMany,
   aggregateCountByOrganizations,
+  listByUsers,
 };

modules/organizations/services/organizations.crud.service.js

@@ -73,22 +73,14 @@ const create = async (body, user) => {
     counter += 1;
   }
 
-  // Auto-set domain from creator's email if not provided and not a public domain
-  let domain = normalizeDomain(body.domain);
-  if (!domain && user.email) {
-    const emailDomain = user.email.split('@')[1]?.toLowerCase();
-    const publicDomains = config.organizations?.publicDomains || [];
-    if (emailDomain && !publicDomains.includes(emailDomain)) {
-      domain = emailDomain;
-    }
-  }
+  const domain = normalizeDomain(body.domain);
 
   const organization = {
     name: body.name,
     description: body.description || '',
     slug,
     domain,
-    plan: body.plan || 'free',
+    plan: 'free',
     createdBy: user.id || user._id,
   };
 

modules/organizations/services/organizations.membership.service.js

@@ -397,9 +397,18 @@ const aggregateCountByOrganizations = (orgIds) => MembershipRepository.aggregate
  */
 const deleteMany = (filter) => MembershipRepository.deleteMany(filter);
 
+/**
+ * @function listByUsers
+ * @description Service to batch-fetch active memberships for multiple users in a single query.
+ * @param {Array} userIds - Array of user IDs.
+ * @returns {Promise<Array>} A promise that resolves to all matching memberships.
+ */
+const listByUsers = (userIds) => MembershipRepository.listByUsers(userIds);
+
 export default {
   list,
   listByUser,
+  listByUsers,
   get,
   findByUserAndOrganization,
   create,

modules/users/controllers/users.admin.controller.js

@@ -14,12 +14,20 @@ import MembershipService from '../../organizations/services/organizations.member
 const list = async (req, res) => {
   try {
     const users = await UserService.list(req.search, req.page, req.perPage);
-    const enriched = await Promise.all(users.map(async (u) => {
+    const userIds = users.map((u) => u._id || u.id);
+    const allMemberships = await MembershipService.listByUsers(userIds);
+    const membershipsByUser = {};
+    for (const m of allMemberships) {
+      const uid = String(m.userId?._id || m.userId);
+      if (!membershipsByUser[uid]) membershipsByUser[uid] = [];
+      membershipsByUser[uid].push(m.toJSON ? m.toJSON() : { ...m });
+    }
+    const enriched = users.map((u) => {
       const user = u.toJSON ? u.toJSON() : { ...u };
-      const memberships = await MembershipService.listByUser(user._id || user.id);
-      user.memberships = memberships.map((m) => (m.toJSON ? m.toJSON() : { ...m }));
+      const uid = String(user._id || user.id);
+      user.memberships = membershipsByUser[uid] || [];
       return user;
-    }));
+    });
     responses.success(res, 'user list')(enriched);
   } catch (err) {
     responses.error(res, 422, 'Unprocessable Entity', errors.getMessage(err))(err);