feedback

brendan-kellam · brendan-kellam · commit 0d7d423ae977 · 2026-03-09T19:32:37.000-07:00
diff --git a/docs/docs/configuration/auth/roles-and-permissions.mdx b/docs/docs/configuration/auth/roles-and-permissions.mdx
@@ -35,7 +35,7 @@ To promote a member, click the action menu (three dots) next to their name in th
 
 ### Demoting an owner to member
 
-To demote an owner, click the action menu next to their name and select **Demote to member**. Owners can also demote themselves to step down from the role. The last remaining owner of an organization cannot be demoted — at least one owner must exist at all times.
+To demote an owner, click the action menu next to their name and select **Demote to member**. Owners can also demote themselves to step down from the role. The last remaining owner of an organization cannot be demoted - at least one owner must exist at all times.
 
 <Frame>
   <img src="/images/demote_to_member.png" alt="Dropdown menu showing Demote to member option for an owner" />
diff --git a/packages/web/src/ee/features/userManagement/actions.ts b/packages/web/src/ee/features/userManagement/actions.ts
@@ -6,7 +6,7 @@ import { ErrorCode } from "@/lib/errorCodes";
 import { notFound, ServiceError } from "@/lib/serviceError";
 import { prisma } from "@/prisma";
 import { withAuthV2, withMinimumOrgRole } from "@/withAuthV2";
-import { OrgRole } from "@sourcebot/db";
+import { OrgRole, Prisma } from "@sourcebot/db";
 import { hasEntitlement } from "@sourcebot/shared";
 import { StatusCodes } from "http-status-codes";
 
@@ -87,54 +87,62 @@ export const demoteToMember = async (memberId: string): Promise<{ success: boole
                 return orgManagementNotAvailable();
             }
 
-            const targetMember = await prisma.userToOrg.findUnique({
-                where: {
-                    orgId_userId: {
+            const guardError = await prisma.$transaction(async (tx) => {
+                const targetMember = await tx.userToOrg.findUnique({
+                    where: {
+                        orgId_userId: {
+                            orgId: org.id,
+                            userId: memberId,
+                        },
+                    },
+                });
+
+                if (!targetMember) {
+                    return notFound("Member not found in this organization");
+                }
+
+                if (targetMember.role !== OrgRole.OWNER) {
+                    return {
+                        statusCode: StatusCodes.BAD_REQUEST,
+                        errorCode: ErrorCode.INVALID_REQUEST_BODY,
+                        message: "This member is not an owner.",
+                    } satisfies ServiceError;
+                }
+
+                const ownerCount = await tx.userToOrg.count({
+                    where: {
                         orgId: org.id,
-                        userId: memberId,
+                        role: OrgRole.OWNER,
                     },
-                },
-            });
-
-            if (!targetMember) {
-                return notFound("Member not found in this organization");
-            }
-
-            if (targetMember.role !== OrgRole.OWNER) {
-                return {
-                    statusCode: StatusCodes.BAD_REQUEST,
-                    errorCode: ErrorCode.INVALID_REQUEST_BODY,
-                    message: "This member is not an owner.",
-                } satisfies ServiceError;
-            }
+                });
+
+                if (ownerCount <= 1) {
+                    return {
+                        statusCode: StatusCodes.FORBIDDEN,
+                        errorCode: ErrorCode.LAST_OWNER_CANNOT_BE_DEMOTED,
+                        message: "Cannot demote the last owner. Promote another member to owner first.",
+                    } satisfies ServiceError;
+                }
+
+                await tx.userToOrg.update({
+                    where: {
+                        orgId_userId: {
+                            orgId: org.id,
+                            userId: memberId,
+                        },
+                    },
+                    data: {
+                        role: "MEMBER",
+                    },
+                });
 
-            const ownerCount = await prisma.userToOrg.count({
-                where: {
-                    orgId: org.id,
-                    role: OrgRole.OWNER,
-                },
-            });
+                return null;
+            }, { isolationLevel: Prisma.TransactionIsolationLevel.Serializable });
 
-            if (ownerCount <= 1) {
-                return {
-                    statusCode: StatusCodes.FORBIDDEN,
-                    errorCode: ErrorCode.LAST_OWNER_CANNOT_BE_DEMOTED,
-                    message: "Cannot demote the last owner. Promote another member to owner first.",
-                } satisfies ServiceError;
+            if (guardError) {
+                return guardError;
             }
 
-            await prisma.userToOrg.update({
-                where: {
-                    orgId_userId: {
-                        orgId: org.id,
-                        userId: memberId,
-                    },
-                },
-                data: {
-                    role: "MEMBER",
-                },
-            });
-
             await auditService.createAudit({
                 action: "org.owner_demoted_to_member",
                 actor: { id: user.id, type: "user" },
diff --git a/packages/web/src/features/userManagement/actions.ts b/packages/web/src/features/userManagement/actions.ts
@@ -6,28 +6,45 @@ import { notFound, ServiceError } from "@/lib/serviceError";
 import { isServiceError } from "@/lib/utils";
 import { prisma } from "@/prisma";
 import { withAuthV2, withMinimumOrgRole } from "@/withAuthV2";
-import { OrgRole } from "@sourcebot/db";
+import { OrgRole, Prisma } from "@sourcebot/db";
 import { IS_BILLING_ENABLED } from "@/ee/features/billing/stripe";
 import { decrementOrgSeatCount } from "@/ee/features/billing/serverUtils";
 import { StatusCodes } from "http-status-codes";
 
 export const removeMemberFromOrg = async (memberId: string): Promise<{ success: boolean } | ServiceError> => sew(() =>
     withAuthV2(async ({ org, role }) =>
         withMinimumOrgRole(role, OrgRole.OWNER, async () => {
-            const targetMember = await prisma.userToOrg.findUnique({
-                where: {
-                    orgId_userId: {
-                        orgId: org.id,
-                        userId: memberId,
+            const guardError = await prisma.$transaction(async (tx) => {
+                const targetMember = await tx.userToOrg.findUnique({
+                    where: {
+                        orgId_userId: {
+                            orgId: org.id,
+                            userId: memberId,
+                        }
                     }
+                });
+
+                if (!targetMember) {
+                    return notFound("Member not found in this organization");
                 }
-            });
 
-            if (!targetMember) {
-                return notFound("Member not found in this organization");
-            }
+                if (targetMember.role === OrgRole.OWNER) {
+                    const ownerCount = await tx.userToOrg.count({
+                        where: {
+                            orgId: org.id,
+                            role: OrgRole.OWNER,
+                        },
+                    });
+
+                    if (ownerCount <= 1) {
+                        return {
+                            statusCode: StatusCodes.FORBIDDEN,
+                            errorCode: ErrorCode.LAST_OWNER_CANNOT_BE_REMOVED,
+                            message: "Cannot remove the last owner of the organization.",
+                        } satisfies ServiceError;
+                    }
+                }
 
-            await prisma.$transaction(async (tx) => {
                 await tx.userToOrg.delete({
                     where: {
                         orgId_userId: {
@@ -43,32 +60,38 @@ export const removeMemberFromOrg = async (memberId: string): Promise<{ success:
                         throw result;
                     }
                 }
-            });
+
+                return null;
+            }, { isolationLevel: Prisma.TransactionIsolationLevel.Serializable });
+
+            if (guardError) {
+                return guardError;
+            }
 
             return { success: true };
         }))
 );
 
 export const leaveOrg = async (): Promise<{ success: boolean } | ServiceError> => sew(() =>
     withAuthV2(async ({ user, org, role }) => {
-        if (role === OrgRole.OWNER) {
-            const ownerCount = await prisma.userToOrg.count({
-                where: {
-                    orgId: org.id,
-                    role: OrgRole.OWNER,
-                },
-            });
+        const guardError = await prisma.$transaction(async (tx) => {
+            if (role === OrgRole.OWNER) {
+                const ownerCount = await tx.userToOrg.count({
+                    where: {
+                        orgId: org.id,
+                        role: OrgRole.OWNER,
+                    },
+                });
 
-            if (ownerCount <= 1) {
-                return {
-                    statusCode: StatusCodes.FORBIDDEN,
-                    errorCode: ErrorCode.OWNER_CANNOT_LEAVE_ORG,
-                    message: "You are the last owner of this organization. Promote another member to owner before leaving.",
-                } satisfies ServiceError;
+                if (ownerCount <= 1) {
+                    return {
+                        statusCode: StatusCodes.FORBIDDEN,
+                        errorCode: ErrorCode.LAST_OWNER_CANNOT_BE_REMOVED,
+                        message: "You are the last owner of this organization. Promote another member to owner before leaving.",
+                    } satisfies ServiceError;
+                }
             }
-        }
 
-        await prisma.$transaction(async (tx) => {
             await tx.userToOrg.delete({
                 where: {
                     orgId_userId: {
@@ -84,7 +107,13 @@ export const leaveOrg = async (): Promise<{ success: boolean } | ServiceError> =
                     throw result;
                 }
             }
-        });
+
+            return null;
+        }, { isolationLevel: Prisma.TransactionIsolationLevel.Serializable });
+
+        if (guardError) {
+            return guardError;
+        }
 
         return {
             success: true,
diff --git a/packages/web/src/lib/errorCodes.ts b/packages/web/src/lib/errorCodes.ts
@@ -17,7 +17,6 @@ export enum ErrorCode {
     INSUFFICIENT_PERMISSIONS = 'INSUFFICIENT_PERMISSIONS',
     CONNECTION_NOT_FAILED = 'CONNECTION_NOT_FAILED',
     CONNECTION_ALREADY_EXISTS = 'CONNECTION_ALREADY_EXISTS',
-    OWNER_CANNOT_LEAVE_ORG = 'OWNER_CANNOT_LEAVE_ORG',
     INVALID_INVITE = 'INVALID_INVITE',
     INVALID_INVITE_LINK = 'INVALID_INVITE_LINK',
     INVITE_LINK_NOT_ENABLED = 'INVITE_LINK_NOT_ENABLED',
@@ -37,4 +36,5 @@ export enum ErrorCode {
     FAILED_TO_PARSE_QUERY = 'FAILED_TO_PARSE_QUERY',
     INVALID_GIT_REF = 'INVALID_GIT_REF',
     LAST_OWNER_CANNOT_BE_DEMOTED = 'LAST_OWNER_CANNOT_BE_DEMOTED',
+    LAST_OWNER_CANNOT_BE_REMOVED = 'LAST_OWNER_CANNOT_BE_REMOVED',
 }
