move analytics and license pages into owner only visibility

brendan-kellam · brendan-kellam · commit 8f82509e10a6 · 2026-03-31T19:11:13.000-07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,14 +8,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
-- Added `GET /api/diff` endpoint for retrieving structured diffs between two git refs ([#1063](https://github.com/sourcebot-dev/sourcebot/pull/1063))
+- Added `GET /api/diff` endpoint for retrieving structured diffs between two git refs [#1063](https://github.com/sourcebot-dev/sourcebot/pull/1063)
 
 ### Fixed
-- Fixed `GET /api/mcp` hanging with zero bytes by returning `405 Method Not Allowed` per the MCP Streamable HTTP spec ([#1064](https://github.com/sourcebot-dev/sourcebot/pull/1064))
+- Fixed `GET /api/mcp` hanging with zero bytes by returning `405 Method Not Allowed` per the MCP Streamable HTTP spec [#1064](https://github.com/sourcebot-dev/sourcebot/pull/1064)
 
 ### Removed
 - Removed "general" settings page with options to change organization name and domain. [#1065](https://github.com/sourcebot-dev/sourcebot/pull/1065)
 
+### Changed
+- Changed the analytics and license settings pages to only be viewable by organization owners. [#1065](https://github.com/sourcebot-dev/sourcebot/pull/1065)
+
 ## [4.16.3] - 2026-03-27
 
 ### Added
diff --git a/packages/web/src/app/[domain]/settings/analytics/page.tsx b/packages/web/src/app/[domain]/settings/analytics/page.tsx
@@ -1,19 +1,50 @@
-"use client"
-
+import { getMe } from "@/actions";
+import { getOrgFromDomain } from "@/data/org";
 import { AnalyticsContent } from "@/ee/features/analytics/analyticsContent";
 import { AnalyticsEntitlementMessage } from "@/ee/features/analytics/analyticsEntitlementMessage";
-import { useHasEntitlement } from "@/features/entitlements/useHasEntitlement";
+import { ServiceErrorException } from "@/lib/serviceError";
+import { isServiceError } from "@/lib/utils";
+import { OrgRole } from "@sourcebot/db";
+import { hasEntitlement } from "@sourcebot/shared";
+import { redirect } from "next/navigation";
 
-export default function AnalyticsPage() {
-  return <AnalyticsPageContent />;
+interface Props {
+  params: Promise<{
+      domain: string;
+  }>
 }
 
-function AnalyticsPageContent() {
-  const hasAnalyticsEntitlement = useHasEntitlement("analytics");
+export default async function AnalyticsPage(props: Props) {
+  const params = await props.params;
+
+    const {
+        domain
+    } = params;
+
+    const org = await getOrgFromDomain(domain);
+    if (!org) {
+        throw new Error("Organization not found");
+    }
+
+    const me = await getMe();
+    if (isServiceError(me)) {
+        throw new ServiceErrorException(me);
+    }
+
+    const userRoleInOrg = me.memberships.find((membership) => membership.id === org.id)?.role;
+    if (!userRoleInOrg) {
+        throw new Error("User role not found");
+    }
+
+    if (userRoleInOrg !== OrgRole.OWNER) {
+        redirect(`/${domain}/settings`);
+    }
+
+  const hasAnalyticsEntitlement = hasEntitlement("analytics");
 
   if (!hasAnalyticsEntitlement) {
     return <AnalyticsEntitlementMessage />;
   }
 
   return <AnalyticsContent />;
-} 
+}
diff --git a/packages/web/src/app/[domain]/settings/layout.tsx b/packages/web/src/app/[domain]/settings/layout.tsx
@@ -115,19 +115,23 @@ export const getSidebarNavItems = async () =>
                     href: `/${SINGLE_TENANT_ORG_DOMAIN}/settings/apiKeys`,
                 }
             ] : []),
-            {
-                title: "Analytics",
-                href: `/${SINGLE_TENANT_ORG_DOMAIN}/settings/analytics`,
-            },
+            ...(role === OrgRole.OWNER ? [
+                {
+                    title: "Analytics",
+                    href: `/${SINGLE_TENANT_ORG_DOMAIN}/settings/analytics`,
+                },
+            ] : []),
             ...(hasEntitlement("sso") ? [
                 {
                     title: "Linked Accounts",
                     href: `/${SINGLE_TENANT_ORG_DOMAIN}/settings/linked-accounts`,
                 }
             ] : []),
-            {
-                title: "License",
-                href: `/${SINGLE_TENANT_ORG_DOMAIN}/settings/license`,
-            }
+            ...(role === OrgRole.OWNER ? [
+                {
+                    title: "License",
+                    href: `/${SINGLE_TENANT_ORG_DOMAIN}/settings/license`,
+                }
+            ] : []),
         ]
     });
diff --git a/packages/web/src/app/[domain]/settings/license/page.tsx b/packages/web/src/app/[domain]/settings/license/page.tsx
@@ -1,9 +1,12 @@
 import { getLicenseKey, getEntitlements, getPlan, SOURCEBOT_UNLIMITED_SEATS } from "@sourcebot/shared";
 import { Button } from "@/components/ui/button";
 import { Info, Mail } from "lucide-react";
-import { getOrgMembers } from "@/actions";
+import { getMe, getOrgMembers } from "@/actions";
 import { isServiceError } from "@/lib/utils";
 import { ServiceErrorException } from "@/lib/serviceError";
+import { getOrgFromDomain } from "@/data/org";
+import { OrgRole } from "@sourcebot/db";
+import { redirect } from "next/navigation";
 
 interface LicensePageProps {
     params: Promise<{
@@ -18,6 +21,25 @@ export default async function LicensePage(props: LicensePageProps) {
         domain
     } = params;
 
+    const org = await getOrgFromDomain(domain);
+    if (!org) {
+        throw new Error("Organization not found");
+    }
+
+    const me = await getMe();
+    if (isServiceError(me)) {
+        throw new ServiceErrorException(me);
+    }
+
+    const userRoleInOrg = me.memberships.find((membership) => membership.id === org.id)?.role;
+    if (!userRoleInOrg) {
+        throw new Error("User role not found");
+    }
+
+    if (userRoleInOrg !== OrgRole.OWNER) {
+        redirect(`/${domain}/settings`);
+    }
+
     const licenseKey = getLicenseKey();
     const entitlements = getEntitlements();
     const plan = getPlan();
