fix(people): default portal email checkbox to checked, respect user choice (#2806)

Marfuen · claude · web-flow · commit c413a9a2f717 · 2026-05-08T14:29:39.000+01:00
* fix(people): default portal email checkbox to checked and respect user choice

Remove auto-send override based on published policies so the checkbox
reflects actual behavior. Guard resend endpoint to employee/contractor only.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;

* refactor(people): use RBAC obligations instead of hardcoded role checks

Check BUILT_IN_ROLE_OBLIGATIONS and custom role obligations from the DB
to determine compliance obligation, rather than hardcoding role name
lists. Also uses RESTRICTED_ROLES for the employee routing check.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/apps/api/src/people/people-invite.service.ts b/apps/api/src/people/people-invite.service.ts
@@ -8,6 +8,10 @@ import { db } from '@db';
 import { triggerEmail } from '../email/trigger-email';
 import { InviteEmail } from '../email/templates/invite-member';
 import { InvitePortalEmail } from '@trycompai/email';
+import {
+  BUILT_IN_ROLE_OBLIGATIONS,
+  RESTRICTED_ROLES,
+} from '@trycompai/auth';
 import type { InviteItemDto } from './dto/invite-people.dto';
 import { checkAutoCompletePhases } from '../frameworks/frameworks-timeline.helper';
 import { TimelinesService } from '../timelines/timelines.service';
@@ -45,16 +49,6 @@ export class PeopleInviteService {
 
     const results: InviteResult[] = [];
 
-    const hasPublishedPolicies = await db.policy.findFirst({
-      where: {
-        organizationId,
-        status: 'published',
-        isArchived: false,
-        archivedAt: null,
-      },
-      select: { id: true },
-    });
-
     for (const invite of invites) {
       try {
         // Auditors can only invite auditors
@@ -72,17 +66,16 @@ export class PeopleInviteService {
         }
 
         const email = invite.email.toLowerCase();
-        const isPrivileged = invite.roles.some((role) =>
-          ['admin', 'owner', 'auditor'].includes(role),
-        );
-        const isEmployee = invite.roles.some((role) =>
-          ['employee', 'contractor'].includes(role),
-        );
-        const isStrictlyEmployee = isEmployee && !isPrivileged;
+        const restrictedRoles: readonly string[] = RESTRICTED_ROLES;
+        const isStrictlyEmployee =
+          invite.roles.every((role) => restrictedRoles.includes(role));
 
+        const hasCompliance = await this.rolesHaveComplianceObligation(
+          invite.roles,
+          organizationId,
+        );
         const shouldSendPortalEmail =
-          (invite.sendPortalEmail || !!hasPublishedPolicies) &&
-          isStrictlyEmployee;
+          !!invite.sendPortalEmail && hasCompliance;
 
         if (isStrictlyEmployee) {
           const result = await this.addEmployeeWithoutInvite(
@@ -372,6 +365,17 @@ export class PeopleInviteService {
       throw new BadRequestException('Member not found.');
     }
 
+    const roles = member.role.split(',').map((r) => r.trim());
+    const hasCompliance = await this.rolesHaveComplianceObligation(
+      roles,
+      organizationId,
+    );
+    if (!hasCompliance) {
+      throw new BadRequestException(
+        'Portal invites can only be sent to members with compliance obligations.',
+      );
+    }
+
     const email = member.user.email;
     const inviteLink = this.buildPortalUrl(organizationId);
 
@@ -413,6 +417,34 @@ export class PeopleInviteService {
     });
   }
 
+  private async rolesHaveComplianceObligation(
+    roles: string[],
+    organizationId: string,
+  ): Promise<boolean> {
+    for (const role of roles) {
+      if (BUILT_IN_ROLE_OBLIGATIONS[role]?.compliance) return true;
+    }
+
+    const customRoleNames = roles.filter((r) => !BUILT_IN_ROLE_OBLIGATIONS[r]);
+    if (customRoleNames.length === 0) return false;
+
+    const customRoles = await db.organizationRole.findMany({
+      where: {
+        organizationId,
+        name: { in: customRoleNames },
+      },
+      select: { obligations: true },
+    });
+
+    return customRoles.some((role) => {
+      const obligations =
+        typeof role.obligations === 'string'
+          ? JSON.parse(role.obligations)
+          : role.obligations || {};
+      return !!obligations.compliance;
+    });
+  }
+
   private buildPortalUrl(organizationId: string): string {
     const portalUrl =
       process.env.NEXT_PUBLIC_PORTAL_URL ?? 'https://portal.trycomp.ai';
diff --git a/apps/app/src/app/(app)/[orgId]/people/all/components/InviteMembersModal.tsx b/apps/app/src/app/(app)/[orgId]/people/all/components/InviteMembersModal.tsx
@@ -122,7 +122,7 @@ export function InviteMembersModal({
           roles: DEFAULT_ROLES,
         },
       ],
-      sendPortalEmail: false,
+      sendPortalEmail: true,
       csvFile: undefined,
     },
     mode: 'onChange',
