fix: Use project owner plan limits when project is shared via workspace (#5751)

Author: kof

apps/builder/app/builder/features/publish/publish.tsx

@@ -784,8 +784,10 @@ const useCanAddDomain = () => {
     (domain) => domain.status === "ACTIVE" && domain.verified
   ).length;
   useEffect(() => {
-    load();
-  }, [load, activeDomainsCount]);
+    if (project?.id !== undefined) {
+      load({ projectId: project.id });
+    }
+  }, [load, activeDomainsCount, project?.id]);
   const canAddDomain = data
     ? data.success && data.data < maxDomainsAllowedPerUser
     : true;
@@ -795,9 +797,12 @@ const useCanAddDomain = () => {
 const useUserPublishCount = () => {
   const { load, data } = trpcClient.project.userPublishCount.useQuery();
   const { maxDailyPublishesPerUser } = useStore($permissions);
+  const project = useStore($project);
   useEffect(() => {
-    load();
-  }, [load]);
+    if (project?.id !== undefined) {
+      load({ projectId: project.id });
+    }
+  }, [load, project?.id]);
   return {
     userPublishCount: data?.success ? data.data : 0,
     maxDailyPublishesPerUser,

apps/builder/app/routes/rest.assets.tsx

@@ -52,7 +52,6 @@ export const action = async (props: ActionFunctionArgs) => {
           projectId,
           type,
           filename,
-          maxAssetsPerProject: context.planFeatures.maxAssetsPerProject,
         },
         context
       );

apps/builder/app/services/workspace-router.server.test.ts

@@ -32,7 +32,11 @@ const teamPlan: PlanFeatures = {
 };
 
 const createContext = (
-  overrides?: Partial<{ planFeatures: PlanFeatures; userId: string }>
+  overrides?: Partial<{
+    planFeatures: PlanFeatures;
+    ownerPlanFeatures: PlanFeatures;
+    userId: string;
+  }>
 ): AppContext =>
   ({
     ...testContext,
@@ -43,7 +47,8 @@ const createContext = (
     planFeatures: overrides?.planFeatures ?? teamPlan,
     purchases: [],
     trpcCache: { setMaxAge: () => {} },
-    getOwnerPlanFeatures: async () => overrides?.planFeatures ?? teamPlan,
+    getOwnerPlanFeatures: async () =>
+      overrides?.ownerPlanFeatures ?? overrides?.planFeatures ?? teamPlan,
   }) as unknown as AppContext;
 
 // ---------------------------------------------------------------------------
@@ -134,7 +139,11 @@ const setupAddMemberMocks = (opts?: {
 
 describe("addMember", () => {
   test("rejects when maxWorkspaces <= 1 (free/pro plan)", async () => {
-    // No DB mocks needed — the check happens before any queries.
+    server.use(
+      db.get("Workspace", () =>
+        json({ id: "ws-1", userId: "owner-1", isDeleted: false })
+      )
+    );
     const ctx = createContext({ planFeatures: defaultPlanFeatures });
     const caller = createCaller(ctx);
 
@@ -150,6 +159,35 @@ describe("addMember", () => {
     }
   });
 
+  test("rejects non-owners before billing sync", async () => {
+    let paymentWorkerCalled = false;
+
+    server.use(
+      db.get("Workspace", () =>
+        json({ id: "ws-1", userId: "owner-1", isDeleted: false })
+      ),
+      http.post(`${env.PAYMENT_WORKER_URL}/seats/sync`, () => {
+        paymentWorkerCalled = true;
+        return HttpResponse.json({ type: "success", seats: 1 });
+      })
+    );
+
+    const ctx = createContext({ userId: "member-1" });
+    const caller = createCaller(ctx);
+
+    const result = await caller.addMember({
+      workspaceId: "ws-1",
+      email: "invitee@test.com",
+      relation: "editors",
+    });
+
+    expect(result.success).toBe(false);
+    if (!result.success) {
+      expect(result.error).toContain("Only the workspace owner");
+    }
+    expect(paymentWorkerCalled).toBe(false);
+  });
+
   test("rejects when workspace seat limit reached", async () => {
     const plan: PlanFeatures = { ...teamPlan, maxSeatsPerWorkspace: 2 };
     const ctx = createContext({ planFeatures: plan });
@@ -320,6 +358,11 @@ describe("removeMember", () => {
 
 describe("syncSeats", () => {
   test("rejects when maxWorkspaces <= 1", async () => {
+    server.use(
+      db.get("Workspace", () =>
+        json({ id: "ws-1", userId: "owner-1", isDeleted: false })
+      )
+    );
     const ctx = createContext({ planFeatures: defaultPlanFeatures });
     const caller = createCaller(ctx);
 
@@ -335,6 +378,9 @@ describe("syncSeats", () => {
     let capturedBody: { workspaceId: string; delta?: number } | undefined;
 
     server.use(
+      db.get("Workspace", () =>
+        json({ id: "ws-1", userId: "owner-1", isDeleted: false })
+      ),
       http.post(`${env.PAYMENT_WORKER_URL}/seats/sync`, async ({ request }) => {
         capturedBody = (await request.json()) as typeof capturedBody;
         return HttpResponse.json({ type: "success", seats: 3 });
@@ -376,7 +422,13 @@ describe("listMembers", () => {
         json({ id: "ws-1", userId: "owner-1", isDeleted: false })
       ),
       // listMembers: WorkspaceMember SELECT (members list + access check)
-      db.get("WorkspaceMember", () => json(members)),
+      db.get("WorkspaceMember", ({ request }) => {
+        const url = new URL(request.url);
+        if (url.searchParams.has("userId")) {
+          return json({ userId: url.searchParams.get("userId") });
+        }
+        return json(members);
+      }),
       // listMembers: Notification GET (pending invites for this workspace)
       db.get("Notification", () => json([])),
       // listMembers: User batch lookup
@@ -449,6 +501,23 @@ describe("listMembers", () => {
     }
   });
 
+  test("maxSeats uses workspace owner's seats for member callers", async () => {
+    setupListMembersMocks({ transactionLog: null });
+
+    const ctx = createContext({
+      userId: "m-1",
+      planFeatures: defaultPlanFeatures,
+      ownerPlanFeatures: teamPlan,
+    });
+    const caller = createCaller(ctx);
+    const result = await caller.listMembers({ workspaceId: "ws-1" });
+
+    expect(result.success).toBe(true);
+    if (result.success) {
+      expect(result.data.maxSeats).toBe(4);
+    }
+  });
+
   test("returns owner, members, and pendingInvites", async () => {
     setupListMembersMocks({ memberCount: 2, transactionLog: null });
 

apps/builder/app/services/workspace-router.server.ts

@@ -3,6 +3,7 @@ import {
   router,
   procedure,
   createErrorResponse,
+  getPlanFeaturesByOwnerId,
 } from "@webstudio-is/trpc-interface/index.server";
 import { workspace as workspaceApi } from "@webstudio-is/project/index.server";
 import { roles } from "@webstudio-is/trpc-interface/authorize";
@@ -118,7 +119,12 @@ export const workspaceRouter = router({
     )
     .mutation(async ({ input, ctx }) => {
       try {
-        if (ctx.planFeatures.maxWorkspaces <= 1) {
+        const { plan } = await workspaceApi.assertWorkspaceOwnerPlan(
+          input.workspaceId,
+          ctx
+        );
+
+        if (plan.maxWorkspaces <= 1) {
           throw new Error("Upgrade your plan to invite members to workspaces.");
         }
 
@@ -132,7 +138,7 @@ export const workspaceRouter = router({
           );
         }
 
-        const { maxSeatsPerWorkspace } = ctx.planFeatures;
+        const { maxSeatsPerWorkspace } = plan;
         if (maxSeatsPerWorkspace > 0) {
           const [membersResult, pendingResult] = await Promise.all([
             ctx.postgrest.client
@@ -229,7 +235,12 @@ export const workspaceRouter = router({
     )
     .mutation(async ({ input, ctx }) => {
       try {
-        if (ctx.planFeatures.maxWorkspaces <= 1) {
+        const { plan } = await workspaceApi.assertWorkspaceOwnerPlan(
+          input.workspaceId,
+          ctx
+        );
+
+        if (plan.maxWorkspaces <= 1) {
           throw new Error(
             "Upgrade your plan to manage workspace member roles."
           );
@@ -258,7 +269,12 @@ export const workspaceRouter = router({
     .input(z.object({ workspaceId: z.string() }))
     .mutation(async ({ input, ctx }) => {
       try {
-        if (ctx.planFeatures.maxWorkspaces <= 1) {
+        const { plan } = await workspaceApi.assertWorkspaceOwnerPlan(
+          input.workspaceId,
+          ctx
+        );
+
+        if (plan.maxWorkspaces <= 1) {
           throw new Error("Upgrade your plan to manage workspace seats.");
         }
         await syncSeats(input.workspaceId);
@@ -273,18 +289,18 @@ export const workspaceRouter = router({
     .query(async ({ input, ctx }) => {
       try {
         const members = await workspaceApi.listMembers(input, ctx);
-        const extraPaidSeats = await getExtraPaidSeats(
-          members.owner.userId,
-          ctx
-        );
+        const [ownerPlan, extraPaidSeats] = await Promise.all([
+          getPlanFeaturesByOwnerId(members.owner.userId, ctx),
+          getExtraPaidSeats(members.owner.userId, ctx),
+        ]);
         return {
           success: true as const,
           data: {
             ...members,
             // seatsIncluded = seats covered by the Team plan.
             // extraPaidSeats = extra seats from the Seats subscription.
             // Total capacity = included + extras.
-            maxSeats: ctx.planFeatures.seatsIncluded + (extraPaidSeats ?? 0),
+            maxSeats: ownerPlan.seatsIncluded + (extraPaidSeats ?? 0),
           },
         };
       } catch (error) {
@@ -316,8 +332,9 @@ export const workspaceRouter = router({
           throw new Error("Target workspace not found");
         }
 
-        const ownerPlan = await ctx.getOwnerPlanFeatures(
-          targetWorkspace.data.userId
+        const ownerPlan = await getPlanFeaturesByOwnerId(
+          targetWorkspace.data.userId,
+          ctx
         );
 
         if (ownerPlan.maxWorkspaces <= 1) {

packages/asset-uploader/src/upload.test.ts

@@ -11,19 +11,31 @@ import { createUploadName } from "./upload";
 
 const server = createTestServer();
 
-const createContext = (): AppContext =>
+const createContext = ({
+  maxAssetsPerProject = 350,
+  maxWorkspaces = 20,
+  ownerPlanCalls,
+}: {
+  maxAssetsPerProject?: number;
+  maxWorkspaces?: number;
+  ownerPlanCalls?: string[];
+} = {}): AppContext =>
   ({
     ...testContext,
     authorization: { type: "user", userId: "user-1" },
-    getOwnerPlanFeatures: () => Promise.resolve({}),
+    planFeatures: { maxAssetsPerProject: 100 },
+    getOwnerPlanFeatures: (userId: string) => {
+      ownerPlanCalls?.push(userId);
+      return Promise.resolve({ maxAssetsPerProject, maxWorkspaces });
+    },
   }) as unknown as AppContext;
 
 const ownershipHandler = db.get("Project", ({ request }) => {
   const url = new URL(request.url);
   if (url.searchParams.has("userId")) {
     return json({ id: url.searchParams.get("id")?.replace("eq.", "") });
   }
-  return json(null);
+  return json({ userId: "owner-1", workspaceId: null });
 });
 
 describe("createUploadName", () => {
@@ -64,7 +76,6 @@ describe("createUploadName", () => {
         projectId: "project-1",
         type: "image/png",
         filename: "photo.png",
-        maxAssetsPerProject: 350,
       },
       createContext()
     );
@@ -91,10 +102,49 @@ describe("createUploadName", () => {
           projectId: "project-2",
           type: "image/png",
           filename: "photo.png",
-          maxAssetsPerProject: 350,
         },
         createContext()
       )
     ).rejects.toThrow("The maximum number of assets per project is 350.");
   });
+
+  test("uses project owner's asset limit for shared workspace projects", async () => {
+    let insertedFile = false;
+    const ownerPlanCalls: string[] = [];
+
+    server.use(
+      db.get("Project", ({ request }) => {
+        const url = new URL(request.url);
+        if (url.searchParams.has("userId")) {
+          return json(null);
+        }
+        return json({ userId: "team-owner" });
+      }),
+      db.get("WorkspaceProjectAuthorization", () =>
+        json([{ relation: "editors" }])
+      ),
+      db.head("Asset", () => empty({ headers: { "Content-Range": "*/100" } })),
+      db.head("File", () => empty({ headers: { "Content-Range": "*/0" } })),
+      db.post("File", () => {
+        insertedFile = true;
+        return empty({ status: 201 });
+      }),
+      db.post("Asset", () => empty({ status: 201 }))
+    );
+
+    await expect(
+      createUploadName(
+        {
+          assetId: "asset-3",
+          projectId: "workspace-project",
+          type: "image/png",
+          filename: "photo.png",
+        },
+        createContext({ maxAssetsPerProject: 350, ownerPlanCalls })
+      )
+    ).resolves.toMatch(/^photo_.+\.png$/);
+
+    expect(insertedFile).toBe(true);
+    expect(ownerPlanCalls).toEqual(["team-owner"]);
+  });
 });

packages/asset-uploader/src/upload.ts

@@ -2,6 +2,7 @@ import {
   type AppContext,
   authorizeProject,
   AuthorizationError,
+  getProjectPlanFeatures,
 } from "@webstudio-is/trpc-interface/index.server";
 import type { Asset } from "@webstudio-is/sdk";
 import type { AssetClient } from "./client";
@@ -14,7 +15,6 @@ type UploadData = {
   projectId: string;
   type: string;
   filename: string;
-  maxAssetsPerProject: number;
 };
 
 const UPLOADING_STALE_TIMEOUT = 1000 * 60 * 30; // 30 minutes
@@ -23,7 +23,7 @@ export const createUploadName = async (
   data: UploadData,
   context: AppContext
 ): Promise<string> => {
-  const { assetId, projectId, maxAssetsPerProject, type, filename } = data;
+  const { assetId, projectId, type, filename } = data;
   const canEdit = await authorizeProject.hasProjectPermit(
     { projectId, permit: "edit" },
     context
@@ -34,6 +34,11 @@ export const createUploadName = async (
     );
   }
 
+  const { maxAssetsPerProject } = await getProjectPlanFeatures(
+    projectId,
+    context
+  );
+
   /**
    * sometimes for example on request timeout we don't know what happened to the "UPLOADING" asset,
    * so we don't take into account assets with the "UPLOADING" status that were created more