ack PR comments

Author: waleedlatif1

apps/sim/app/api/billing/route.ts

@@ -46,8 +46,22 @@ export async function GET(request: NextRequest) {
       // Get user billing (may include organization if they're part of one)
       billingData = await getSimplifiedBillingSummary(session.user.id, contextId || undefined)
     } else {
+      // Get user role in organization for permission checks first
+      const memberRecord = await db
+        .select({ role: member.role })
+        .from(member)
+        .where(and(eq(member.organizationId, contextId), eq(member.userId, session.user.id)))
+        .limit(1)
+
+      if (memberRecord.length === 0) {
+        return NextResponse.json(
+          { error: 'Access denied - not a member of this organization' },
+          { status: 403 }
+        )
+      }
+
       // Get organization-specific billing
-      const rawBillingData = await getOrganizationBillingData(contextId!)
+      const rawBillingData = await getOrganizationBillingData(contextId)
 
       if (!rawBillingData) {
         return NextResponse.json(
@@ -76,14 +90,7 @@ export async function GET(request: NextRequest) {
         })),
       }
 
-      // Get user role in organization for permission checks
-      const memberRecord = await db
-        .select({ role: member.role })
-        .from(member)
-        .where(and(eq(member.organizationId, contextId!), eq(member.userId, session.user.id)))
-        .limit(1)
-
-      const userRole = memberRecord.length > 0 ? memberRecord[0].role : 'member'
+      const userRole = memberRecord[0].role
 
       return NextResponse.json({
         success: true,

apps/sim/app/api/billing/webhooks/stripe/route.ts

@@ -57,8 +57,14 @@ export async function POST(request: NextRequest) {
       eventType: event.type,
     })
 
-    // Handle invoice events
-    if (event.type.startsWith('invoice.')) {
+    // Handle specific invoice events
+    const supportedEvents = [
+      'invoice.payment_succeeded',
+      'invoice.payment_failed',
+      'invoice.finalized',
+    ]
+
+    if (supportedEvents.includes(event.type)) {
       try {
         await handleInvoiceWebhook(event)
 
@@ -79,10 +85,11 @@ export async function POST(request: NextRequest) {
         return NextResponse.json({ error: 'Failed to process webhook' }, { status: 500 })
       }
     } else {
-      // Not an invoice event, ignore
-      logger.info('Ignoring non-invoice webhook event', {
+      // Not a supported invoice event, ignore
+      logger.info('Ignoring unsupported webhook event', {
         eventId: event.id,
         eventType: event.type,
+        supportedEvents,
       })
 
       return NextResponse.json({ received: true })

apps/sim/app/api/organizations/invitations/accept/route.ts

@@ -131,7 +131,10 @@ export async function GET(req: NextRequest) {
 
       for (const wsInvitation of workspaceInvitations) {
         // Check if invitation hasn't expired
-        if (wsInvitation.expiresAt && new Date() <= wsInvitation.expiresAt) {
+        if (
+          wsInvitation.expiresAt &&
+          new Date().toISOString() <= wsInvitation.expiresAt.toISOString()
+        ) {
           // Check if user isn't already a member of the workspace
           const existingWorkspaceMember = await tx
             .select()
@@ -304,7 +307,10 @@ export async function POST(req: NextRequest) {
         )
 
       for (const wsInvitation of workspaceInvitations) {
-        if (wsInvitation.expiresAt && new Date() <= wsInvitation.expiresAt) {
+        if (
+          wsInvitation.expiresAt &&
+          new Date().toISOString() <= wsInvitation.expiresAt.toISOString()
+        ) {
           const existingWorkspaceMember = await tx
             .select()
             .from(workspaceMember)

apps/sim/app/api/usage-limits/route.ts

@@ -3,16 +3,14 @@ import { getSession } from '@/lib/auth'
 import { getUserUsageLimitInfo, updateUserUsageLimit } from '@/lib/billing'
 import { updateMemberUsageLimit } from '@/lib/billing/core/organization-billing'
 import { createLogger } from '@/lib/logs/console-logger'
+import { isOrganizationOwnerOrAdmin } from '@/lib/permissions/utils'
 
 const logger = createLogger('UnifiedUsageLimitsAPI')
 
 /**
  * Unified Usage Limits Endpoint
  * GET/PUT /api/usage-limits?context=user|member&userId=<id>&organizationId=<id>
  *
- * Replaces:
- * - /api/users/me/usage-limit
- * - /api/organizations/[id]/members/[memberId]/usage-limit
  */
 export async function GET(request: NextRequest) {
   const session = await getSession()
@@ -35,15 +33,42 @@ export async function GET(request: NextRequest) {
       )
     }
 
-    // For member context, require organizationId
-    if (context === 'member' && !organizationId) {
+    // For member context, require organizationId and check permissions
+    if (context === 'member') {
+      if (!organizationId) {
+        return NextResponse.json(
+          { error: 'Organization ID is required when context=member' },
+          { status: 400 }
+        )
+      }
+
+      // Check if the current user has permission to view member usage info
+      const hasPermission = await isOrganizationOwnerOrAdmin(session.user.id, organizationId)
+      if (!hasPermission) {
+        logger.warn('Unauthorized attempt to view member usage info', {
+          requesterId: session.user.id,
+          targetUserId: userId,
+          organizationId,
+        })
+        return NextResponse.json(
+          {
+            error:
+              'Permission denied. Only organization owners and admins can view member usage information',
+          },
+          { status: 403 }
+        )
+      }
+    }
+
+    // For user context, ensure they can only view their own info
+    if (context === 'user' && userId !== session.user.id) {
       return NextResponse.json(
-        { error: 'Organization ID is required when context=member' },
-        { status: 400 }
+        { error: "Cannot view other users' usage information" },
+        { status: 403 }
       )
     }
 
-    // Get usage limit info (same for both contexts)
+    // Get usage limit info
     const usageLimitInfo = await getUserUsageLimitInfo(userId)
 
     return NextResponse.json({
@@ -101,6 +126,30 @@ export async function PUT(request: NextRequest) {
         )
       }
 
+      // Check if the current user has permission to update member limits
+      const hasPermission = await isOrganizationOwnerOrAdmin(session.user.id, organizationId)
+      if (!hasPermission) {
+        logger.warn('Unauthorized attempt to update member usage limit', {
+          adminUserId: session.user.id,
+          targetUserId: userId,
+          organizationId,
+        })
+        return NextResponse.json(
+          {
+            error:
+              'Permission denied. Only organization owners and admins can update member usage limits',
+          },
+          { status: 403 }
+        )
+      }
+
+      logger.info('Authorized member usage limit update', {
+        adminUserId: session.user.id,
+        targetUserId: userId,
+        organizationId,
+        newLimit: limit,
+      })
+
       await updateMemberUsageLimit(organizationId, userId, limit, session.user.id)
     } else {
       return NextResponse.json(
@@ -125,9 +174,6 @@ export async function PUT(request: NextRequest) {
       error,
     })
 
-    return NextResponse.json(
-      { error: error instanceof Error ? error.message : 'Internal server error' },
-      { status: 500 }
-    )
+    return NextResponse.json({ error: 'Internal server error' }, { status: 500 })
   }
 }

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/settings-navigation/settings-navigation.tsx

@@ -25,7 +25,7 @@ interface SettingsNavigationProps {
       | 'team'
       | 'privacy'
   ) => void
-  hasOrganization?: boolean
+  hasOrganization: boolean
 }
 
 type NavigationItem = {
@@ -42,7 +42,6 @@ type NavigationItem = {
   icon: React.ComponentType<{ className?: string }>
   hideInDev?: boolean
   requiresTeam?: boolean
-  requiresOrganization?: boolean
 }
 
 const allNavigationItems: NavigationItem[] = [
@@ -94,7 +93,7 @@ const allNavigationItems: NavigationItem[] = [
 export function SettingsNavigation({
   activeSection,
   onSectionChange,
-  hasOrganization = false,
+  hasOrganization,
 }: SettingsNavigationProps) {
   const { getSubscriptionStatus } = useSubscriptionStore()
   const subscription = getSubscriptionStatus()
@@ -109,11 +108,6 @@ export function SettingsNavigation({
       return false
     }
 
-    // Hide organization tab if user is not part of an organization
-    if (item.requiresOrganization && !hasOrganization) {
-      return false
-    }
-
     return true
   })
 

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/components/edit-member-limit-dialog.tsx

@@ -163,6 +163,7 @@ export function EditMemberLimitDialog({
                 onChange={(e) => setLimitValue(e.target.value)}
                 className='pl-9'
                 min={planMinimum}
+                max={10000}
                 step='1'
                 placeholder={planMinimum.toString()}
               />

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/subscription/components/team-usage-overview.tsx

@@ -42,19 +42,38 @@ export function TeamUsageOverview({ hasAdminAccess }: TeamUsageOverviewProps) {
     setEditDialogOpen(true)
   }
 
-  const handleSaveLimit = async (userId: string, newLimit: number) => {
-    if (!activeOrg?.id) return
+  const handleSaveLimit = async (
+    userId: string,
+    newLimit: number
+  ): Promise<{ success: boolean; error?: string }> => {
+    if (!activeOrg?.id) {
+      return { success: false, error: 'No active organization found' }
+    }
 
     try {
       setIsUpdating(true)
       const result = await updateMemberUsageLimit(userId, activeOrg.id, newLimit)
 
       if (!result.success) {
-        throw new Error(result.error || 'Failed to update usage limit')
+        logger.error('Failed to update usage limit', { error: result.error, userId, newLimit })
+        return { success: false, error: result.error || 'Failed to update usage limit' }
       }
+
+      logger.info('Successfully updated member usage limit', {
+        userId,
+        newLimit,
+        organizationId: activeOrg.id,
+      })
+      return { success: true }
     } catch (error) {
-      logger.error('Failed to update usage limit', { error })
-      throw error
+      const errorMessage = error instanceof Error ? error.message : 'Failed to update usage limit'
+      logger.error('Failed to update usage limit', {
+        error,
+        userId,
+        newLimit,
+        organizationId: activeOrg.id,
+      })
+      return { success: false, error: errorMessage }
     } finally {
       setIsUpdating(false)
     }

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/team-management/components/member-invitation-card.tsx

@@ -220,7 +220,11 @@ export function MemberInvitationCard({
                       {isSelected && (
                         <div className='flex items-center gap-2'>
                           <PermissionSelector
-                            value={(selectedWorkspace?.permission || 'read') as PermissionType}
+                            value={
+                              (['read', 'write', 'admin'].includes(selectedWorkspace?.permission)
+                                ? selectedWorkspace.permission
+                                : 'read') as PermissionType
+                            }
                             onChange={(permission) => onWorkspaceToggle(workspace.id, permission)}
                             disabled={isInviting}
                             className='h-8'

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/team-management/components/no-organization-view.tsx

@@ -50,7 +50,12 @@ export function NoOrganizationView({
                 <label htmlFor='orgName' className='font-medium text-sm'>
                   Team Name
                 </label>
-                <Input value={orgName} onChange={onOrgNameChange} placeholder='My Team' />
+                <Input
+                  id='orgName'
+                  value={orgName}
+                  onChange={onOrgNameChange}
+                  placeholder='My Team'
+                />
               </div>
 
               <div className='space-y-2'>
@@ -62,6 +67,7 @@ export function NoOrganizationView({
                     simstudio.ai/team/
                   </div>
                   <Input
+                    id='orgSlug'
                     value={orgSlug}
                     onChange={(e) => setOrgSlug(e.target.value)}
                     className='rounded-l-none'

apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/settings-modal/components/team-management/components/organization-creation-dialog.tsx

@@ -49,7 +49,7 @@ export function OrganizationCreationDialog({
             <label htmlFor='orgName' className='font-medium text-sm'>
               Team Name
             </label>
-            <Input value={orgName} onChange={onOrgNameChange} placeholder='My Team' />
+            <Input id='orgName' value={orgName} onChange={onOrgNameChange} placeholder='My Team' />
           </div>
 
           <div className='space-y-2'>