fix(permissions): remove permissions granted by org membership #1206

Merged
waleedlatif1 merged 2 commits into staging from fix/workspace-permissions
Aug 31, 2025
@waleedlatif1
Collaborator

Summary

remove cross-functional permissions granted by org membership. previously, we coupled org membership with permissions access, but we've decoupled them to keep all permissions at the workspace-level. this ensures that users only have access to workspaces and workplaces they own or have been invited to, regardless of their organization membership

patches #995

Type of Change

  • Bug fix

Testing

unit tests, tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Contributor

@greptile-apps greptile-apps bot left a comment

Greptile Summary

This PR implements a critical security fix that addresses a vulnerability where organization membership granted excessive cross-functional permissions to workspaces. Previously, being an admin of ANY organization would allow users to gain admin access to workspaces owned by ANY member of that organization, creating unintended cross-workspace access that violated the principle of least privilege.

The core changes involve:

  1. Permission Model Restructuring: Removed the vulnerable isOrganizationAdminForWorkspace function from lib/permissions/utils.ts and simplified hasWorkspaceAdminAccess to only check workspace ownership or direct admin permissions

  2. Function Relocation: Moved isOrganizationOwnerOrAdmin from the general permissions utilities to lib/billing/core/organization.ts to properly scope it within billing operations rather than general workspace access control

  3. Workspace Access Isolation: Updated getManageableWorkspaces to only return workspaces that users directly own or have been explicitly granted admin permissions to, removing any organization-based access paths

  4. Import Path Updates: Consolidated organization billing imports and updated routes like api/billing/route.ts and api/usage-limits/route.ts to use the reorganized billing modules

  5. Logging Standardization: Replaced numerous console.error calls across the codebase with structured logging using createLogger, improving observability and debugging capabilities throughout the application

The security fix ensures that workspace permissions are now purely workspace-centric, with users only having access to workspaces they own or have been explicitly invited to, regardless of their organization membership status. This decoupling creates clearer security boundaries and prevents the unauthorized access scenarios described in issue #995.

Confidence score: 5/5

  • This PR successfully addresses a critical security vulnerability with well-tested changes that properly isolate workspace permissions
  • Score reflects comprehensive permission model restructuring with extensive test coverage and clear security improvements
  • No files require special attention as the changes follow established patterns and include proper error handling

31 files reviewed, no comments
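
The access rule change summarized in the review above, modeled in memory as an added example; it is not code from this PR or from the project. The data shapes, sample users, and the helpers `hasDirectAdmin`, `isOrgAdminOverOwner`, `hasWorkspaceAdminAccessCoupled` and `manageable` are assumptions made for illustration; only the name `hasWorkspaceAdminAccess` comes from the page, and its body here is assumed.

```typescript
// Simplified in-memory model (assumed data shapes, not the project's schema).
type Role = "owner" | "admin" | "member";
interface OrgMember { orgId: string; userId: string; role: Role }
interface Workspace { id: string; ownerId: string }
interface WorkspacePermission { workspaceId: string; userId: string; level: "admin" | "write" | "read" }

// Constructed sample data: alice administers org1, bob is a plain member of org1.
const orgMembers: OrgMember[] = [
  { orgId: "org1", userId: "alice", role: "admin" },
  { orgId: "org1", userId: "bob", role: "member" },
];
const workspaces: Workspace[] = [
  { id: "ws-alice", ownerId: "alice" },
  { id: "ws-bob", ownerId: "bob" },     // bob never invited alice here
  { id: "ws-shared", ownerId: "bob" },  // bob explicitly granted alice admin here
];
const permissions: WorkspacePermission[] = [
  { workspaceId: "ws-shared", userId: "alice", level: "admin" },
];

// Direct grant: the user owns the workspace or holds an explicit admin permission on it.
function hasDirectAdmin(userId: string, ws: Workspace): boolean {
  return ws.ownerId === userId ||
    permissions.some(p => p.workspaceId === ws.id && p.userId === userId && p.level === "admin");
}

// Org-derived path as the review describes it: an org owner/admin is treated as
// admin of any workspace owned by a member of that same org.
function isOrgAdminOverOwner(userId: string, ws: Workspace): boolean {
  return orgMembers.some(a =>
    a.userId === userId && a.role !== "member" &&
    orgMembers.some(m => m.orgId === a.orgId && m.userId === ws.ownerId));
}

// Before: workspace access coupled to organization membership.
function hasWorkspaceAdminAccessCoupled(userId: string, ws: Workspace): boolean {
  return hasDirectAdmin(userId, ws) || isOrgAdminOverOwner(userId, ws);
}

// After: only ownership or an explicit workspace-level admin grant counts.
function hasWorkspaceAdminAccess(userId: string, ws: Workspace): boolean {
  return hasDirectAdmin(userId, ws);
}

// Workspace ids a user may manage under a given check, for comparing the two models.
function manageable(userId: string, check: (u: string, w: Workspace) => boolean): string[] {
  return workspaces.filter(w => check(userId, w)).map(w => w.id);
}
```

Comparing `manageable("alice", hasWorkspaceAdminAccessCoupled)` with `manageable("alice", hasWorkspaceAdminAccess)` shows `ws-bob` dropping out while the explicitly shared workspace stays, which is the regression assertion worth keeping in a permissions test suite.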

@waleedlatif1 waleedlatif1 changed the title from "fix(permissions): remove cross-functional permissions granted by org membership" to "fix(permissions): remove permissions granted by org membership" Aug 31, 2025
@waleedlatif1 waleedlatif1 merged commit 76889fd into staging Aug 31, 2025
3 of 4 checks passed
@waleedlatif1 waleedlatif1 deleted the fix/workspace-permissions branch August 31, 2025 01:14
waleedlatif1 added a commit that referenced this pull request Sep 1, 2025
* fix(permissions): remove cross-functional permissions granted by org membership

* code hygiene
arenadeveloper02 pushed a commit to arenadeveloper02/p2-sim that referenced this pull request Sep 19, 2025
…udioai#1206)

* fix(permissions): remove cross-functional permissions granted by org membership

* code hygiene