Organization admin roles, space managers, and shareable link branding

apps/web/__tests__/unit/desktop-organization-branding.test.ts

@@ -85,6 +85,7 @@ describe("desktop organization branding", () => {
 	it("filters tombstoned and inaccessible organization rows", () => {
 		const rows = [
 			row({ id: "owned" }),
+			row({ id: "admin", ownerId: "user-2", role: "admin" }),
 			row({ id: "member", ownerId: "user-2", role: "member" }),
 			row({ id: "owner-member", ownerId: "user-2", role: "owner" }),
 			row({ id: "tombstone", tombstoneAt: new Date() }),
@@ -93,7 +94,7 @@ describe("desktop organization branding", () => {
 
 		expect(
 			filterAccessibleOrganizationRows(rows, "user-1").map((r) => r.id),
-		).toEqual(["owned", "member", "owner-member"]);
+		).toEqual(["owned", "admin", "member", "owner-member"]);
 	});
 
 	it("derives owner role and edit access from ownership", () => {
@@ -134,6 +135,12 @@ describe("desktop organization branding", () => {
 				"user-1",
 			),
 		).toBe(false);
+		expect(
+			canEditOrganizationBranding(
+				row({ ownerId: "user-2", role: "admin" }),
+				"user-1",
+			),
+		).toBe(true);
 		expect(
 			canEditOrganizationBranding(row({ tombstoneAt: new Date() }), "user-1"),
 		).toBe(false);
@@ -142,7 +149,7 @@ describe("desktop organization branding", () => {
 				row({ ownerId: "user-2", role: "owner" }),
 				"user-1",
 			),
-		).toBe(true);
+		).toBe(false);
 	});
 
 	it("validates and normalizes branding patch payloads", () => {

apps/web/__tests__/unit/loom-import.test.ts

@@ -629,7 +629,7 @@ describe("importFromLoom", () => {
 			expect.objectContaining({
 				spaceId: "video-123",
 				userId: "user-123",
-				role: "Admin",
+				role: "admin",
 			}),
 		);
 		expect(valuesMock).toHaveBeenCalledWith(

apps/web/__tests__/unit/roles-permissions.test.ts

@@ -0,0 +1,258 @@
+import { describe, expect, it } from "vitest";
+import {
+	canChangeOrganizationMemberRole,
+	canChangeSpaceMemberRole,
+	canManageOrganizationBilling,
+	canManageOrganizationMembers,
+	canManageSpace,
+	canRemoveOrganizationMember,
+	canRemoveSpaceMember,
+	canViewOrganizationSettings,
+	getEffectiveOrganizationRole,
+	getEffectiveSpaceRole,
+	normalizeAssignableOrganizationRole,
+	normalizeOrganizationRole,
+	normalizeSpaceRole,
+} from "@/lib/permissions/roles";
+
+describe("organization role permissions", () => {
+	it("normalizes organization roles and rejects non-assignable owner changes", () => {
+		expect(normalizeOrganizationRole("OWNER")).toBe("owner");
+		expect(normalizeOrganizationRole("admin")).toBe("admin");
+		expect(normalizeOrganizationRole("member")).toBe("member");
+		expect(normalizeOrganizationRole("unknown")).toBeNull();
+		expect(normalizeAssignableOrganizationRole("admin")).toBe("admin");
+		expect(normalizeAssignableOrganizationRole("member")).toBe("member");
+		expect(normalizeAssignableOrganizationRole("owner")).toBeNull();
+	});
+
+	it("derives owner from organization ownership even when membership role differs", () => {
+		expect(
+			getEffectiveOrganizationRole({
+				userId: "user-1",
+				ownerId: "user-1",
+				memberRole: "member",
+			}),
+		).toBe("owner");
+		expect(
+			getEffectiveOrganizationRole({
+				userId: "user-2",
+				ownerId: "user-1",
+				memberRole: "admin",
+			}),
+		).toBe("admin");
+		expect(
+			getEffectiveOrganizationRole({
+				userId: "stale-owner-row",
+				ownerId: "real-owner",
+				memberRole: "owner",
+			}),
+		).toBe("member");
+	});
+
+	it("allows only owners and admins to view and manage organization members", () => {
+		expect(canViewOrganizationSettings("owner")).toBe(true);
+		expect(canViewOrganizationSettings("admin")).toBe(true);
+		expect(canViewOrganizationSettings("member")).toBe(false);
+		expect(canManageOrganizationMembers("owner")).toBe(true);
+		expect(canManageOrganizationMembers("admin")).toBe(true);
+		expect(canManageOrganizationMembers("member")).toBe(false);
+		expect(canManageOrganizationBilling("owner")).toBe(true);
+		expect(canManageOrganizationBilling("admin")).toBe(false);
+	});
+
+	it("lets owners and admins assign admin/member roles to non-owner members", () => {
+		for (const actorRole of ["owner", "admin"] as const) {
+			for (const nextRole of ["admin", "member"] as const) {
+				expect(
+					canChangeOrganizationMemberRole({
+						actorRole,
+						actorUserId: "actor",
+						targetUserId: "target",
+						ownerId: "owner",
+						targetRole: "member",
+						nextRole,
+					}),
+				).toBe(true);
+			}
+		}
+	});
+
+	it("protects organization owners, peer admins, and actor self role from role changes", () => {
+		expect(
+			canChangeOrganizationMemberRole({
+				actorRole: "admin",
+				actorUserId: "admin",
+				targetUserId: "owner",
+				ownerId: "owner",
+				targetRole: "owner",
+				nextRole: "member",
+			}),
+		).toBe(false);
+		expect(
+			canChangeOrganizationMemberRole({
+				actorRole: "admin",
+				actorUserId: "admin-1",
+				targetUserId: "admin-2",
+				ownerId: "owner",
+				targetRole: "admin",
+				nextRole: "member",
+			}),
+		).toBe(false);
+		expect(
+			canChangeOrganizationMemberRole({
+				actorRole: "owner",
+				actorUserId: "owner",
+				targetUserId: "admin",
+				ownerId: "owner",
+				targetRole: "admin",
+				nextRole: "member",
+			}),
+		).toBe(true);
+		expect(
+			canChangeOrganizationMemberRole({
+				actorRole: "admin",
+				actorUserId: "admin",
+				targetUserId: "admin",
+				ownerId: "owner",
+				targetRole: "admin",
+				nextRole: "member",
+			}),
+		).toBe(false);
+		expect(
+			canChangeOrganizationMemberRole({
+				actorRole: "member",
+				actorUserId: "member",
+				targetUserId: "target",
+				ownerId: "owner",
+				targetRole: "member",
+				nextRole: "admin",
+			}),
+		).toBe(false);
+	});
+
+	it("lets admins remove members but never owners, peer admins, or themselves", () => {
+		expect(
+			canRemoveOrganizationMember({
+				actorRole: "admin",
+				actorUserId: "admin",
+				targetUserId: "member",
+				ownerId: "owner",
+				targetRole: "member",
+			}),
+		).toBe(true);
+		expect(
+			canRemoveOrganizationMember({
+				actorRole: "admin",
+				actorUserId: "admin",
+				targetUserId: "owner",
+				ownerId: "owner",
+				targetRole: "owner",
+			}),
+		).toBe(false);
+		expect(
+			canRemoveOrganizationMember({
+				actorRole: "admin",
+				actorUserId: "admin-1",
+				targetUserId: "admin-2",
+				ownerId: "owner",
+				targetRole: "admin",
+			}),
+		).toBe(false);
+		expect(
+			canRemoveOrganizationMember({
+				actorRole: "owner",
+				actorUserId: "owner",
+				targetUserId: "admin",
+				ownerId: "owner",
+				targetRole: "admin",
+			}),
+		).toBe(true);
+		expect(
+			canRemoveOrganizationMember({
+				actorRole: "admin",
+				actorUserId: "admin",
+				targetUserId: "admin",
+				ownerId: "owner",
+				targetRole: "admin",
+			}),
+		).toBe(false);
+	});
+});
+
+describe("space role permissions", () => {
+	it("normalizes current and legacy space admin roles", () => {
+		expect(normalizeSpaceRole("admin")).toBe("admin");
+		expect(normalizeSpaceRole("Admin")).toBe("admin");
+		expect(normalizeSpaceRole("member")).toBe("member");
+		expect(normalizeSpaceRole("owner")).toBeNull();
+	});
+
+	it("treats the creator as a space admin", () => {
+		expect(
+			getEffectiveSpaceRole({
+				userId: "creator",
+				createdById: "creator",
+				memberRole: "member",
+			}),
+		).toBe("admin");
+		expect(
+			getEffectiveSpaceRole({
+				userId: "member",
+				createdById: "creator",
+				memberRole: "Admin",
+			}),
+		).toBe("admin");
+	});
+
+	it("allows organization owners, organization admins, and space admins to manage a space", () => {
+		expect(canManageSpace({ organizationRole: "owner", spaceRole: null })).toBe(
+			true,
+		);
+		expect(canManageSpace({ organizationRole: "admin", spaceRole: null })).toBe(
+			true,
+		);
+		expect(
+			canManageSpace({ organizationRole: "member", spaceRole: "admin" }),
+		).toBe(true);
+		expect(
+			canManageSpace({ organizationRole: "member", spaceRole: "member" }),
+		).toBe(false);
+		expect(canManageSpace({ organizationRole: null, spaceRole: null })).toBe(
+			false,
+		);
+	});
+
+	it("protects the space creator from role changes and removal", () => {
+		expect(
+			canChangeSpaceMemberRole({
+				canManage: true,
+				targetUserId: "creator",
+				createdById: "creator",
+				nextRole: "member",
+			}),
+		).toBe(false);
+		expect(
+			canRemoveSpaceMember({
+				canManage: true,
+				targetUserId: "creator",
+				createdById: "creator",
+			}),
+		).toBe(false);
+		expect(
+			canChangeSpaceMemberRole({
+				canManage: true,
+				targetUserId: "member",
+				createdById: "creator",
+				nextRole: "admin",
+			}),
+		).toBe(true);
+		expect(
+			canRemoveSpaceMember({
+				canManage: true,
+				targetUserId: "member",
+				createdById: "creator",
+			}),
+		).toBe(true);
+	});
+});

apps/web/actions/loom.ts

@@ -568,7 +568,7 @@ async function getOrCreateImportSpace({
 			id: SpaceMemberId.make(nanoId()),
 			spaceId,
 			userId: createdById,
-			role: "Admin",
+			role: "admin",
 		});
 	});