fix(webapp): scope member removal and run replay to the caller org

Member removal looked up and deleted an orgMember by its globally unique id
without binding it to the resolved organization, so a manager in one org could
remove members of another by submitting a foreign id. Scope the lookup and
delete to the org at both the route and the model layer, and reject a foreign
id.

A run replay can target a different environment, but the user-supplied override
was forwarded to the trigger service without scoping, so a run could be created
in another tenant environment. Validate the override belongs to the source
run project before triggering.

When the inviter has no resolvable role, the role-ladder check returned true and
offered every role including the highest. Fail closed instead: the invite still
proceeds, but assigning an explicit role is refused.

Author: matt-aitken

apps/webapp/app/models/member.server.ts

@@ -73,15 +73,24 @@ export async function removeTeamMember({
     throw new Error("User does not have access to this organization");
   }
 
-  return prisma.orgMember.delete({
-    where: {
-      id: memberId,
-    },
+  // Scope the target to this org. A member id is a globally unique key, so
+  // deleting by id alone would remove members of other orgs; bind it to the
+  // resolved org and reject a foreign id.
+  const member = await prisma.orgMember.findFirst({
+    where: { id: memberId, organizationId: org.id },
     include: {
       organization: true,
       user: true,
     },
   });
+
+  if (!member) {
+    throw new Error("Member not found in this organization");
+  }
+
+  await prisma.orgMember.delete({ where: { id: member.id } });
+
+  return member;
 }
 
 export async function inviteMembers({

apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx

@@ -132,12 +132,11 @@ function isAtOrBelow(
   inviterRoleId: string | null,
   invitedRoleId: string
 ): boolean {
-  // No RBAC role on inviter (e.g. the runtime fallback couldn't derive
-  // one) → fall back to the legacy OrgMember.role check the calling
-  // code already enforces. Allow the invite to proceed; the action
-  // would have already failed earlier if the inviter wasn't allowed
-  // to invite at all.
-  if (!inviterRoleId) return true;
+  // No resolvable role for the inviter → fail closed: we can't confirm a
+  // target role is at or below an unknown level, so refuse it. The invite
+  // itself still proceeds (it's gated by manage:members); only assigning an
+  // explicit role is refused, and the picker offers nothing in this case.
+  if (!inviterRoleId) return false;
   const level = buildRoleLevel(roles);
   const inviter = level[inviterRoleId];
   const invited = level[invitedRoleId];

apps/webapp/app/routes/_app.orgs.$organizationSlug.settings.team/route.tsx

@@ -253,17 +253,24 @@ export const action = dashboardAction(
       return json(submission);
     }
 
-    // Default intent: remove a member or leave the org. Self-leave (the
-    // actor removing their own membership) is always allowed. Removing
-    // another member requires `manage:members` — pre-RBAC the
-    // `removeTeamMember` model fn only verified the actor was a member
-    // of the target org, so any org member could remove any other
-    // member by id; this gate fixes that latent permissions hole.
+    // Default intent: remove a member or leave the org. Scope the target to
+    // the actor's organization: an orgMember id is a globally unique key, so an
+    // unscoped lookup (plus an unscoped delete in the model) would let a
+    // manager in one org remove members of another by submitting a foreign id.
+    // Self-leave is always allowed; removing someone else requires
+    // manage:members.
+    const orgId = context.organizationId;
+    if (!orgId) {
+      return json({ ok: false, error: "Organization not found" } as const, { status: 404 });
+    }
     const targetMember = await $replica.orgMember.findFirst({
-      where: { id: submission.value.memberId },
+      where: { id: submission.value.memberId, organizationId: orgId },
       select: { userId: true },
     });
-    const isSelfLeave = targetMember?.userId === userId;
+    if (!targetMember) {
+      return json({ ok: false, error: "Member not found" } as const, { status: 404 });
+    }
+    const isSelfLeave = targetMember.userId === userId;
     if (!isSelfLeave && !ability.can("manage", { type: "members" })) {
       return json({ ok: false, error: "Unauthorized" } as const, { status: 403 });
     }

apps/webapp/app/routes/resources.taskruns.$runParam.replay.ts

@@ -382,6 +382,31 @@ export const action = dashboardAction(
         return redirectWithErrorMessage(submission.value.failedRedirect, request, "Run not found");
       }
 
+      // A replay can target a different environment, but only within the source
+      // run's own project. The override id is user-supplied and the downstream
+      // service looks it up without scoping, so confirm it belongs to this
+      // project before triggering, otherwise a run could be created in another
+      // tenant's environment.
+      if (submission.value.environment) {
+        const overrideEnvironment = await prisma.runtimeEnvironment.findFirst({
+          where: {
+            id: submission.value.environment,
+            project: {
+              slug: taskRun.project.slug,
+              organization: { slug: taskRun.project.organization.slug },
+            },
+          },
+          select: { id: true },
+        });
+        if (!overrideEnvironment) {
+          return redirectWithErrorMessage(
+            submission.value.failedRedirect,
+            request,
+            "Environment not found"
+          );
+        }
+      }
+
       const replayRunService = new ReplayTaskRunService();
       const newRun = await replayRunService.call(taskRun, {
         environmentId: submission.value.environment,