fix(webapp): scope team-member removal to the caller's org

[lissy93]

Closes #nothing

✅ Checklist

• I have followed every step in the contributing guide
• The PR title follows the convention.
• I ran and tested the code works

---

Testing

• pnpm run typecheck --filter webapp passes
• Traced the only caller (_app.orgs.$organizationSlug.settings.team/route.tsx): the rendered memberId always comes from the org-scoped loader, so every legitimate request (self-leave or removing a same-org member) still matches and succeeds
• A cross-org memberId now resolves to no record; the delete throws P2025, which the route already catches and returns as a 400, so no crash

---

Changelog

Scope removeTeamMember deletes to the caller's organization, fixing a cross-org member-deletion IDOR

Previously, a member of any org could delete a row from any other org, if they knew their id. And they do know their ID, since OrgMember.id is rendered into a hidden form input on the team-settings page.

Note that I previously opened this as a private PR about a month ago, here. But I think this is safe to open publicly, since it doesn't reveal the other steps needed to exploit the full account take over (which I documented in GHSA-58mc-m3qq-6qrh.

I submitted a vouch request in #3539 - could you take a look please?

---

Screenshots

N/A — server-side authorization fix

💯

[changeset-bot]

⚠️ No Changeset found

Latest commit: f572087

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 4b81768d-5eb1-4e24-9a2e-c5a90b6d03d1

📥 Commits

Reviewing files that changed from the base of the PR and between 85886b9 and f572087.

📒 Files selected for processing (2)

• .server-changes/remove-team-member-org-scope.md
• apps/webapp/app/models/member.server.ts

---

Walkthrough

This PR fixes an organization-scoping vulnerability in the removeTeamMember function. The delete operation now constrains the query by both member ID and the resolved organization context, preventing cross-organization member deletion that could occur when deletion was previously keyed by member ID alone. A change-log entry documents the security fix.

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

Hi @lissy93, thanks for your interest in contributing!

This project requires that pull request authors are vouched, and you are not in the list of vouched users.

This PR will be closed automatically. See https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md for more details.

[lissy93]

This project requires that pull request authors are vouched, and you are not in the list of vouched users.
This PR will be closed automatically. See https://github.com/triggerdotdev/trigger.dev/blob/main/CONTRIBUTING.md for more details.

I did, about a month ago, in #3539 - but am still waiting 😭

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 1 additional finding.