From f5720878e4c1ce4458f8787f9bb8143357c79f20 Mon Sep 17 00:00:00 2001
From: Alicia Sykes
Date: Fri, 5 Jun 2026 11:49:35 +0100
Subject: [PATCH] fix(webapp): scope team-member removal to the caller's org
---
 .server-changes/remove-team-member-org-scope.md | 6 ++++++
 apps/webapp/app/models/member.server.ts | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 .server-changes/remove-team-member-org-scope.md
diff --git a/.server-changes/remove-team-member-org-scope.md b/.server-changes/remove-team-member-org-scope.md
new file mode 100644
index 00000000000..da60f61d78d
--- /dev/null
+++ b/.server-changes/remove-team-member-org-scope.md
@@ -0,0 +1,6 @@
+---
+area: webapp
+type: fix
+---
+
+Scope the `removeTeamMember` delete to the resolved organization so a member can only be deleted from the org they belong to. Previously the delete was keyed by `OrgMember.id` alone, letting a privileged caller in one org delete members of an unrelated org by id (cross-org IDOR).
diff --git a/apps/webapp/app/models/member.server.ts b/apps/webapp/app/models/member.server.ts
index b88fc7e11c0..708117d2f62 100644
--- a/apps/webapp/app/models/member.server.ts
+++ b/apps/webapp/app/models/member.server.ts
@@ -76,6 +76,7 @@ export async function removeTeamMember({
   return prisma.orgMember.delete({
     where: {
       id: memberId,
+      organizationId: org.id,
     },
     include: {
       organization: true,
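Review bot: The added `organizationId: org.id` inside the `where` of `prisma.orgMember.delete` depends on Prisma accepting a non-unique column next to the unique `id` in a delete filter, which is only supported on Prisma 5.x (or 4.5+ with the `extendedWhereUnique` preview feature); on an older client this line fails to type-check, so confirm the workspace's Prisma version before merging. Also note that when the member exists but belongs to a different org, `delete` does not return null — it rejects with a `PrismaClientKnownRequestError` whose `code` is `P2025`, so the caller should map that to a not-found/forbidden response rather than let it surface as a 500; `removeTeamMember` begins and `org` is resolved outside this hunk, so I cannot see whether that is already handled. A regression test that calls `removeTeamMember` with a member id from an unrelated org and asserts both the rejection and that the row still exists would keep this scoping from being lost in a later refactor.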