`03475a3`

orgs: deny suspended actors on org/team mutations (SR2 C4)

Pre-fix: S30/S31 wired org/team handlers to call orgs.IsOwner
directly without going through policy.Can. A suspended user listed
as an org owner could still invite, change roles, remove members,
accept invitations, create teams, add team members, and grant
team→repo access — bypassing the suspension gate every other
mutation surface enforces. Same shape as SR1 C1, new surface.

Lighter fix per SR2 sprint plan: short-circuit on viewer.IsSuspended
at every point of entry. Heavier fix (real policy.Can actions for
ActionOrgInvite/ActionTeamMemberAdd/...) is correct architecturally
but is a larger refactor; left as forward-link.

Gated:
- requireOrgOwner — covers teamCreate, teamMemberAddRemove,
teamRepoGrant via the existing helper.
- invite — direct IsOwner caller, gated inline.
- memberMutate — direct IsOwner caller, gated inline (covers
changeRole + removeMember).
- invitationAction — accept/decline now denies suspended users.

Read-only IsOwner callers (teamsList, teamView, canSeeTeam,
filterSecretTeams) intentionally NOT gated — suspension blocks
writes, not reads (consistent with SR1).

Authored by

espadonne 3 days ago

SHA: 03475a3d5219dfe818d66600322b6a7322adc95e
Parents: d30741e
Tree: f85137c

2 changed files

Status	File	+	-
M	`internal/web/handlers/orgs/orgs.go`	21	0
M	`internal/web/handlers/orgs/teams.go`	9	0

internal/web/handlers/orgs/orgs.gomodified

  		h.d.Render.HTTPError(w, r, http.StatusUnauthorized, "")
  		return
+ 	}
 +	// Suspended owners are denied with the same 403 as non-owners
 +	// (SR2 C4). Org/team mutations don't currently route through
 +	// policy.Can; this short-circuit mirrors the suspended-actor
 +	// gate every other write surface enforces.
 +	if viewer.IsSuspended {
 +		h.d.Render.HTTPError(w, r, http.StatusForbidden, "")
 +		return
 +	}
  	owner, err := orgs.IsOwner(r.Context(), h.deps(), org.ID, viewer.ID)
  	if err != nil || !owner {
  		h.d.Render.HTTPError(w, r, http.StatusForbidden, "")
  		h.d.Render.HTTPError(w, r, http.StatusUnauthorized, "")
  		return
+ 	}
 +	// Suspended owners denied like non-owners (SR2 C4).
 +	if viewer.IsSuspended {
 +		h.d.Render.HTTPError(w, r, http.StatusForbidden, "")
 +		return
 +	}
  	owner, _ := orgs.IsOwner(r.Context(), h.deps(), org.ID, viewer.ID)
  	if !owner {
  		h.d.Render.HTTPError(w, r, http.StatusForbidden, "")
  		http.Redirect(w, r, "/login?next="+r.URL.Path, http.StatusSeeOther)
  		return
+ 	}
 +	// Suspended users can't act on invitations either way (SR2 C4).
 +	// Joining an org while suspended would let them participate in
 +	// org-scoped actions; declining is harmless but the consistent
 +	// gate makes the surface uniform.
 +	if viewer.IsSuspended {
 +		h.d.Render.HTTPError(w, r, http.StatusForbidden, "")
 +		return
 +	}
  	tok := chi.URLParam(r, "token")
  	inv, err := orgs.LookupInvitationByToken(r.Context(), h.deps(), tok)
  	if err != nil {

internal/web/handlers/orgs/teams.gomodified

  		http.Redirect(w, r, "/login?next="+r.URL.Path, http.StatusSeeOther)
  		return false
+ 	}
 +	// Suspended actors get the same 403 as non-owners. Mirrors the
 +	// suspended gate the policy package enforces on every other
 +	// mutation surface — this gate doesn't go through policy.Can yet
 +	// (the org/team actions aren't in the policy enum), so we
 +	// short-circuit here (SR2 C4). Same shape as SR1 C1 fix.
 +	if viewer.IsSuspended {
 +		h.d.Render.HTTPError(w, r, http.StatusForbidden, "")
 +		return false
 +	}
  	owner, _ := orgs.IsOwner(r.Context(), h.deps(), orgID, viewer.ID)
  	if !owner {
  		h.d.Render.HTTPError(w, r, http.StatusForbidden, "")