fix: scope bulk user deletion to callers organization (calcom#28872)

pedroccastro · web-flow · commit d25130274f3a · 2026-04-14T08:29:46.000-03:00
diff --git a/apps/web/playwright/lib/orgMigration.ts b/apps/web/playwright/lib/orgMigration.ts
@@ -653,6 +653,7 @@ async function dbRemoveUserFromOrg({
 
   await ProfileRepository.deleteMany({
     userIds: [userToRemoveFromOrg.id],
+    organizationId: userToRemoveFromOrg.organizationId!,
   });
 }
 
diff --git a/packages/features/profile/repositories/ProfileRepository.ts b/packages/features/profile/repositories/ProfileRepository.ts
@@ -400,10 +400,10 @@ export class ProfileRepository implements IProfileRepository {
     });
   }
 
-  static deleteMany({ userIds }: { userIds: number[] }) {
+  static deleteMany({ userIds, organizationId }: { userIds: number[]; organizationId: number }) {
     // Even though there can be just one profile matching a userId and organizationId, we are using deleteMany as it won't error if the profile doesn't exist
     return prisma.profile.deleteMany({
-      where: { userId: { in: userIds } },
+      where: { userId: { in: userIds }, organizationId },
     });
   }
 
diff --git a/packages/trpc/server/routers/viewer/organizations/bulkDeleteUsers.handler.ts b/packages/trpc/server/routers/viewer/organizations/bulkDeleteUsers.handler.ts
@@ -82,6 +82,7 @@ export async function bulkDeleteUsersHandler({ ctx, input }: BulkDeleteUsersHand
       id: {
         in: input.userIds,
       },
+      organizationId: currentUserOrgId,
     },
     data: {
       organizationId: null,
@@ -130,6 +131,7 @@ export async function bulkDeleteUsersHandler({ ctx, input }: BulkDeleteUsersHand
 
   const removeProfiles = ProfileRepository.deleteMany({
     userIds: input.userIds,
+    organizationId: currentUserOrgId,
   });
 
   // We do this in a transaction to make sure that all memberships are removed before we remove the organization relation from the user

Original file line number	Diff line number	Diff line change
`@@ -653,6 +653,7 @@ async function dbRemoveUserFromOrg({`
`653`	`653`
`654`	`654`	`await ProfileRepository.deleteMany({`
`655`	`655`	`userIds: [userToRemoveFromOrg.id],`
	`656`	`+ organizationId: userToRemoveFromOrg.organizationId!,`
`656`	`657`	`});`
`657`	`658`	`}`
`658`	`659`
Original file line number	Diff line number	Diff line change
`@@ -400,10 +400,10 @@ export class ProfileRepository implements IProfileRepository {`
`400`	`400`	`});`
`401`	`401`	`}`
`402`	`402`
`403`		`- static deleteMany({ userIds }: { userIds: number[] }) {`
	`403`	`+ static deleteMany({ userIds, organizationId }: { userIds: number[]; organizationId: number }) {`
`404`	`404`	`// Even though there can be just one profile matching a userId and organizationId, we are using deleteMany as it won't error if the profile doesn't exist`
`405`	`405`	`return prisma.profile.deleteMany({`
`406`		`- where: { userId: { in: userIds } },`
	`406`	`+ where: { userId: { in: userIds }, organizationId },`
`407`	`407`	`});`
`408`	`408`	`}`
`409`	`409`