fix(webapp): harden RBAC org scoping and write-tier gating

Resolve the RBAC organization from the primary so the role check is never
evaluated without an org scope under replica lag: run cancel/replay fall back
to the primary when the replica and buffer both miss, and the bulk-action
routes read the org from the primary directly. Pin the buffered replay
environment lookup to the buffer entry org so a malformed entry cannot resolve
an environment in another org.

Gate the seat-purchase modal on billing permission on the invite page, and gate
environment-variable creation on write access rather than read access.

Author: matt-aitken

apps/webapp/app/routes/_app.orgs.$organizationSlug.invite/route.tsx

@@ -58,7 +58,7 @@ export const loader = dashboardLoader(
       message: "With your current role, you can't invite team members.",
     },
   },
-  async ({ user, context }) => {
+  async ({ user, context, ability }) => {
     const organizationId = context.organizationId;
     if (!organizationId) {
       throw new Response("Not Found", { status: 404 });
@@ -98,7 +98,11 @@ export const loader = dashboardLoader(
           .map((r) => r.id)
       : [];
 
-    return typedjson({ ...result, offerableRoleIds });
+    // Buying seats is a billing operation: surface whether this user can, so
+    // the purchase modal disables its trigger (the team action enforces it).
+    const canManageBilling = ability.can("manage", { type: "billing" });
+
+    return typedjson({ ...result, offerableRoleIds, canManageBilling });
   }
 );
 
@@ -269,6 +273,7 @@ export default function Page() {
     planSeatLimit,
     roles,
     offerableRoleIds,
+    canManageBilling,
   } = useTypedLoaderData<typeof loader>();
   const [total, setTotal] = useState(limits.used);
   const organization = useOrganization();
@@ -324,6 +329,7 @@ export default function Page() {
                   usedSeats={limits.used}
                   maxQuota={maxSeatQuota}
                   planSeatLimit={planSeatLimit}
+                  canManageBilling={canManageBilling}
                   triggerButton={<Button variant="primary/small">Purchase more seats…</Button>}
                 />
               }

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.bulk-actions.$bulkActionParam/route.tsx

@@ -26,7 +26,7 @@ import { redirectWithErrorMessage, redirectWithSuccessMessage } from "~/models/m
 import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { BulkActionPresenter } from "~/presenters/v3/BulkActionPresenter.server";
-import { $replica } from "~/db.server";
+import { prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
 import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { checkPermissions } from "~/services/routeBuilders/permissions.server";
@@ -46,7 +46,10 @@ const BulkActionParamSchema = EnvironmentParamSchema.extend({
 });
 
 async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
+  // Resolve from the primary (not the replica) so the RBAC auth scope is never
+  // resolved without an org under replica lag, which would let the role check
+  // run unscoped under the enterprise plugin.
+  const org = await prisma.organization.findFirst({ where: { slug }, select: { id: true } });
   return org?.id ?? null;
 }
 

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables.new/route.tsx

@@ -212,8 +212,9 @@ export default function Page() {
     parentData,
     "Environment variables page loader data must be defined when rendering the create dialog"
   );
-  const { environments, hasStaging, accessibleEnvironmentIds } = parentData;
-  const accessibleEnvironmentIdSet = new Set(accessibleEnvironmentIds);
+  const { environments, hasStaging, writableEnvironmentIds } = parentData;
+  // Creating a variable is a write, so gate the targets on write access.
+  const writableEnvironmentIdSet = new Set(writableEnvironmentIds);
   const lastSubmission = useActionData();
   const navigation = useNavigation();
   const navigate = useNavigate();
@@ -310,7 +311,7 @@ export default function Page() {
               )}
               <div className="flex items-center gap-2">
                 {nonBranchEnvironments.map((environment) =>
-                  accessibleEnvironmentIdSet.has(environment.id) ? (
+                  writableEnvironmentIdSet.has(environment.id) ? (
                     <CheckboxWithLabel
                       key={environment.id}
                       id={environment.id}

apps/webapp/app/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.environment-variables/route.tsx

@@ -149,6 +149,12 @@ export const loader = dashboardLoader(
         .map((env) => env.id);
       const accessible = new Set(accessibleEnvironmentIds);
 
+      // Write access is a separate grant from read: gate write controls (edit,
+      // delete, create) on this set, not on read-accessibility.
+      const writableEnvironmentIds = environments
+        .filter((env) => ability.can("write", { type: "envvars", envType: env.type }))
+        .map((env) => env.id);
+
       // Withhold values (and the "who/when" metadata) for environments the
       // role can't read — never serialize them to the client.
       const masked: MaskedEnvironmentVariable[] = environmentVariables.map((variable) =>
@@ -170,6 +176,7 @@ export const loader = dashboardLoader(
         hasStaging,
         vercelIntegration,
         accessibleEnvironmentIds,
+        writableEnvironmentIds,
       });
     } catch (error) {
       console.error(error);

apps/webapp/app/routes/resources.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs.bulkaction.tsx

@@ -51,7 +51,7 @@ import { findProjectBySlug } from "~/models/project.server";
 import { findEnvironmentBySlug } from "~/models/runtimeEnvironment.server";
 import { CreateBulkActionPresenter } from "~/presenters/v3/CreateBulkActionPresenter.server";
 import { RUNS_BULK_INSPECTOR_UI_SEARCH_PARAMS } from "~/routes/_app.orgs.$organizationSlug.projects.$projectParam.env.$envParam.runs._index/shouldRevalidateRunsList";
-import { $replica } from "~/db.server";
+import { $replica, prisma } from "~/db.server";
 import { logger } from "~/services/logger.server";
 import { dashboardAction, dashboardLoader } from "~/services/routeBuilders/dashboardBuilder";
 import { checkPermissions } from "~/services/routeBuilders/permissions.server";
@@ -60,7 +60,10 @@ import { EnvironmentParamSchema, v3BulkActionPath } from "~/utils/pathBuilder";
 import { BulkActionService } from "~/v3/services/bulk/BulkActionV2.server";
 
 async function resolveOrgIdFromSlug(slug: string): Promise<string | null> {
-  const org = await $replica.organization.findFirst({ where: { slug }, select: { id: true } });
+  // Resolve from the primary (not the replica) so the RBAC auth scope is never
+  // resolved without an org under replica lag, which would let the role check
+  // run unscoped under the enterprise plugin.
+  const org = await prisma.organization.findFirst({ where: { slug }, select: { id: true } });
   return org?.id ?? null;
 }
 

apps/webapp/app/routes/resources.taskruns.$runParam.cancel.ts

@@ -30,7 +30,19 @@ async function resolveRunOrganizationId(runParam: string): Promise<string | null
 
   const buffer = getMollifierBuffer();
   const entry = buffer ? await buffer.getEntry(runParam) : null;
-  return entry?.orgId ?? null;
+  if (entry?.orgId) {
+    return entry.orgId;
+  }
+
+  // Replica lag with the buffer entry already drained: the run can exist in
+  // the primary while both lookups above miss. Fall back to the primary so the
+  // RBAC scope is never resolved without an org (which would let the role check
+  // run unscoped under the enterprise plugin).
+  const primaryRun = await prisma.taskRun.findFirst({
+    where: { friendlyId: runParam },
+    select: { project: { select: { organizationId: true } } },
+  });
+  return primaryRun?.project.organizationId ?? null;
 }
 
 export const action = dashboardAction(

apps/webapp/app/routes/resources.taskruns.$runParam.replay.ts

@@ -267,7 +267,19 @@ async function resolveRunOrganizationId(runParam: string): Promise<string | null
 
   const buffer = getMollifierBuffer();
   const entry = buffer ? await buffer.getEntry(runParam) : null;
-  return entry?.orgId ?? null;
+  if (entry?.orgId) {
+    return entry.orgId;
+  }
+
+  // Replica lag with the buffer entry already drained: the run can exist in
+  // the primary while both lookups above miss. Fall back to the primary so the
+  // RBAC scope is never resolved without an org (which would let the role check
+  // run unscoped under the enterprise plugin).
+  const primaryRun = await prisma.taskRun.findFirst({
+    where: { friendlyId: runParam },
+    select: { project: { select: { organizationId: true } } },
+  });
+  return primaryRun?.project.organizationId ?? null;
 }
 
 export const action = dashboardAction(
@@ -351,7 +363,9 @@ export const action = dashboardAction(
           });
           if (synthetic) {
             const envRow = await prisma.runtimeEnvironment.findFirst({
-              where: { id: entry.envId },
+              // Pin to the buffer entry's org so a malformed entry can't
+              // resolve an environment in a different org.
+              where: { id: entry.envId, project: { organizationId: entry.orgId } },
               select: {
                 slug: true,
                 project: { select: { slug: true, organization: { select: { slug: true } } } },