Always implement comprehensive authorization checks that verify user permissions at the appropriate hierarchy level (individual → team → organization) before allowing operations. Consider multiple permission levels and provide proper fallbacks when users have different roles across teams or organizations.
Key principles:
Example implementation:
// Level 1: individual ownership. The acting user may always reschedule their own booking.
const userReschedulingIsOwner = isUserReschedulingOwner(userId, originalRescheduledBooking?.userId);

// Level 2: team-level permissions. Only consulted for team event types that actually
// carry a teamId; an OWNER or ADMIN membership on that team is sufficient.
let isTeamOwnerOrAdmin = false;
if (isTeamEventType && originalRescheduledBooking?.eventType?.teamId) {
  const membership = await prisma.membership.findFirst({
    where: {
      teamId: originalRescheduledBooking.eventType.teamId,
      userId: user?.id, // the acting user (same principal as userId above)
      role: { in: [MembershipRole.OWNER, MembershipRole.ADMIN] },
    },
  });
  isTeamOwnerOrAdmin = !!membership;
}

// Level 3: organization-level permissions. An explicit "organization.adminApi" grant
// passes; otherwise fallbackRoles lets an org OWNER/ADMIN through. `teamId` here is
// the team/org the booking belongs to and is assumed to be in scope.
const hasOrgPermission = await permissionCheckService.checkPermission({
  userId,
  teamId,
  permission: "organization.adminApi",
  fallbackRoles: [MembershipRole.OWNER, MembershipRole.ADMIN],
});

// Deny only when every level of the hierarchy fails.
if (!userReschedulingIsOwner && !isTeamOwnerOrAdmin && !hasOrgPermission) {
  throw new TRPCError({ code: "FORBIDDEN", message: "Insufficient permissions" });
}
This prevents unauthorized access by ensuring users can only perform operations they have legitimate permissions for, whether through direct ownership, team membership, or organizational authority.
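The same individual -> team -> organization ladder as a self-contained, in-memory example (added here; not code from the page's project). The types, the `authorizeReschedule` function, the `"orgId:userId"` grant map and the sample data are all assumptions made for illustration; organizations are modelled as teams so the fallback-role path can be shown.

```typescript
// Added example: hierarchical authorization check with in-memory data (assumed names).
type Role = "OWNER" | "ADMIN" | "MEMBER";
interface Booking { id: number; userId: number; teamId?: number; orgId?: number }
interface Membership { userId: number; teamId: number; role: Role }
interface AuthzContext {
  memberships: Membership[];
  orgGrants: Map<string, Set<string>>; // "orgId:userId" -> explicit permissions
}
export type Decision = { allowed: true; via: "owner" | "team" | "org" } | { allowed: false };

// Roles that qualify when no explicit organization permission is granted.
const FALLBACK_ROLES: Role[] = ["OWNER", "ADMIN"];

function isOwner(userId: number, booking: Booking): boolean {
  return booking.userId === userId;
}

function isTeamOwnerOrAdmin(ctx: AuthzContext, userId: number, teamId?: number): boolean {
  if (teamId === undefined) return false; // personal booking: no team level to check
  return ctx.memberships.some(
    (m) => m.userId === userId && m.teamId === teamId && FALLBACK_ROLES.includes(m.role));
}

function hasOrgPermission(ctx: AuthzContext, userId: number, orgId: number | undefined,
                          permission: string): boolean {
  if (orgId === undefined) return false; // booking not under an organization
  if (ctx.orgGrants.get(`${orgId}:${userId}`)?.has(permission)) return true; // explicit grant
  // Fallback: OWNER/ADMIN membership on the organization itself also qualifies.
  return ctx.memberships.some(
    (m) => m.userId === userId && m.teamId === orgId && FALLBACK_ROLES.includes(m.role));
}

// Walk the hierarchy; the first level that grants access decides, denial only if all fail.
export function authorizeReschedule(ctx: AuthzContext, userId: number, booking: Booking): Decision {
  if (isOwner(userId, booking)) return { allowed: true, via: "owner" };
  if (isTeamOwnerOrAdmin(ctx, userId, booking.teamId)) return { allowed: true, via: "team" };
  if (hasOrgPermission(ctx, userId, booking.orgId, "organization.adminApi")) {
    return { allowed: true, via: "org" };
  }
  return { allowed: false };
}

// Constructed sample data: user 1 owns both bookings; team 10 belongs to org 100.
export const sampleCtx: AuthzContext = {
  memberships: [
    { userId: 2, teamId: 10, role: "ADMIN" },   // team admin of team 10
    { userId: 3, teamId: 10, role: "MEMBER" },  // plain member: must be denied
    { userId: 4, teamId: 100, role: "OWNER" },  // org owner: passes via fallback role
  ],
  orgGrants: new Map([["100:5", new Set(["organization.adminApi"])]]), // explicit grant
};
export const teamBooking: Booking = { id: 1, userId: 1, teamId: 10, orgId: 100 };
export const personalBooking: Booking = { id: 2, userId: 1 };
```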