@@ -4,7 +4,10 @@ import { z } from "zod";
44import { prisma } from "~/db.server" ;
55import { DeleteOrganizationService } from "~/services/deleteOrganization.server" ;
66import { logger } from "~/services/logger.server" ;
7- import { resolveOrganizationForApiUser } from "~/services/organizationApiAccess.server" ;
7+ import {
8+ authorizePatOrganizationAccess ,
9+ resolveOrganizationForApiUser ,
10+ } from "~/services/organizationApiAccess.server" ;
811import { authenticateApiRequestWithPersonalAccessToken } from "~/services/personalAccessToken.server" ;
912
1013const ParamsSchema = z . object ( {
@@ -34,8 +37,6 @@ export async function action({ request, params }: ActionFunctionArgs) {
3437 return json ( { error : "Invalid or Missing Access Token" } , { status : 401 } ) ;
3538 }
3639
37- // Org delete/rename are membership-scoped only — the dashboard settings
38- // route gates them on membership, not an RBAC ability.
3940 const organization = await resolveOrganizationForApiUser ( {
4041 orgParam : parsedParams . data . orgParam ,
4142 userId : authenticationResult . userId ,
@@ -45,6 +46,18 @@ export async function action({ request, params }: ActionFunctionArgs) {
4546 return json ( { error : "Organization not found" } , { status : 404 } ) ;
4647 }
4748
49+ // Rename/delete are Owner-only (via manage:all). Membership resolution above
50+ // is the OSS floor; this is the role gate enforced when the RBAC plugin runs.
51+ const denied = await authorizePatOrganizationAccess ( {
52+ request,
53+ organizationId : organization . id ,
54+ resource : "organization" ,
55+ action : "manage" ,
56+ } ) ;
57+ if ( denied ) {
58+ return denied ;
59+ }
60+
4861 if ( method === "DELETE" ) {
4962 try {
5063 await new DeleteOrganizationService ( ) . call ( {
0 commit comments