From 61cf426615a4aa095b150362526aa52f2d1ea115 Mon Sep 17 00:00:00 2001
From: Mauricio Siu <47042324+Siumauricio@users.noreply.github.com>
Date: Sun, 22 Jun 2025 23:56:13 -0600
Subject: [PATCH] feat(user-access): implement access control for user
 information retrieval

- Added checks to deny access if the user is not found in the organization.
- Implemented authorization logic to allow access only for users requesting their own information or users with owner role in the same organization.
---
 apps/dokploy/server/api/routers/user.ts | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/apps/dokploy/server/api/routers/user.ts b/apps/dokploy/server/api/routers/user.ts
index b2277399..3ac91dc0 100644
--- a/apps/dokploy/server/api/routers/user.ts
+++ b/apps/dokploy/server/api/routers/user.ts
@@ -75,6 +75,24 @@ export const userRouter = createTRPCRouter({
 				},
 			});
 
+			// If user not found in the organization, deny access
+			if (!memberResult) {
+				throw new TRPCError({
+					code: "NOT_FOUND",
+					message: "User not found in this organization",
+				});
+			}
+
+			// Allow access if:
+			// 1. User is requesting their own information
+			// 2. User has owner role (admin permissions) AND user is in the same organization
+			if (memberResult.userId !== ctx.user.id && ctx.user.role !== "owner") {
+				throw new TRPCError({
+					code: "UNAUTHORIZED",
+					message: "You are not authorized to access this user",
+				});
+			}
+
 			return memberResult;
 		}),
 	get: protectedProcedure.query(async ({ ctx }) => {