[server] make first user owner

Author: svenefftinge

components/server/package.json

@@ -7,10 +7,9 @@
     "start": "node ./dist/main.js",
     "start-inspect": "node --inspect=0.0.0.0:9229 ./dist/main.js",
     "generate": "leeway run components/spicedb:generate-ts > src/authorization/definitions.ts && npx prettier --write src/authorization/definitions.ts",
-    "build": "yarn generate && yarn lint && npx tsc",
+    "build": "yarn clean && yarn generate && yarn lint && npx tsc",
     "lint": "yarn eslint src/*.ts src/**/*.ts",
     "lint:fix": "yarn eslint src/*.ts src/**/*.ts --fix",
-    "build:clean": "yarn clean && yarn build",
     "rebuild": "yarn build:clean",
     "build:watch": "watch 'yarn build' .",
     "watch": "leeway exec --package .:app --transitive-dependencies --filter-type yarn --components --parallel -- yarn build -w --preserveWatchOutput",

components/server/src/orgs/organization-service.spec.db.ts

@@ -120,7 +120,10 @@ describe("OrganizationService", async () => {
         owner = previouslyMember;
 
         // owner can downgrade themselves only if they are not the last owner
-        await expectError(ErrorCodes.CONFLICT, os.addOrUpdateMember(owner.id, org.id, owner.id, "member"));
+        await os.addOrUpdateMember(owner.id, org.id, owner.id, "member");
+        // verify they are still an owner
+        const members = await os.listMembers(owner.id, org.id);
+        expect(members.some((m) => m.userId === owner.id && m.role === "owner")).to.be.true;
 
         // owner can delete themselves only if they are not the last owner
         await expectError(ErrorCodes.CONFLICT, os.removeOrganizationMember(owner.id, org.id, owner.id));

components/server/src/orgs/organization-service.ts

@@ -187,16 +187,16 @@ export class OrganizationService {
         if (userId) {
             await this.auth.checkPermissionOnOrganization(userId, "write_members", orgId);
         }
-        if (role !== "owner") {
-            const members = await this.teamDB.findMembersByTeam(orgId);
-            if (!members.some((m) => m.userId !== memberId && m.role === "owner")) {
-                throw new ApplicationError(ErrorCodes.CONFLICT, "Cannot remove the last owner of an organization.");
-            }
-        }
         const members = await this.teamDB.findMembersByTeam(orgId);
-        const firstMember = members.filter((m) => m.userId !== BUILTIN_INSTLLATION_ADMIN_USER_ID).length === 0;
-        if (firstMember) {
-            // first member (that is not an admin) is going to be an owner
+        const hasOtherRegularOwners =
+            members.filter(
+                (m) =>
+                    m.userId !== BUILTIN_INSTLLATION_ADMIN_USER_ID && //
+                    m.userId !== memberId && //
+                    m.role === "owner",
+            ).length > 0;
+        if (!hasOtherRegularOwners) {
+            // first regular member is going to be an owner
             role = "owner";
             log.info({ userId: memberId }, "First member of organization, setting role to owner.");
         }
@@ -208,12 +208,15 @@ export class OrganizationService {
                 await this.auth.addOrganizationRole(orgId, memberId, role);
             });
         } catch (err) {
-            //TODO simply removing the user is not necessarily the right thing to do here, as the user might have been a member before
-            await this.auth.removeOrganizationRole(orgId, memberId, "member");
+            await this.auth.removeOrganizationRole(
+                orgId,
+                memberId,
+                members.find((m) => m.userId === memberId)?.role || "member",
+            );
             throw err;
         }
-        // we can remove the built-in installation admin now
-        if (firstMember) {
+        // we can remove the built-in installation admin if we have added an owner
+        if (!hasOtherRegularOwners) {
             try {
                 await this.removeOrganizationMember(memberId, orgId, BUILTIN_INSTLLATION_ADMIN_USER_ID);
             } catch (error) {