From 270d359e6a7be36e62f5d95211912815e405ee3e Mon Sep 17 00:00:00 2001
From: shreddedbacon <b@benjackson.email>
Date: Wed, 6 Sep 2023 18:51:33 +1000
Subject: [PATCH 1/2] chore: fix the viewuser permission

---
 services/api/src/resources/organization/resolvers.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/services/api/src/resources/organization/resolvers.ts b/services/api/src/resources/organization/resolvers.ts
index 24945bd2d0..7d1401dcb9 100644
--- a/services/api/src/resources/organization/resolvers.ts
+++ b/services/api/src/resources/organization/resolvers.ts
@@ -385,7 +385,9 @@ export const getUserByEmailAndOrganizationId: ResolverFn = async (
   { email, organization},
   { sqlClientPool, models, hasPermission },
 ) => {
-  await hasPermission('organization', 'viewUser', organization);
+  await hasPermission('organization', 'viewUser', {
+    organization: organization
+  });
 
   try {
     const user = await models.UserModel.loadUserByUsername(email);

From a66cc2ea9e5e89100b4c88364a26f2bc7cdf613d Mon Sep 17 00:00:00 2001
From: shreddedbacon <b@benjackson.email>
Date: Wed, 6 Sep 2023 18:56:07 +1000
Subject: [PATCH 2/2] fix: addowner addviewer permission check fix

---
 services/api/src/resources/user/resolvers.ts | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/services/api/src/resources/user/resolvers.ts b/services/api/src/resources/user/resolvers.ts
index 562402933a..2f4d42cb7e 100644
--- a/services/api/src/resources/user/resolvers.ts
+++ b/services/api/src/resources/user/resolvers.ts
@@ -233,9 +233,15 @@ export const addUserToOrganization: ResolverFn = async (
     owner: false,
   }
   if (owner) {
+    await hasPermission('organization', 'addOwner', {
+      organization: organization
+    });
     updateUser.owner = true
+  } else {
+    await hasPermission('organization', 'addViewer', {
+      organization: organization
+    });
   }
-  await hasPermission('organization', 'addViewer')
   await models.UserModel.updateUser(updateUser);
 
   userActivityLogger(`User added a user to organization '${organizationData.name}'`, {
@@ -272,7 +278,9 @@ export const removeUserFromOrganization: ResolverFn = async (
     username: R.prop('email', userInput),
   });
 
-  await hasPermission('organization', 'addOwner');
+  await hasPermission('organization', 'addOwner', {
+    organization: organization
+  });
 
   await models.UserModel.updateUser({
     id: user.id,