fix(rbac): update ui having dropped org role

Author: jordan-umusu

frontend/src/app/invitations/accept/page.tsx

@@ -201,13 +201,13 @@ function AcceptInvitationContent() {
               <>
                 <strong>{invitation.inviter_name}</strong> has invited you to
                 join <strong>{invitation.organization_name}</strong> as a{" "}
-                <strong>{invitation.role}</strong>.
+                <strong>{invitation.role_name}</strong>.
               </>
             ) : (
               <>
                 You&apos;ve been invited to join{" "}
                 <strong>{invitation.organization_name}</strong> as a{" "}
-                <strong>{invitation.role}</strong>.
+                <strong>{invitation.role_name}</strong>.
               </>
             )}
           </CardDescription>
@@ -224,7 +224,7 @@ function AcceptInvitationContent() {
               <div className="flex justify-between">
                 <span className="text-muted-foreground">Role</span>
                 <span className="font-medium capitalize">
-                  {invitation.role}
+                  {invitation.role_name}
                 </span>
               </div>
               {invitation.inviter_email && (
@@ -320,12 +320,12 @@ function AcceptInvitationContent() {
           {invitation.inviter_name ? (
             <>
               <strong>{invitation.inviter_name}</strong> has invited you to join
-              this organization as a <strong>{invitation.role}</strong>.
+              this organization as a <strong>{invitation.role_name}</strong>.
             </>
           ) : (
             <>
               You&apos;ve been invited to join this organization as a{" "}
-              <strong>{invitation.role}</strong>.
+              <strong>{invitation.role_name}</strong>.
             </>
           )}
         </CardDescription>
@@ -341,7 +341,9 @@ function AcceptInvitationContent() {
             </div>
             <div className="flex justify-between">
               <span className="text-muted-foreground">Role</span>
-              <span className="font-medium capitalize">{invitation.role}</span>
+              <span className="font-medium capitalize">
+                {invitation.role_name}
+              </span>
             </div>
             {invitation.inviter_email && (
               <div className="flex justify-between">

frontend/src/components/organization/org-invitations-table.tsx

@@ -7,7 +7,6 @@ import { useForm } from "react-hook-form"
 import { z } from "zod"
 import {
   type OrgInvitationRead,
-  type OrgRole,
   organizationGetInvitationToken,
 } from "@/client"
 import {
@@ -68,7 +67,7 @@ import { useOrgInvitations } from "@/lib/hooks"
 
 const invitationFormSchema = z.object({
   email: z.string().email("Invalid email address"),
-  role: z.enum(["member", "admin", "owner"]),
+  role_slug: z.enum(["member", "admin", "owner"]),
 })
 
 type InvitationFormValues = z.infer<typeof invitationFormSchema>
@@ -85,15 +84,15 @@ export function OrgInvitationsTable() {
     resolver: zodResolver(invitationFormSchema),
     defaultValues: {
       email: "",
-      role: "member",
+      role_slug: "member",
     },
   })
 
   const handleCreateInvitation = async (values: InvitationFormValues) => {
     try {
       await createInvitation({
         email: values.email,
-        role: values.role as OrgRole,
+        role_slug: values.role_slug,
       })
       form.reset()
       setIsCreateDialogOpen(false)
@@ -176,7 +175,7 @@ export function OrgInvitationsTable() {
                   />
                   <FormField
                     control={form.control}
-                    name="role"
+                    name="role_slug"
                     render={({ field }) => (
                       <FormItem>
                         <FormLabel>Role</FormLabel>
@@ -249,7 +248,7 @@ export function OrgInvitationsTable() {
               enableHiding: false,
             },
             {
-              accessorKey: "role",
+              accessorKey: "role_name",
               header: ({ column }) => (
                 <DataTableColumnHeader
                   className="text-xs"
@@ -259,7 +258,7 @@ export function OrgInvitationsTable() {
               ),
               cell: ({ row }) => (
                 <div className="text-xs capitalize">
-                  {row.getValue<OrgInvitationRead["role"]>("role")}
+                  {row.getValue<OrgInvitationRead["role_name"]>("role_name")}
                 </div>
               ),
               enableSorting: true,

frontend/src/components/organization/org-members-table.tsx

@@ -59,7 +59,7 @@ export function OrgMembersTable() {
   const handleChangeRole = async (role: UserRole) => {
     try {
       if (selectedMember) {
-        if (selectedMember.role === role) {
+        if (selectedMember.role_slug === role) {
           toast({
             title: "Update skipped",
             description: `User ${selectedMember.email} is already a ${role} member`,
@@ -161,7 +161,7 @@ export function OrgMembersTable() {
               enableHiding: false,
             },
             {
-              accessorKey: "role",
+              accessorKey: "role_slug",
               header: ({ column }) => (
                 <DataTableColumnHeader
                   className="text-xs"
@@ -171,7 +171,7 @@ export function OrgMembersTable() {
               ),
               cell: ({ row }) => (
                 <div className="text-xs capitalize">
-                  {row.getValue<OrgMemberRead["role"]>("role")}
+                  {row.getValue<OrgMemberRead["role_slug"]>("role_slug") || "-"}
                 </div>
               ),
               enableSorting: true,

frontend/src/hooks/use-org-membership.ts

@@ -26,7 +26,7 @@ export function useOrgMembership() {
 
   // Check if user has org-level admin/owner role (not platform admin)
   const hasOrgAdminRole =
-    membership?.role === "admin" || membership?.role === "owner"
+    membership?.role_slug === "admin" || membership?.role_slug === "owner"
 
   // Check if user can administer the org (platform admin OR org admin/owner)
   const canAdministerOrg = user?.isPlatformAdmin() || hasOrgAdminRole

tracecat/auth/credentials.py

@@ -902,8 +902,6 @@ async def role_dependency_not_req_ws(
             )
 
         return Depends(role_dependency_not_req_ws)
-    else:
-        raise ValueError(f"Invalid require_workspace value: {require_workspace}")
 
 
 # --- Platform-level (Superuser) Authentication ---

tracecat/organization/router.py

@@ -15,6 +15,10 @@
     OrganizationInvitation,
     OrganizationMembership,
     User,
+    UserRoleAssignment,
+)
+from tracecat.db.models import (
+    Role as RoleModel,
 )
 from tracecat.exceptions import (
     TracecatAuthorizationError,
@@ -111,13 +115,26 @@ async def get_current_org_member(
             detail="No organization context",
         )
 
-    # Query user and membership directly (no admin access required)
+    # Query user, membership, and org-level role assignment
+    # We need to left join on UserRoleAssignment and Role to get the org-level role
     statement = (
-        select(User, OrganizationMembership.role)
+        select(User, RoleModel.id, RoleModel.slug)
         .join(
             OrganizationMembership,
             OrganizationMembership.user_id == User.id,  # pyright: ignore[reportArgumentType]
         )
+        .outerjoin(
+            UserRoleAssignment,
+            and_(
+                UserRoleAssignment.user_id == User.id,  # pyright: ignore[reportArgumentType]
+                UserRoleAssignment.organization_id == role.organization_id,  # pyright: ignore[reportArgumentType]
+                UserRoleAssignment.workspace_id.is_(None),  # Org-level assignment
+            ),
+        )
+        .outerjoin(
+            RoleModel,
+            RoleModel.id == UserRoleAssignment.role_id,
+        )
         .where(
             and_(
                 User.id == role.user_id,  # pyright: ignore[reportArgumentType]
@@ -129,13 +146,14 @@ async def get_current_org_member(
     row = result.tuples().one_or_none()
 
     if row is not None:
-        user, org_role = row
+        user, role_id, role_slug = row
         return OrgMemberRead(
             user_id=user.id,
             first_name=user.first_name,
             last_name=user.last_name,
             email=user.email,
-            role=org_role,
+            role_id=role_id,
+            role_slug=role_slug,
             is_active=user.is_active,
             is_superuser=user.is_superuser,
             is_verified=user.is_verified,
@@ -155,7 +173,8 @@ async def get_current_org_member(
                 first_name=user.first_name,
                 last_name=user.last_name,
                 email=user.email,
-                role=OrgRole.OWNER,  # Superusers have implicit owner role
+                role_id=None,
+                role_slug=OrgRole.OWNER,  # Superusers have implicit owner role
                 is_active=user.is_active,
                 is_superuser=user.is_superuser,
                 is_verified=user.is_verified,