[server] Deny "joinOrganization" for org-owned users

geropl · geropl · commit 2fa6e93e818e · 2024-12-09T10:19:31.000Z
diff --git a/components/server/src/orgs/organization-service.ts b/components/server/src/orgs/organization-service.ts
@@ -269,6 +269,19 @@ export class OrganizationService {
     }
 
     public async joinOrganization(userId: string, inviteId: string): Promise<string> {
+        const user = await this.userDB.findUserById(userId);
+        if (!user) {
+            throw new ApplicationError(ErrorCodes.INTERNAL_SERVER_ERROR, `User ${userId} not found`);
+        }
+
+        const mayJoinOrganization = await this.userAuthentication.mayJoinOrganization(user);
+        if (!mayJoinOrganization) {
+            throw new ApplicationError(
+                ErrorCodes.PERMISSION_DENIED,
+                "Organizational accounts are not allowed to join other organizations",
+            );
+        }
+
         // Invites can be used by anyone, as long as they know the invite ID, hence needs no resource guard
         const invite = await this.teamDB.findTeamMembershipInviteById(inviteId);
         if (!invite || invite.invalidationTime !== "") {
@@ -277,10 +290,6 @@ export class OrganizationService {
         if (await this.teamDB.hasActiveSSO(invite.teamId)) {
             throw new ApplicationError(ErrorCodes.NOT_FOUND, "Invites are disabled for SSO-enabled organizations.");
         }
-        const user = await this.userDB.findUserById(userId);
-        if (!user) {
-            throw new ApplicationError(ErrorCodes.INTERNAL_SERVER_ERROR, `User ${userId} not found`);
-        }
 
         // set skipRoleUpdate=true to avoid member/owner click join link again cause role change
         await runWithSubjectId(SYSTEM_USER, () =>
diff --git a/components/server/src/workspace/gitpod-server-impl.ts b/components/server/src/workspace/gitpod-server-impl.ts
@@ -1446,14 +1446,6 @@ export class GitpodServerImpl implements GitpodServerWithTracing, Disposable {
 
         const user = await this.checkAndBlockUser("joinTeam");
 
-        const mayCreateOrganization = await this.userAuthentication.mayJoinOrganization(user);
-        if (!mayCreateOrganization) {
-            throw new ApplicationError(
-                ErrorCodes.PERMISSION_DENIED,
-                "Organizational accounts are not allowed to join other organizations",
-            );
-        }
-
         const orgId = await this.organizationService.joinOrganization(user.id, inviteId);
         const org = await this.getTeam(ctx, orgId);
         if (org !== undefined) {
