Teams & Organizations

User Management

Manage users and their roles in your team.

User management in Supersaas operates within the scope of individual teams. Users can be members of multiple teams, potentially with different roles in each.

Roles

Supersaas defines standard roles within a team:

Owner

  • Typically the creator of the team.
  • Has all permissions, including managing billing (if implemented), updating team settings, managing members (inviting, removing and, implicitly, changing roles; role changes are not shown explicitly in the codebase), and deleting the team.
  • There is only one owner per team (teams.ownerId). The teamMembers table also stores a role, which should be 'owner' for the user matching ownerId.
  • Owner-specific routes/actions are protected by checks like isTeamOwner in the frontend (App/Sidebar/Team.vue) and backend middleware/route handlers (app/middleware/team-owner.ts, server/utils/teamValidation.ts).

Admin

  • Can manage team members (invite, remove, potentially change roles).
  • Can manage other team settings (depending on your application's specific features).
  • Cannot delete the team.

Supersaas currently focuses heavily on the Owner role. You may need to implement specific checks and permissions for the Admin role.

Member

  • Standard user role with access to the team's resources based on the application's features.
  • Cannot manage settings or members.
  • Cannot delete the team.
  • Cannot access or manage billing.

Roles are defined in shared/validations/team.ts (UserRole enum) and stored in the role column of the teamMembers table (server/database/schema/teams.ts).
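As an added example (not Supersaas's own code), the following TypeScript shows one way to turn the three roles above into a deny-by-default permission model, and to enforce the page's invariant that teams.ownerId and the teamMembers.role column agree. The action names and the helpers can, effectiveRole, authorize and parseAssignableRole are assumptions for illustration; the project's real UserRole enum lives in shared/validations/team.ts.

```typescript
// Added example (not Supersaas's own code): deny-by-default permission model
// for the Owner/Admin/Member roles. Action names and helper names are
// assumptions for illustration.

export type UserRole = "owner" | "admin" | "member";
const USER_ROLES: readonly UserRole[] = ["owner", "admin", "member"];

export type TeamAction =
  | "team:read" | "members:read" | "members:invite" | "members:remove"
  | "members:changeRole" | "settings:update" | "billing:manage" | "team:delete";

// Explicit allow-list per role; any (role, action) pair not listed is denied.
const ALLOWED: Record<UserRole, ReadonlySet<TeamAction>> = {
  owner: new Set<TeamAction>([
    "team:read", "members:read", "members:invite", "members:remove",
    "members:changeRole", "settings:update", "billing:manage", "team:delete",
  ]),
  admin: new Set<TeamAction>([
    "team:read", "members:read", "members:invite", "members:remove",
    "members:changeRole", "settings:update",
  ]),
  member: new Set<TeamAction>(["team:read", "members:read"]),
};

export function can(role: UserRole, action: TeamAction): boolean {
  return ALLOWED[role]?.has(action) ?? false;
}

export interface Team { id: number; ownerId: number }
export interface TeamMember { teamId: number; userId: number; role: UserRole }

// teams.ownerId and teamMembers.role must agree. Derive the role from both
// server-side and refuse to continue on a mismatch instead of trusting either
// value alone (or anything the client sent).
export function effectiveRole(team: Team, membership: TeamMember | undefined): UserRole | null {
  if (!membership || membership.teamId !== team.id) return null; // not a member of this team
  const ownerById = membership.userId === team.ownerId;
  const ownerByRole = membership.role === "owner";
  if (ownerById !== ownerByRole) {
    throw new Error(`ownerId/role mismatch for user ${membership.userId} in team ${team.id}`);
  }
  return membership.role;
}

// Single entry point for route handlers: resolve the role, then consult the matrix.
export function authorize(team: Team, membership: TeamMember | undefined, action: TeamAction): boolean {
  const role = effectiveRole(team, membership);
  return role !== null && can(role, action);
}

// Validates a role supplied in an invite payload (the page notes UserRole is
// used in inviteTeamMemberSchema). "owner" is never assignable through an
// invite because a team has exactly one owner.
export function parseAssignableRole(input: unknown): Exclude<UserRole, "owner"> {
  if (typeof input !== "string" || !USER_ROLES.includes(input as UserRole) || input === "owner") {
    throw new Error("invalid role");
  }
  return input as Exclude<UserRole, "owner">;
}
```

Keeping the matrix as allow-lists means a newly added action is denied to every role until it is listed, which is the safer failure mode when features are added to the Admin role later.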

Viewing Members

  • UI: Active team members are listed in the App/TeamMembers.vue component, typically accessed via a "Workspace Members" link in the settings section of the sidebar (visible to owners).
  • Data: The component fetches data from the GET /api/teams/:id/members endpoint.
  • Backend Query: This endpoint uses the getActiveTeamMembers query (server/database/queries/teams.ts), which joins teamMembers and users tables to retrieve member details including name, email, avatar, role, and join date.
  • Information Displayed: Name (with avatar), Email, Role (as a badge), Last Login, Date Joined.

Adding Members

  • New members are added to a team exclusively through the Invitation Flow (See Page 3).

Removing Members

  • UI: Team owners (and potentially Admins) can remove members using the dropdown menu associated with each member in the App/TeamMembers.vue list.
  • Process:
    1. Selecting "Remove from team" triggers the useTeam().removeTeamMember(memberId) function.
    2. This function calls the DELETE /api/teams/:teamId/members/:memberId endpoint.
    3. The backend API route executes the deleteTeamMember query (server/database/queries/teams.ts), which removes the corresponding record from the teamMembers table.
  • Restrictions:
    • Users cannot normally remove themselves.
    • Owners typically cannot be removed directly (the team might need to be transferred or deleted). You may need to add specific logic for this.
    • Only Owners (and potentially Admins) should have access to the API endpoint and UI elements for removal. Access control should be enforced in the API route.

Access Control

  • Route Middleware: The app/middleware/team-owner.ts middleware protects entire pages/routes, ensuring only team owners can access them (e.g., settings pages). It checks if the logged-in user is the owner of the team specified by the route slug.
  • Backend Validation: The server/utils/teamValidation.ts utility provides the validateTeamOwnership function. This is crucial for protecting specific API endpoints (like team deletion or critical settings updates) by verifying the requesting user is the owner of the target team. You should use this or similar validation logic in your sensitive API routes.

Relevant Files

  • Components: App/TeamMembers.vue
  • Composables: app/composables/useTeam.ts
  • API Routes: GET /api/teams/:id/members (implementing getActiveTeamMembers), DELETE /api/teams/:id/members/:memberId (implementing deleteTeamMember)
  • Database: server/database/schema/teams.ts (defines teamMembers), server/database/queries/teams.ts (contains getActiveTeamMembers, deleteTeamMember)
  • Middleware: app/middleware/team-owner.ts
  • Validation: server/utils/teamValidation.ts
  • Constants/Enums: shared/validations/team.ts (contains UserRole enum, used in inviteTeamMemberSchema)