From 06230ad2e9ea7c988a3a8b4f6a9da2154bfa71df Mon Sep 17 00:00:00 2001
From: Francis Cao
Date: Tue, 21 Oct 2025 15:35:17 -0700
Subject: [PATCH] clean up teams api messaging and permissions

---
 src/app/api/teams/[teamId]/route.ts | 4 ++--
 src/app/api/teams/[teamId]/users/[userId]/route.ts | 6 +++---
 src/app/api/teams/[teamId]/users/route.ts | 14 +++++++-------
 src/permissions/team.ts | 4 ----
 4 files changed, 12 insertions(+), 16 deletions(-)

diff --git a/src/app/api/teams/[teamId]/route.ts b/src/app/api/teams/[teamId]/route.ts
index c2a9416d..de3e3143 100644
--- a/src/app/api/teams/[teamId]/route.ts
+++ b/src/app/api/teams/[teamId]/route.ts
@@ -41,7 +41,7 @@ export async function POST(request: Request, { params }: { params: Promise<{ tea
   const { teamId } = await params;
 
   if (!(await canUpdateTeam(auth, teamId))) {
-    return unauthorized({ message: 'You must be the owner of this team.' });
+    return unauthorized({ message: 'You must be the owner/manager of this team.' });
   }
 
   const team = await updateTeam(teamId, body);
@@ -62,7 +62,7 @@ export async function DELETE(
   const { teamId } = await params;
 
   if (!(await canDeleteTeam(auth, teamId))) {
-    return unauthorized({ message: 'You must be the owner of this team.' });
+    return unauthorized({ message: 'You must be the owner/manager of this team.' });
   }
 
   await deleteTeam(teamId);
diff --git a/src/app/api/teams/[teamId]/users/[userId]/route.ts b/src/app/api/teams/[teamId]/users/[userId]/route.ts
index 2ed2f059..10bbb37a 100644
--- a/src/app/api/teams/[teamId]/users/[userId]/route.ts
+++ b/src/app/api/teams/[teamId]/users/[userId]/route.ts
@@ -17,7 +17,7 @@ export async function GET(
   const { teamId, userId } = await params;
 
   if (!(await canUpdateTeam(auth, teamId))) {
-    return unauthorized({ message: 'You must be the owner of this team.' });
+    return unauthorized({ message: 'You must be the owner/manager of this team.' });
   }
 
   const teamUser = await getTeamUser(teamId, userId);
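Review bot: The new message on the `+` line hard-codes "owner/manager" as a description of what canUpdateTeam permits, and the same literal is now repeated verbatim in this hunk, hunk -62 below, hunk -17 of users/[userId]/route.ts, hunks -42 and -69 of that file and hunk -65 of users/route.ts; if the permission matrix in permissions/team.ts changes, six copies drift silently. A single exported constant next to the permission helpers, e.g. `export const TEAM_MANAGE_MESSAGE = 'You must be the owner/manager of this team.';` (constructed name), returned from each handler would keep the wording and the check in one place. Separately, if `unauthorized` maps to HTTP 401, an authenticated caller who merely lacks team permission is more accurately a 403, though the helper's body is not on the page. The enclosing POST body continues outside the hunk.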
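Review bot: The GET handler in users/[userId]/route.ts is gated by canUpdateTeam, so after this hunk a plain team member reading one member record is told they must be the owner/manager, while the list endpoint in users/route.ts (hunk -20 there) only requires canViewTeam. If a read should not need write permission, `if (!(await canViewTeam(auth, teamId))) {` with the member message from that hunk is the consistent check; if the stricter gate is deliberate, a one-line comment above the check explaining why reading a single member needs update permission would stop the next reader from "fixing" it. GET's body continues outside the hunk.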
@@ -42,7 +42,7 @@ export async function POST(
   const { teamId, userId } = await params;
 
   if (!(await canUpdateTeam(auth, teamId))) {
-    return unauthorized({ message: 'You must be the owner of this team.' });
+    return unauthorized({ message: 'You must be the owner/manager of this team.' });
   }
 
   const teamUser = await getTeamUser(teamId, userId);
@@ -69,7 +69,7 @@ export async function DELETE(
   const { teamId, userId } = await params;
 
   if (!(await canDeleteTeamUser(auth, teamId, userId))) {
-    return unauthorized({ message: 'You must be the owner of this team.' });
+    return unauthorized({ message: 'You must be the owner/manager of this team.' });
   }
 
   const teamUser = await getTeamUser(teamId, userId);
diff --git a/src/app/api/teams/[teamId]/users/route.ts b/src/app/api/teams/[teamId]/users/route.ts
index 500ad0c5..6f97ac29 100644
--- a/src/app/api/teams/[teamId]/users/route.ts
+++ b/src/app/api/teams/[teamId]/users/route.ts
@@ -1,9 +1,9 @@
-import { z } from 'zod';
-import { unauthorized, json, badRequest } from '@/lib/response';
-import { canAddUserToTeam, canViewTeam } from '@/permissions';
 import { getQueryFilters, parseRequest } from '@/lib/request';
-import { pagingParams, teamRoleParam, searchParams } from '@/lib/schema';
+import { badRequest, json, unauthorized } from '@/lib/response';
+import { pagingParams, searchParams, teamRoleParam } from '@/lib/schema';
+import { canUpdateTeam, canViewTeam } from '@/permissions';
 import { createTeamUser, getTeamUser, getTeamUsers } from '@/queries/prisma';
+import { z } from 'zod';
 
 export async function GET(request: Request, { params }: { params: Promise<{ teamId: string }> }) {
   const schema = z.object({
@@ -20,7 +20,7 @@ export async function GET(request: Request, { params }: { params: Promise<{ team
   const { teamId } = await params;
 
   if (!(await canViewTeam(auth, teamId))) {
-    return unauthorized({ message: 'You must be the owner of this team.' });
+    return unauthorized({ message: 'You must be a member of this team.' });
   }
 
   const filters = await getQueryFilters(query);
@@ -65,8 +65,8 @@ export async function POST(request: Request, { params }: { params: Promise<{ tea
 
   const { teamId } = await params;
 
-  if (!(await canAddUserToTeam(auth))) {
-    return unauthorized();
+  if (!(await canUpdateTeam(auth, teamId))) {
+    return unauthorized({ message: 'You must be the owner/manager of this team.' });
   }
 
   const { userId, role } = body;
diff --git a/src/permissions/team.ts b/src/permissions/team.ts
index a585de07..a62eff2e 100644
--- a/src/permissions/team.ts
+++ b/src/permissions/team.ts
@@ -39,10 +39,6 @@ export async function canDeleteTeam({ user }: Auth, teamId: string) {
   return teamUser && hasPermission(teamUser.role, PERMISSIONS.teamDelete);
 }
 
-export async function canAddUserToTeam({ user }: Auth) {
-  return user.isAdmin;
-}
-
 export async function canDeleteTeamUser({ user }: Auth, teamId: string, removeUserId: string) {
   if (user.isAdmin) {
     return true;
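Review bot: In hunk -65 of users/route.ts, replacing the global-admin check with canUpdateTeam lets any team owner/manager add members, but the `role` destructured from `body` on the last context line is never compared with the caller's own role, so a manager could grant a role at or above their own (including owner) unless canUpdateTeam or teamRoleParam already rules that out, and neither is visible here. A guard after the permission check, e.g. `if (role === <OWNER_ROLE_VALUE> && !(await canDeleteTeam(auth, teamId))) return unauthorized({ message: 'Only the team owner can assign the owner role.' });` (placeholder for the project's owner role value), keeps escalation out of a manager's reach; canDeleteTeam is the closest existing helper, but whether it is owner-only is not on the page. It is also worth confirming that the target userId is checked for existence and for existing membership before createTeamUser, since non-admins can now submit arbitrary user ids. POST's body continues outside the hunk.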