diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index c900d64b6..baff5512e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -27,7 +27,7 @@ jobs:
 SMTP_MESSAGE_MAX_SIZE: ${{ secrets.SMTP_MESSAGE_MAX_SIZE }}
 DKIM_PRIVATE_KEY_VALUE: ${{ secrets.DKIM_PRIVATE_KEY_VALUE }}
 AXE_SILENT: ${{ secrets.AXE_SILENT }}
- AXE_SHOW_META: ${{ secrets.AXE_SILENT }}
+ AXE_SHOW_META: ${{ secrets.AXE_SHOW_META }}
 AXE_SHOW_STACK: ${{ secrets.AXE_SHOW_STACK }}
 TXT_ENCRYPTION_KEY: ${{ secrets.TXT_ENCRYPTION_KEY }}
 HELPER_ENCRYPTION_KEY: ${{ secrets.HELPER_ENCRYPTION_KEY }}
diff --git a/app/controllers/api/v1/enforce-paid-plan.js b/app/controllers/api/v1/enforce-paid-plan.js
index c23404b2c..d13c60fd8 100644
--- a/app/controllers/api/v1/enforce-paid-plan.js
+++ b/app/controllers/api/v1/enforce-paid-plan.js
@@ -9,6 +9,10 @@ async function enforcePaidPlan(ctx, next) {
 if (!ctx.isAuthenticated())
 return ctx.throw(Boom.unauthorized(ctx.translateError('LOGIN_REQUIRED')));
 
+ // if the user is a member of a team plan and in the admin group, continue
+ if (ctx.state?.domain?.group === 'admin' && ctx.state?.domain?.plan === 'team')
+ return next();
+
 if (ctx.state.user.plan === 'free')
 return ctx.throw(
 Boom.paymentRequired(
diff --git a/app/controllers/web/my-account/ensure-upgraded-plan.js b/app/controllers/web/my-account/ensure-upgraded-plan.js
index 827670637..43413359f 100644
--- a/app/controllers/web/my-account/ensure-upgraded-plan.js
+++ b/app/controllers/web/my-account/ensure-upgraded-plan.js
@@ -15,7 +15,11 @@ function ensureUpgradedPlan(ctx, next) {
 )
 return next();
 
- if (!ctx.state.domain && ctx.state.user.plan !== 'free') return next();
+ if (
+ (!ctx.state.domain && ctx.state.user.plan !== 'free') ||
+ ctx.state?.domain?.plan === 'team'
+ )
+ return next();
 
 const redirectTo = ctx.state.domain
 ? ctx.state.l(
diff --git a/routes/api/v1/index.js b/routes/api/v1/index.js
index b57508934..1e4e7e0b5 100644
--- a/routes/api/v1/index.js
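Review bot: The new early return in enforcePaidPlan grants API access on the strength of `ctx.state.domain.group` and `ctx.state.domain.plan`, so it is only as trustworthy as whatever populated `ctx.state.domain`; from the route changes in this same commit that appears to be `web.myAccount.retrieveDomain`, which now precedes `enforcePaidPlan` on every route it was moved to, and the middleware should state that dependency: `// relies on retrieveDomain having set ctx.state.domain (incl. .group for the requesting user) upstream`. The added comment also describes the check loosely, since it is the domain's plan that is tested, not the user's; `// a domain admin on a team-plan domain may continue regardless of their own plan` matches the condition. The `group === 'admin'` clause is narrower than the sibling change in ensure-upgraded-plan.js, which lets any member of a team-plan domain through, so confirm that non-admin members of team domains are meant to receive the payment-required error from the API. Minor style, in both files: `ctx.state?.domain` hedges `ctx.state`, which the surrounding lines already dereference unguarded as `ctx.state.user`; `ctx.state.domain?.group` says what is actually optional.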
+++ b/routes/api/v1/index.js
@@ -168,7 +168,6 @@ router
 policies.ensureApiToken,
 policies.checkVerifiedEmail,
 web.myAccount.ensureNotBanned,
- api.v1.enforcePaidPlan,
 web.myAccount.ensurePaidToDate,
 (ctx, next) => {
 //
@@ -200,23 +199,27 @@ router
 '/domains',
 web.myAccount.validateDomain,
 rateLimit(50, 'create domain'),
+ api.v1.enforcePaidPlan,
 web.myAccount.createDomain,
 api.v1.domains.retrieve
 )
 .get(
 '/domains/:domain_id',
 web.myAccount.retrieveDomain,
+ api.v1.enforcePaidPlan,
 api.v1.domains.retrieve
 )
 .get(
 '/domains/:domain_id/verify-records',
 web.myAccount.retrieveDomain,
+ api.v1.enforcePaidPlan,
 web.myAccount.verifyRecords
 )
 .put(
 '/domains/:domain_id',
 web.myAccount.retrieveDomain,
 web.myAccount.ensureDomainAdmin,
+ api.v1.enforcePaidPlan,
 web.myAccount.ensureUpgradedPlan,
 web.myAccount.updateDomain,
 web.myAccount.retrieveDomains,
@@ -226,6 +229,7 @@ router
 '/domains/:domain_id',
 web.myAccount.retrieveDomain,
 web.myAccount.ensureDomainAdmin,
+ api.v1.enforcePaidPlan,
 web.myAccount.removeDomain,
 web.myAccount.retrieveDomains,
 api.v1.domains.retrieve
@@ -238,6 +242,7 @@ router
 web.myAccount.retrieveDomain,
 web.myAccount.ensureDomainAdmin,
 web.myAccount.ensureTeamPlan,
+ api.v1.enforcePaidPlan,
 web.myAccount.ensureUpgradedPlan,
 rateLimit(10, 'create invite'),
 web.myAccount.createInvite,
@@ -250,6 +255,7 @@ router
 web.myAccount.retrieveDomain,
 web.myAccount.ensureDomainAdmin,
 web.myAccount.ensureTeamPlan,
+ api.v1.enforcePaidPlan,
 web.myAccount.ensureUpgradedPlan,
 web.myAccount.removeInvite,
 web.myAccount.retrieveDomains,
@@ -264,6 +270,7 @@ router
 web.myAccount.ensureDomainAdmin,
 web.myAccount.ensureTeamPlan,
 web.myAccount.ensureUpgradedPlan,
+ api.v1.enforcePaidPlan,
 web.myAccount.retrieveAliases,
 web.myAccount.updateMember,
 web.myAccount.retrieveDomains,
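Review bot: Dropping `api.v1.enforcePaidPlan` from the shared middleware chain in the @@ -168 hunk turns a default-deny gate into an opt-in one: every route under this router that the commit does not touch is now reachable without the paid-plan check, and the diff only re-adds it on the domain, invite and member routes shown. Before merging, enumerate the router's remaining routes (a domains listing or alias endpoints, if any exist) and confirm each either carries `api.v1.enforcePaidPlan` in its chain or is intended for free accounts; a test that exercises each API route as a free-plan user would keep this from regressing silently. The per-route placement is presumably required so the new team-admin bypass inside enforcePaidPlan can see `ctx.state.domain` from `retrieveDomain`, which deserves a one-line comment where the shared chain is defined, e.g. `// enforcePaidPlan is applied per-route below so it runs after retrieveDomain`. The shared chain (presumably a `router.use`) and its `(ctx, next) => {` handler continue outside the hunk.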
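Review bot: In the @@ -264 hunk and the @@ -276 hunk `api.v1.enforcePaidPlan` is inserted after `web.myAccount.ensureUpgradedPlan`, whereas the put in @@ -200 and the @@ -238 and @@ -250 hunks insert it before `ensureUpgradedPlan`; both middlewares run either way, but on the two member routes an unpaid caller may now get ensureUpgradedPlan's redirect-style response instead of the payment-required error the other routes return first. Moving the line one position up in both member routes, `web.myAccount.ensureTeamPlan,` / `api.v1.enforcePaidPlan,` / `web.myAccount.ensureUpgradedPlan,`, keeps the ordering uniform across the router.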
@@ -276,6 +283,7 @@ router
 web.myAccount.ensureDomainAdmin,
 web.myAccount.ensureTeamPlan,
 web.myAccount.ensureUpgradedPlan,
+ api.v1.enforcePaidPlan,
 web.myAccount.retrieveAliases,
 web.myAccount.removeMember,
 web.myAccount.retrieveDomains,