org settings: enable owner-only delete + export UI and add member self-deactivation; harden owner-only checks on org delete/settings/export

- Owner-only: enforce on DELETE /api/org/delete, PUT /api/org/settings, GET /api/org/export\n- UI: Enable Delete organization (owners) and Export as JSON (owners) on /org/settings\n- UI: Add 'Delete my account' for non-owner members, calls DELETE /api/user/deactivate and signs out\n- Misc: loading/disabled states and confirmations

Author: mxy680

app/api/org/delete/route.ts

@@ -10,15 +10,13 @@ export async function DELETE() {
     const session = await getServerSession(authOptions)
     if (!session?.user?.id) return NextResponse.json({ error: "Unauthorized" }, { status: 401 })
 
-    // Resolve org via same logic as org/settings
-    const user = await prisma.user.findUnique({ where: { id: session.user.id }, select: { email: true, id: true } })
+    // Resolve org by email and enforce OWNER-only (email or contactEmail match)
+    const user = await prisma.user.findUnique({ where: { id: session.user.id }, select: { email: true } })
     if (!user?.email) return NextResponse.json({ error: "Organization not found" }, { status: 404 })
-    const org = await prisma.organization.findFirst({ where: { email: user.email }, select: { id: true } })
+    const org = await prisma.organization.findFirst({ where: { OR: [{ email: user.email }, { contactEmail: user.email }] }, select: { id: true, email: true, contactEmail: true } })
     if (!org?.id) return NextResponse.json({ error: "Organization not found" }, { status: 404 })
-
-    // Ensure requester is a member (avoids delete via just email match)
-    const member = await prisma.organizationMember.findFirst({ where: { organizationId: org.id, userId: session.user.id } })
-    if (!member) return NextResponse.json({ error: "Forbidden" }, { status: 403 })
+    const isOwner = org.email === user.email || org.contactEmail === user.email
+    if (!isOwner) return NextResponse.json({ error: "Forbidden" }, { status: 403 })
 
     await prisma.organization.delete({ where: { id: org.id } })
     return NextResponse.json({ ok: true })

app/api/org/export/route.ts

@@ -25,13 +25,11 @@ export async function GET(req: NextRequest) {
     const type = searchParams.get("type") as "signups" | "volunteers" | "messages" | "account" | null
     if (!type) return NextResponse.json({ error: "Missing type" }, { status: 400 })
 
-    // Resolve org by current user's email (same as org/settings), then ensure requester is a member
-    const user = await prisma.user.findUnique({ where: { id: session.user.id }, select: { email: true, id: true } })
+    // Owner-only: resolve org by matching user's email to org.email or org.contactEmail
+    const user = await prisma.user.findUnique({ where: { id: session.user.id }, select: { email: true } })
     if (!user?.email) return NextResponse.json({ error: "Organization not found" }, { status: 404 })
-    const org = await prisma.organization.findFirst({ where: { email: user.email }, select: { id: true } })
-    if (!org?.id) return NextResponse.json({ error: "Organization not found" }, { status: 404 })
-    const member = await prisma.organizationMember.findFirst({ where: { organizationId: org.id, userId: session.user.id } })
-    if (!member) return NextResponse.json({ error: "Forbidden" }, { status: 403 })
+    const org = await prisma.organization.findFirst({ where: { OR: [{ email: user.email }, { contactEmail: user.email }] }, select: { id: true } })
+    if (!org?.id) return NextResponse.json({ error: "Forbidden" }, { status: 403 })
 
     let csv = ""
     let filename = "export.csv"

app/api/org/settings/route.ts

@@ -64,18 +64,12 @@ export async function PUT(req: Request) {
   const defaultVolunteersNeeded = body?.defaultVolunteersNeeded as number | undefined
   if (!name) return NextResponse.json({ error: "Missing name" }, { status: 400 })
 
-  // Resolve organization by membership first; fallback to email heuristic
-  let orgIdResolved: string | null = null
-  const member = await prisma.organizationMember.findFirst({ where: { userId: session.user.id }, select: { organizationId: true } })
-  if (member?.organizationId) orgIdResolved = member.organizationId
-  if (!orgIdResolved) {
-    const user = await prisma.user.findUnique({ where: { id: session.user.id }, select: { email: true } })
-    if (user?.email) {
-      const org = await prisma.organization.findFirst({ where: { email: user.email }, select: { id: true } })
-      orgIdResolved = org?.id ?? null
-    }
-  }
-  if (!orgIdResolved) return NextResponse.json({ error: "Organization not found" }, { status: 404 })
+  // Owner-only: resolve org by matching user's email to org.email or org.contactEmail
+  const user = await prisma.user.findUnique({ where: { id: session.user.id }, select: { email: true } })
+  if (!user?.email) return NextResponse.json({ error: "Organization not found" }, { status: 404 })
+  const ownerOrg = await prisma.organization.findFirst({ where: { OR: [{ email: user.email }, { contactEmail: user.email }] }, select: { id: true } })
+  const orgIdResolved = ownerOrg?.id ?? null
+  if (!orgIdResolved) return NextResponse.json({ error: "Forbidden" }, { status: 403 })
 
   const updated = await prisma.organization.update({
     where: { id: orgIdResolved },

app/org/settings/page.tsx

@@ -1,6 +1,7 @@
 "use client"
 
 import * as React from "react"
+import { signOut } from "next-auth/react"
 import { Button } from "@/components/ui/button"
 import { Card, CardContent } from "@/components/ui/card"
 import { Input } from "@/components/ui/input"
@@ -15,6 +16,7 @@ export default function Page() {
   const [saving, setSaving] = React.useState(false)
   const [orgId, setOrgId] = React.useState<string | null>(null)
   const [orgEmail, setOrgEmail] = React.useState<string>("")
+  const [orgContactEmail, setOrgContactEmail] = React.useState<string>("")
   const [userEmail, setUserEmail] = React.useState<string>("")
   const [members, setMembers] = React.useState<Array<{ id: string; user: { id: string; name: string | null; email: string; image: string | null } }>>([])
   const [pending, setPending] = React.useState<Array<{ id: string; message: string | null; createdAt: string; user: { id: string; name: string | null; email: string; image: string | null } }>>([])
@@ -42,6 +44,7 @@ export default function Page() {
   const [defaultLocation, setDefaultLocation] = React.useState<string>("")
   const [defaultHours, setDefaultHours] = React.useState<number | undefined>(2)
   const [defaultVolunteers, setDefaultVolunteers] = React.useState<number | undefined>(10)
+  const [deleting, setDeleting] = React.useState(false)
 
   // Simple option lists; can be expanded
   const timezones = React.useMemo(() => {
@@ -71,6 +74,7 @@ export default function Page() {
         setOrgName(json?.name ?? "")
         if (json?.id) setOrgId(json.id as string)
         setOrgEmail((json?.email as string) || "")
+        setOrgContactEmail((json?.contactEmail as string) || "")
         setUserEmail((json?.userEmail as string) || "")
         // baseUrl no longer used
         setTimezone((prev) => (json?.timezone as string) || prev)
@@ -351,12 +355,33 @@ export default function Page() {
               <p className="text-sm text-muted-foreground">Export a full JSON snapshot of your data.</p>
             </div>
             <div className="shrink-0">
-              <Button
-                className="bg-orange-500 text-white hover:bg-orange-600 disabled:opacity-50 disabled:pointer-events-none"
-                disabled
-              >
-                Export as JSON
-              </Button>
+              {(() => {
+                const isOwner = Boolean(userEmail) && (userEmail === orgEmail || (!!orgContactEmail && userEmail === orgContactEmail))
+                const disabled = loading || saving || !isOwner
+                return (
+                <Button
+                  className="bg-orange-500 text-white hover:bg-orange-600 disabled:opacity-50 disabled:pointer-events-none"
+                  disabled={disabled}
+                  onClick={async () => {
+                    try {
+                      const r = await fetch("/api/org/export?type=account")
+                      if (!r.ok) return
+                      const blob = await r.blob()
+                      const url = URL.createObjectURL(blob)
+                      const a = document.createElement("a")
+                      a.href = url
+                      a.download = `organization-${orgId || "account"}.json`
+                      document.body.appendChild(a)
+                      a.click()
+                      a.remove()
+                      URL.revokeObjectURL(url)
+                    } catch {}
+                  }}
+                >
+                  Export as JSON
+                </Button>
+                )
+              })()}
             </div>
           </div>
         </CardContent>
@@ -371,14 +396,67 @@ export default function Page() {
               <p className="text-sm text-muted-foreground">Be careful—this action is permanent.</p>
             </div>
             <div className="shrink-0">
-              <Button
-                variant="destructive"
-                disabled
-                className="disabled:opacity-50 disabled:pointer-events-none"
-                title="Temporarily disabled"
-              >
-                Delete organization (disabled)
-              </Button>
+              {(() => {
+                const isOwner = Boolean(userEmail) && (userEmail === orgEmail || (!!orgContactEmail && userEmail === orgContactEmail))
+                const disabled = loading || saving || deleting
+                if (isOwner) {
+                  return (
+                    <Button
+                      variant="destructive"
+                      disabled={disabled}
+                      className="disabled:opacity-50 disabled:pointer-events-none"
+                      title="Delete this organization"
+                      onClick={async () => {
+                        const confirmed = window.confirm("This will permanently delete the organization and all related data. Continue?")
+                        if (!confirmed) return
+                        try {
+                          setDeleting(true)
+                          const r = await fetch("/api/org/delete", { method: "DELETE" })
+                          if (!r.ok) {
+                            alert("Failed to delete organization")
+                            return
+                          }
+                          await signOut({ callbackUrl: "/" })
+                        } catch {
+                          alert("Failed to delete organization")
+                        } finally {
+                          setDeleting(false)
+                        }
+                      }}
+                    >
+                      {deleting ? "Deleting…" : "Delete organization"}
+                    </Button>
+                  )
+                }
+                // Non-owner: allow deleting their own account
+                return (
+                  <Button
+                    variant="destructive"
+                    disabled={disabled}
+                    className="disabled:opacity-50 disabled:pointer-events-none"
+                    title="Delete my account"
+                    onClick={async () => {
+                      const confirmed = window.confirm("This will permanently delete your account and remove your access to this org. Continue?")
+                      if (!confirmed) return
+                      try {
+                        setDeleting(true)
+                        const r = await fetch("/api/user/deactivate", { method: "DELETE" })
+                        if (!r.ok) {
+                          alert("Failed to delete account")
+                          return
+                        }
+                        await signOut({ callbackUrl: "/" })
+                      } catch {
+                        alert("Failed to delete account")
+                      } finally {
+                        setDeleting(false)
+                      }
+                    }}
+                  >
+                    {deleting ? "Deleting…" : "Delete my account"}
+                  </Button>
+                )
+              })()}
             </div>
           </div>
         </CardContent>