diff --git a/app/Http/Controllers/Api/TeamController.php b/app/Http/Controllers/Api/TeamController.php
index e12d83542..fd0282d96 100644
--- a/app/Http/Controllers/Api/TeamController.php
+++ b/app/Http/Controllers/Api/TeamController.php
@@ -218,7 +218,10 @@ public function current_team(Request $request)
if (is_null($teamId)) {
return invalidTokenResponse();
}
- $team = auth()->user()->currentTeam();
+ $team = auth()->user()->teams->where('id', $teamId)->first();
+ if (is_null($team)) {
+ return response()->json(['message' => 'Team not found.'], 404);
+ }
return response()->json(
$this->removeSensitiveData($team),
@@ -263,7 +266,10 @@ public function current_team_members(Request $request)
if (is_null($teamId)) {
return invalidTokenResponse();
}
- $team = auth()->user()->currentTeam();
+ $team = auth()->user()->teams->where('id', $teamId)->first();
+ if (is_null($team)) {
+ return response()->json(['message' => 'Team not found.'], 404);
+ }
$team->members->makeHidden([
'pivot',
'email_change_code',
diff --git a/app/Http/Middleware/DecideWhatToDoWithUser.php b/app/Http/Middleware/DecideWhatToDoWithUser.php
index 8b1c550df..dbf261f4d 100644
--- a/app/Http/Middleware/DecideWhatToDoWithUser.php
+++ b/app/Http/Middleware/DecideWhatToDoWithUser.php
@@ -18,14 +18,21 @@ public function handle(Request $request, Closure $next): Response
}
if (auth()?->user()?->currentTeam()) {
refreshSession(auth()->user()->currentTeam());
+ } elseif (auth()?->user()?->teams?->count() > 0) {
+ // User's session team is invalid (e.g., removed from team), switch to first available team
+ refreshSession(auth()->user()->teams->first());
}
- if (! auth()->user() || ! isCloud() || isInstanceAdmin()) {
+ if (! auth()->user() || ! isCloud()) {
if (! isCloud() && showBoarding() && ! in_array($request->path(), allowedPathsForBoardingAccounts())) {
return redirect()->route('onboarding');
}
return $next($request);
}
+ // Instance admins can access settings and admin routes regardless of subscription
+ if (isInstanceAdmin() && ($request->routeIs('settings.*') || $request->path() === 'admin')) {
+ return $next($request);
+ }
if (! auth()->user()->hasVerifiedEmail()) {
if ($request->path() === 'verify' || in_array($request->path(), allowedPathsForInvalidAccounts()) || $request->routeIs('verify.verify')) {
return $next($request);
diff --git a/app/Livewire/ActivityMonitor.php b/app/Livewire/ActivityMonitor.php
index bc310e715..370ff1eaa 100644
--- a/app/Livewire/ActivityMonitor.php
+++ b/app/Livewire/ActivityMonitor.php
@@ -79,8 +79,10 @@ public function polling()
$causer_id = data_get($this->activity, 'causer_id');
$user = User::find($causer_id);
if ($user) {
- $teamId = $user->currentTeam()->id;
- if (! self::$eventDispatched) {
+ $teamId = data_get($this->activity, 'properties.team_id')
+ ?? $user->currentTeam()?->id
+ ?? $user->teams->first()?->id;
+ if ($teamId && ! self::$eventDispatched) {
if (filled($this->eventData)) {
$this->eventToDispatch::dispatch($teamId, $this->eventData);
} else {
diff --git a/app/Livewire/Settings/Advanced.php b/app/Livewire/Settings/Advanced.php
index fb9c91263..16361ce79 100644
--- a/app/Livewire/Settings/Advanced.php
+++ b/app/Livewire/Settings/Advanced.php
@@ -3,16 +3,12 @@
namespace App\Livewire\Settings;
use App\Models\InstanceSettings;
-use App\Models\Server;
use App\Rules\ValidIpOrCidr;
use Livewire\Attributes\Validate;
use Livewire\Component;
class Advanced extends Component
{
- #[Validate('required')]
- public Server $server;
-
public InstanceSettings $settings;
#[Validate('boolean')]
@@ -44,7 +40,6 @@ class Advanced extends Component
public function rules()
{
return [
- 'server' => 'required',
'is_registration_enabled' => 'boolean',
'do_not_track' => 'boolean',
'is_dns_validation_enabled' => 'boolean',
@@ -62,7 +57,6 @@ public function mount()
if (! isInstanceAdmin()) {
return redirect()->route('dashboard');
}
- $this->server = Server::findOrFail(0);
$this->settings = instanceSettings();
$this->custom_dns_servers = $this->settings->custom_dns_servers;
$this->allowed_ips = $this->settings->allowed_ips;
diff --git a/app/Livewire/Settings/Index.php b/app/Livewire/Settings/Index.php
index 14c0eec32..ded1c1a4d 100644
--- a/app/Livewire/Settings/Index.php
+++ b/app/Livewire/Settings/Index.php
@@ -12,7 +12,7 @@ class Index extends Component
{
public InstanceSettings $settings;
- public Server $server;
+ public ?Server $server = null;
#[Validate('nullable|string|max:255')]
public ?string $fqdn = null;
@@ -57,7 +57,9 @@ public function mount()
return redirect()->route('dashboard');
}
$this->settings = instanceSettings();
- $this->server = Server::findOrFail(0);
+ if (! isCloud()) {
+ $this->server = Server::findOrFail(0);
+ }
$this->fqdn = $this->settings->fqdn;
$this->public_port_min = $this->settings->public_port_min;
$this->public_port_max = $this->settings->public_port_max;
@@ -127,7 +129,7 @@ public function submit()
$this->validate();
- if ($this->settings->is_dns_validation_enabled && $this->fqdn) {
+ if ($this->settings->is_dns_validation_enabled && $this->fqdn && $this->server) {
if (! validateDNSEntry($this->fqdn, $this->server)) {
$this->dispatch('error', "Validating DNS failed.
Make sure you have added the DNS records correctly.
{$this->fqdn}->{$this->server->ip}
Check this documentation for further help.");
$error_show = true;
@@ -151,7 +153,9 @@ public function submit()
$this->instantSave(isSave: false);
$this->settings->save();
- $this->server->setupDynamicProxyConfiguration();
+ if ($this->server) {
+ $this->server->setupDynamicProxyConfiguration();
+ }
if (! $error_show) {
$this->dispatch('success', 'Instance settings updated successfully!');
}
@@ -169,6 +173,12 @@ public function buildHelperImage()
return;
}
+ if (! $this->server) {
+ $this->dispatch('error', 'Server not available.');
+
+ return;
+ }
+
$version = $this->dev_helper_version ?: config('constants.coolify.helper_version');
if (empty($version)) {
$this->dispatch('error', 'Please specify a version to build.');
diff --git a/app/Livewire/Settings/Updates.php b/app/Livewire/Settings/Updates.php
index fe20763b6..01a67c38c 100644
--- a/app/Livewire/Settings/Updates.php
+++ b/app/Livewire/Settings/Updates.php
@@ -12,7 +12,7 @@ class Updates extends Component
{
public InstanceSettings $settings;
- public Server $server;
+ public ?Server $server = null;
#[Validate('string')]
public string $auto_update_frequency;
@@ -25,7 +25,9 @@ class Updates extends Component
public function mount()
{
- $this->server = Server::findOrFail(0);
+ if (! isCloud()) {
+ $this->server = Server::findOrFail(0);
+ }
$this->settings = instanceSettings();
$this->auto_update_frequency = $this->settings->auto_update_frequency;
@@ -76,7 +78,9 @@ public function submit()
}
$this->instantSave();
- $this->server->setupDynamicProxyConfiguration();
+ if ($this->server) {
+ $this->server->setupDynamicProxyConfiguration();
+ }
} catch (\Exception $e) {
return handleError($e, $this);
}
diff --git a/app/Livewire/Team/InviteLink.php b/app/Livewire/Team/InviteLink.php
index 45af53950..ee6d535e9 100644
--- a/app/Livewire/Team/InviteLink.php
+++ b/app/Livewire/Team/InviteLink.php
@@ -48,7 +48,7 @@ private function generateInviteLink(bool $sendEmail = false)
// Prevent privilege escalation: users cannot invite someone with higher privileges
$userRole = auth()->user()->role();
- if ($userRole === 'member' && in_array($this->role, ['admin', 'owner'])) {
+ if (is_null($userRole) || ($userRole === 'member' && in_array($this->role, ['admin', 'owner']))) {
throw new \Exception('Members cannot invite admins or owners.');
}
if ($userRole === 'admin' && $this->role === 'owner') {
diff --git a/app/Livewire/Team/Member.php b/app/Livewire/Team/Member.php
index 96c98c637..b1f692365 100644
--- a/app/Livewire/Team/Member.php
+++ b/app/Livewire/Team/Member.php
@@ -71,11 +71,11 @@ public function remove()
|| Role::from($this->getMemberRole())->gt(auth()->user()->role())) {
throw new \Exception('You are not authorized to perform this action.');
}
+ $teamId = currentTeam()->id;
$this->member->teams()->detach(currentTeam());
+ // Clear cache for the removed user - both old and new key formats
Cache::forget("team:{$this->member->id}");
- Cache::remember('team:'.$this->member->id, 3600, function () {
- return $this->member->teams()->first();
- });
+ Cache::forget("user:{$this->member->id}:team:{$teamId}");
$this->dispatch('reloadWindow');
} catch (\Exception $e) {
$this->dispatch('error', $e->getMessage());
diff --git a/app/Models/User.php b/app/Models/User.php
index b790efcf1..4561cddb2 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -2,6 +2,7 @@
namespace App\Models;
+use App\Jobs\UpdateStripeCustomerEmailJob;
use App\Notifications\Channels\SendsEmail;
use App\Notifications\TransactionalEmails\ResetPassword as TransactionalEmailsResetPassword;
use App\Traits\DeletesUserSessions;
@@ -295,9 +296,10 @@ public function isAdminFromSession()
public function isInstanceAdmin()
{
- $found_root_team = Auth::user()->teams->filter(function ($team) {
+ $found_root_team = $this->teams->filter(function ($team) {
if ($team->id == 0) {
- if (! Auth::user()->isAdmin()) {
+ $role = $team->pivot->role;
+ if ($role !== 'admin' && $role !== 'owner') {
return false;
}
@@ -310,32 +312,51 @@ public function isInstanceAdmin()
return $found_root_team->count() > 0;
}
- public function currentTeam()
+ public function currentTeam(): ?Team
{
- return Cache::remember('team:'.Auth::id(), 3600, function () {
- if (is_null(data_get(session('currentTeam'), 'id')) && Auth::user()->teams->count() > 0) {
- return Auth::user()->teams[0];
- }
+ $sessionTeamId = data_get(session('currentTeam'), 'id');
- return Team::find(session('currentTeam')->id);
+ if (is_null($sessionTeamId)) {
+ return null;
+ }
+
+ // Check if user actually belongs to this team
+ if (! $this->teams->contains('id', $sessionTeamId)) {
+ session()->forget('currentTeam');
+ Cache::forget('user:'.$this->id.':team:'.$sessionTeamId);
+
+ return null;
+ }
+
+ return Cache::remember('user:'.$this->id.':team:'.$sessionTeamId, 3600, function () use ($sessionTeamId) {
+ return Team::find($sessionTeamId);
});
}
- public function otherTeams()
- {
- return Auth::user()->teams->filter(function ($team) {
- return $team->id != currentTeam()->id;
- });
- }
-
- public function role()
+ public function role(): ?string
{
if (data_get($this, 'pivot')) {
return $this->pivot->role;
}
- $user = Auth::user()->teams->where('id', currentTeam()->id)->first();
- return data_get($user, 'pivot.role');
+ $current = $this->currentTeam();
+ if (is_null($current)) {
+ return null;
+ }
+
+ $team = $this->teams->where('id', $current->id)->first();
+
+ return data_get($team, 'pivot.role');
+ }
+
+ /**
+ * Get the user's role in a specific team
+ */
+ public function roleInTeam(int $teamId): ?string
+ {
+ $team = $this->teams->where('id', $teamId)->first();
+
+ return data_get($team, 'pivot.role');
}
/**
@@ -415,9 +436,10 @@ public function confirmEmailChange(string $code): bool
]);
// For cloud users, dispatch job to update Stripe customer email asynchronously
- if (isCloud() && $this->currentTeam()->subscription) {
- dispatch(new \App\Jobs\UpdateStripeCustomerEmailJob(
- $this->currentTeam(),
+ $currentTeam = $this->currentTeam();
+ if (isCloud() && $currentTeam?->subscription) {
+ dispatch(new UpdateStripeCustomerEmailJob(
+ $currentTeam,
$this->id,
$newEmail,
$oldEmail
diff --git a/bootstrap/helpers/shared.php b/bootstrap/helpers/shared.php
index e26b7b6c7..4db777732 100644
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@@ -182,8 +182,11 @@ function refreshSession(?Team $team = null): void
$team = User::find(Auth::id())->teams->first();
}
}
+ // Clear old cache key format for backwards compatibility
Cache::forget('team:'.Auth::id());
- Cache::remember('team:'.Auth::id(), 3600, function () use ($team) {
+ // Use new cache key format that includes team ID
+ Cache::forget('user:'.Auth::id().':team:'.$team->id);
+ Cache::remember('user:'.Auth::id().':team:'.$team->id, 3600, function () use ($team) {
return $team;
});
session(['currentTeam' => $team]);
@@ -384,7 +387,7 @@ function base_url(bool $withPort = true): string
function isSubscribed()
{
- return isSubscriptionActive() || auth()->user()->isInstanceAdmin();
+ return isSubscriptionActive();
}
function isProduction(): bool
diff --git a/bootstrap/helpers/subscriptions.php b/bootstrap/helpers/subscriptions.php
index 1a0ae0fbd..4b84fb7f6 100644
--- a/bootstrap/helpers/subscriptions.php
+++ b/bootstrap/helpers/subscriptions.php
@@ -13,6 +13,10 @@ function isSubscriptionActive()
if (! $team) {
return false;
}
+ // Root team (id=0) doesn't require subscription
+ if ($team->id === 0) {
+ return true;
+ }
$subscription = $team?->subscription;
if (is_null($subscription)) {