refactor for public access case

msukkari · msukkari · commit 7b3e6e7d1975 · 2025-07-14T17:05:17.000-07:00
diff --git a/packages/web/src/app/[domain]/layout.tsx b/packages/web/src/app/[domain]/layout.tsx
@@ -38,18 +38,11 @@ export default async function Layout({
         return notFound();
     }
 
+    const session = await auth();
     const publicAccessEnabled = hasEntitlement("public-access") && await getPublicAccessStatus(domain);
-    if (!publicAccessEnabled) {
-        const session = await auth();
-        if (!session) {
-            const ssoEntitlement = await hasEntitlement("sso");
-            if (ssoEntitlement && env.AUTH_EE_GCP_IAP_ENABLED && env.AUTH_EE_GCP_IAP_AUDIENCE) {
-                return <GcpIapAuth callbackUrl={`/${domain}`} />;
-            } else {
-                redirect('/login');
-            }
-        }
-
+    
+    // If the user is authenticated, we must check if they're a member of the org
+    if (session) {
         const membership = await prisma.userToOrg.findUnique({
             where: {
                 orgId_userId: {
@@ -61,7 +54,7 @@ export default async function Layout({
                 user: true
             }
         });
-
+        
         // There's two reasons why a user might not be a member of an org:
         // 1. The org doesn't require member approval, but the org was at max capacity when the user registered. In this case, we show them
         // the join organization card to allow them to join the org if seat capacity is freed up. This card handles checking if the org has available seats.
@@ -90,6 +83,16 @@ export default async function Layout({
                 }
             }
         }
+    } else {
+        // If the user isn't authenticated and public access isn't enabled, we need to redirect them to the login page.
+        if (!publicAccessEnabled) {
+            const ssoEntitlement = await hasEntitlement("sso");
+            if (ssoEntitlement && env.AUTH_EE_GCP_IAP_ENABLED && env.AUTH_EE_GCP_IAP_AUDIENCE) {
+                return <GcpIapAuth callbackUrl={`/${domain}`} />;
+            } else {
+                redirect('/login');
+            }
+        }
     }
 
     if (!org.isOnboarded) {
diff --git a/packages/web/src/initialize.ts b/packages/web/src/initialize.ts
@@ -114,7 +114,7 @@ const syncDeclarativeConfig = async (configPath: string) => {
 
     if (hasPublicAccessEntitlement) {
         if (enablePublicAccess && env.SOURCEBOT_EE_AUDIT_LOGGING_ENABLED === 'true') {
-            logger.error(`Audit logging is not supported when public access is enabled. Please disable audit logging or disable public access.`);
+            logger.error(`Audit logging is not supported when public access is enabled. Please disable audit logging (SOURCEBOT_EE_AUDIT_LOGGING_ENABLED) or disable public access.`);
             process.exit(1);
         }
         

Original file line number	Diff line number	Diff line change
`@@ -114,7 +114,7 @@ const syncDeclarativeConfig = async (configPath: string) => {`
`114`	`114`
`115`	`115`	`if (hasPublicAccessEntitlement) {`
`116`	`116`	`if (enablePublicAccess && env.SOURCEBOT_EE_AUDIT_LOGGING_ENABLED === 'true') {`
`117`		- logger.error(`Audit logging is not supported when public access is enabled. Please disable audit logging or disable public access.`);
	`117`	+ logger.error(`Audit logging is not supported when public access is enabled. Please disable audit logging (SOURCEBOT_EE_AUDIT_LOGGING_ENABLED) or disable public access.`);
`118`	`118`	`process.exit(1);`
`119`	`119`	`}`
`120`	`120`