fix: More instances of wrong avatar URL fixed (#10519)

* Fix user.avatar

* Fix avtars in admin users listing

* Handle unpublished org

apps/web/pages/api/user/avatar.ts

@@ -2,7 +2,7 @@ import crypto from "crypto";
 import type { NextApiRequest, NextApiResponse } from "next";
 import { z } from "zod";
 
-import { orgDomainConfig } from "@calcom/features/ee/organizations/lib/orgDomains";
+import { getSlugOrRequestedSlug, orgDomainConfig } from "@calcom/features/ee/organizations/lib/orgDomains";
 import { getPlaceholderAvatar } from "@calcom/lib/defaultAvatarImage";
 import prisma from "@calcom/prisma";
 
@@ -12,22 +12,33 @@ const querySchema = z
   .object({
     username: z.string(),
     teamname: z.string(),
+    /**
+     * Allow fetching avatar of a particular organization
+     * Avatars being public, we need not worry about others accessing it.
+     */
+    orgId: z.string().transform((s) => Number(s)),
   })
   .partial();
 
 async function getIdentityData(req: NextApiRequest) {
-  const { username, teamname } = querySchema.parse(req.query);
+  const { username, teamname, orgId } = querySchema.parse(req.query);
   const { currentOrgDomain, isValidOrgDomain } = orgDomainConfig(req.headers.host ?? "");
+
   const org = isValidOrgDomain ? currentOrgDomain : null;
+
+  const orgQuery = orgId
+    ? {
+        id: orgId,
+      }
+    : org
+    ? getSlugOrRequestedSlug(org)
+    : null;
+
   if (username) {
     const user = await prisma.user.findFirst({
       where: {
         username,
-        organization: isValidOrgDomain
-          ? {
-              slug: currentOrgDomain,
-            }
-          : null,
+        organization: orgQuery,
       },
       select: { avatar: true, email: true },
     });
@@ -42,11 +53,7 @@ async function getIdentityData(req: NextApiRequest) {
     const team = await prisma.team.findFirst({
       where: {
         slug: teamname,
-        parent: isValidOrgDomain
-          ? {
-              slug: currentOrgDomain,
-            }
-          : null,
+        parent: orgQuery,
       },
       select: { logo: true },
     });

packages/features/ee/organizations/lib/orgDomains.ts

@@ -1,5 +1,7 @@
 import { ALLOWED_HOSTNAMES, RESERVED_SUBDOMAINS, WEBAPP_URL } from "@calcom/lib/constants";
 
+import type { Prisma } from ".prisma/client";
+
 /**
  * return the org slug
  * @param hostname
@@ -60,5 +62,5 @@ export function getSlugOrRequestedSlug(slug: string) {
         },
       },
     ],
-  };
+  } satisfies Prisma.TeamWhereInput;
 }

packages/features/ee/users/components/UsersTable.tsx

@@ -135,7 +135,7 @@ function UsersTableBare() {
                       size="md"
                       alt={`Avatar of ${user.username || "Nameless"}`}
                       gravatarFallbackMd5=""
-                      imageSrc={`${WEBAPP_URL}/${user.username}/avatar.png`}
+                      imageSrc={`${WEBAPP_URL}/${user.username}/avatar.png?orgId=${user.organizationId}`}
                     />
 
                     <div className="text-subtle ml-4 font-medium">

packages/trpc/server/middlewares/sessionMiddleware.ts

@@ -104,7 +104,9 @@ export async function getUserFromSession(ctx: TRPCContextInner, session: Maybe<S
   const orgMetadata = teamMetadataSchema.parse(user.organization?.metadata || {});
   const rawAvatar = user.avatar;
   // This helps to prevent reaching the 4MB payload limit by avoiding base64 and instead passing the avatar url
-  user.avatar = rawAvatar ? `${WEBAPP_URL}/${user.username}/avatar.png` : defaultAvatarSrc({ email });
+  user.avatar = rawAvatar
+    ? `${WEBAPP_URL}/${user.username}/avatar.png?orgId=${user.organizationId}`
+    : defaultAvatarSrc({ email });
   const locale = user?.locale || ctx.locale;
 
   const isOrgAdmin = !!user.organization?.members.length;

packages/trpc/server/routers/viewer/admin/listPaginated.handler.ts

@@ -49,6 +49,7 @@ export const listPaginatedHandler = async ({ ctx, input }: GetOptions) => {
       name: true,
       timeZone: true,
       role: true,
+      organizationId: true,
     },
   });