dubinc · devkiran · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026 · Apr 1, 2026
diff --git a/.github/workflows/playwright.yaml b/.github/workflows/playwright.yaml
@@ -38,9 +38,6 @@ jobs:
       TINYBIRD_API_KEY: "xx"
       TINYBIRD_API_URL: "xx"
 
-      AXIOM_TOKEN: "xx"
-      AXIOM_DATASET: "xx"
-
       # serverless-redis-http (SRH) — must match jobs.e2e.services.srh env
       SRH_TOKEN: "e2e_srh_token"
       UPSTASH_REDIS_REST_URL: "http://127.0.0.1:8079"

diff --git a/apps/web/app/(ee)/api/cron/export/events/partner/route.ts b/apps/web/app/(ee)/api/cron/export/events/partner/route.ts
@@ -10,6 +10,7 @@ import { obfuscateCustomerEmail } from "@/lib/api/partner-profile/obfuscate-cust
 import { getProgramEnrollmentOrThrow } from "@/lib/api/programs/get-program-enrollment-or-throw";
 import { generateExportFilename } from "@/lib/api/utils/generate-export-filename";
 import { generateRandomString } from "@/lib/api/utils/generate-random-string";
+import { linkIncludeFilter } from "@/lib/auth/partner-users/link-scope-filter";
 import { MAX_PARTNER_LINKS_FOR_LOCAL_FILTERING } from "@/lib/constants/partner-profile";
 import { verifyQstashSignature } from "@/lib/cron/verify-qstash";
 import { generateRandomName } from "@/lib/names";
@@ -48,30 +49,46 @@ export async function POST(req: Request) {
     const { columns, partnerId, programId, userId, ...parsedParams } =
       payloadSchema.parse(JSON.parse(rawBody));
 
-    const user = await prisma.user.findUnique({
+    const partnerUser = await prisma.partnerUser.findUnique({
       where: {
-        id: userId,
+        userId_partnerId: {
+          userId,
+          partnerId,
+        },
       },
       select: {
-        email: true,
+        assignedLinks: true,
+        user: {
+          select: {
+            email: true,
+          },
+        },
       },
     });
 
-    if (!user) {
-      return logAndRespond(`User ${userId} not found. Skipping the export.`);
+    if (!partnerUser) {
+      return logAndRespond(
+        `Partner user ${userId} not found. Skipping the export.`,
+      );
     }
 
+    const { user } = partnerUser;
+
     if (!user.email) {
       return logAndRespond(`User ${userId} has no email. Skipping the export.`);
     }
 
+    const assignedLinkIds = partnerUser.assignedLinks.map(
+      ({ linkId }) => linkId,
+    );
+
     const { program, links, customerDataSharingEnabledAt } =
       await getProgramEnrollmentOrThrow({
         partnerId,
         programId,
         include: {
           program: true,
-          links: true,
+          links: linkIncludeFilter(assignedLinkIds),
         },
       });
 
@@ -116,7 +133,8 @@ export async function POST(req: Request) {
       includeMetadata: false,
       ...(parsedParams.linkId
         ? { linkId: parsedParams.linkId }
-        : links.length > MAX_PARTNER_LINKS_FOR_LOCAL_FILTERING
+        : links.length > MAX_PARTNER_LINKS_FOR_LOCAL_FILTERING &&
+            assignedLinkIds.length === 0
           ? { partnerId }
           : { linkId: parseFilterValue(links.map((link) => link.id)) }),
       dataAvailableFrom: program.startedAt ?? program.createdAt,

diff --git a/apps/web/app/(ee)/api/partner-profile/invites/route.ts b/apps/web/app/(ee)/api/partner-profile/invites/route.ts
@@ -36,6 +36,8 @@ export const GET = withPartnerProfile(async ({ partner, searchParams }) => {
       ...invite,
       id: null,
       name: invite.email,
+      programAccess: "all",
+      programs: [],
     }),
   );
 

diff --git a/apps/web/app/(ee)/api/partner-profile/messages/count/route.ts b/apps/web/app/(ee)/api/partner-profile/messages/count/route.ts
@@ -1,28 +1,35 @@
 import { withPartnerProfile } from "@/lib/auth/partner";
+import { programScopeFilter } from "@/lib/auth/partner-users/program-scope-filter";
 import { countMessagesQuerySchema } from "@/lib/zod/schemas/messages";
 import { prisma } from "@dub/prisma";
 import { NextResponse } from "next/server";
 
 // GET /api/partner-profile/messages/count - count messages for a partner
-export const GET = withPartnerProfile(async ({ partner, searchParams }) => {
-  const { unread } = countMessagesQuerySchema.parse(searchParams);
+export const GET = withPartnerProfile(
+  async ({ partner, searchParams, partnerUser: { assignedProgramIds } }) => {
+    const { unread } = countMessagesQuerySchema.parse(searchParams);
 
-  const count = await prisma.message.count({
-    where: {
-      partnerId: partner.id,
-      ...(unread !== undefined && {
-        // Only count messages from the program
-        senderPartnerId: null,
-        readInApp: unread
-          ? // Only count unread messages
-            null
-          : {
-              // Only count read messages
-              not: null,
-            },
-      }),
-    },
-  });
+    const count = await prisma.message.count({
+      where: {
+        partnerId: partner.id,
+        ...(unread !== undefined && {
+          // Only count messages from the program
+          senderPartnerId: null,
+          readInApp: unread
+            ? // Only count unread messages
+              null
+            : {
+                // Only count read messages
+                not: null,
+              },
+        }),
+        ...programScopeFilter(assignedProgramIds),
+      },
+    });
 
-  return NextResponse.json(count);
-});
+    return NextResponse.json(count);
+  },
+  {
+    requiredPermission: "messages.read",
+  },
+);
diff --git a/apps/web/app/(ee)/api/partner-profile/messages/route.ts b/apps/web/app/(ee)/api/partner-profile/messages/route.ts
@@ -1,4 +1,5 @@
 import { withPartnerProfile } from "@/lib/auth/partner";
+import { throwIfNoProgramAccess } from "@/lib/auth/partner-users/throw-if-no-access";
 import {
   ProgramMessagesSchema,
   getProgramMessagesQuerySchema,
@@ -7,120 +8,136 @@ import { prisma } from "@dub/prisma";
 import { NextResponse } from "next/server";
 
 // GET /api/partner-profile/messages - get messages grouped by program
-export const GET = withPartnerProfile(async ({ partner, searchParams }) => {
-  const {
-    programSlug,
-    sortBy,
-    sortOrder,
-    messagesLimit: messagesLimitArg,
-  } = getProgramMessagesQuerySchema.parse(searchParams);
+export const GET = withPartnerProfile(
+  async ({ partner, searchParams, partnerUser }) => {
+    const {
+      programSlug,
+      sortBy,
+      sortOrder,
+      messagesLimit: messagesLimitArg,
+    } = getProgramMessagesQuerySchema.parse(searchParams);
 
-  const messagesLimit = messagesLimitArg ?? (programSlug ? undefined : 10);
+    const messagesLimit = messagesLimitArg ?? (programSlug ? undefined : 10);
 
-  const programs = await prisma.program.findMany({
-    where: {
-      // Partner is not banned from the program
-      partners: {
-        none: {
-          partnerId: partner.id,
-          status: "banned",
-        },
-      },
+    throwIfNoProgramAccess({
+      programSlug,
+      partnerUser,
+    });
 
-      ...(programSlug
-        ? {
-            slug: programSlug,
-            OR: [
-              // Partner is enrolled in the program
-              // in this case, return messages regardless of messaging enabled status which is passed to the UI
-              {
-                partners: {
-                  some: {
-                    partnerId: partner.id,
+    const programs = await prisma.program.findMany({
+      where: {
+        // Partner is not banned from the program
+        partners: {
+          none: {
+            partnerId: partner.id,
+            status: "banned",
+          },
+        },
+        ...(programSlug
+          ? {
+              slug: programSlug,
+              OR: [
+                // Partner is enrolled in the program
+                // in this case, return messages regardless of messaging enabled status which is passed to the UI
+                {
+                  partners: {
+                    some: {
+                      partnerId: partner.id,
+                    },
                   },
                 },
-              },
-              {
-                // Partner has received a direct message from the program
-                messages: {
-                  some: {
-                    partnerId: partner.id,
-                    senderPartnerId: null, // Sent by the program
+                {
+                  // Partner has received a direct message from the program
+                  messages: {
+                    some: {
+                      partnerId: partner.id,
+                      senderPartnerId: null, // Sent by the program
+                    },
                   },
                 },
-              },
-            ],
-          }
-        : {
-            OR: [
-              // Program has messaging enabled and partner has 1+ messages with the program
-              {
-                messagingEnabledAt: {
-                  not: null,
-                },
-                messages: {
-                  some: {
-                    partnerId: partner.id,
+              ],
+            }
+          : {
+              OR: [
+                // Program has messaging enabled and partner has 1+ messages with the program
+                {
+                  messagingEnabledAt: {
+                    not: null,
+                  },
+                  messages: {
+                    some: {
+                      partnerId: partner.id,
+                    },
                   },
                 },
-              },
 
-              // Partner has received a direct message from the program
-              {
-                messages: {
-                  some: {
-                    partnerId: partner.id,
-                    senderPartnerId: null, // Sent by the program
+                // Partner has received a direct message from the program
+                {
+                  messages: {
+                    some: {
+                      partnerId: partner.id,
+                      senderPartnerId: null, // Sent by the program
+                    },
                   },
                 },
-              },
-            ],
-          }),
-    },
-    include: {
-      messages: {
-        where: {
-          partnerId: partner.id,
-        },
-        include: {
-          senderPartner: true,
-          senderUser: true,
-        },
-        orderBy: {
-          [sortBy]: sortOrder,
+              ],
+              ...(partnerUser.assignedProgramIds
+                ? {
+                    id: {
+                      in: partnerUser.assignedProgramIds,
+                    },
+                  }
+                : {}),
+            }),
+      },
+      include: {
+        messages: {
+          where: {
+            partnerId: partner.id,
+          },
+          include: {
+            senderPartner: true,
+            senderUser: true,
+          },
+          orderBy: {
+            [sortBy]: sortOrder,
+          },
+          take: messagesLimit,
         },
-        take: messagesLimit,
       },
-    },
-  });
+    });
 
-  return NextResponse.json(
-    ProgramMessagesSchema.parse(
-      programs
-        // Sort by unread first, then by most recent message
-        .sort((a, b) => {
-          const aUnread = a.messages.some(
-            (m) => !m.senderPartnerId && !m.readInApp,
-          );
-          const bUnread = b.messages.some(
-            (m) => !m.senderPartnerId && !m.readInApp,
-          );
+    return NextResponse.json(
+      ProgramMessagesSchema.parse(
+        programs
+          // Sort by unread first, then by most recent message
+          .sort((a, b) => {
+            const aUnread = a.messages.some(
+              (m) => !m.senderPartnerId && !m.readInApp,
+            );
+            const bUnread = b.messages.some(
+              (m) => !m.senderPartnerId && !m.readInApp,
+            );
 
-          if (aUnread !== bUnread) {
-            return aUnread ? -1 : 1;
-          }
+            if (aUnread !== bUnread) {
+              return aUnread ? -1 : 1;
+            }
 
-          return sortOrder === "desc"
-            ? (b.messages?.[0]?.[sortBy]?.getTime() ?? 0) -
-                (a.messages?.[0]?.[sortBy]?.getTime() ?? 0)
-            : (a.messages?.[0]?.[sortBy]?.getTime() ?? 0) -
-                (b.messages?.[0]?.[sortBy]?.getTime() ?? 0);
-        })
-        // Map to {program, messages}
-        .map(({ messages, ...program }) => ({
-          program,
-          messages,
-        })),
-    ),
-  );
-});
+            return sortOrder === "desc"
+              ? (b.messages?.[0]?.[sortBy]?.getTime() ?? 0) -
+                  (a.messages?.[0]?.[sortBy]?.getTime() ?? 0)
+              : (a.messages?.[0]?.[sortBy]?.getTime() ?? 0) -
+                  (b.messages?.[0]?.[sortBy]?.getTime() ?? 0);
+          })
+          // Map to {program, messages}
+          .map(({ messages, ...program }) => ({
+            program,
+            messages,
+          })),
+      ),
+    );
+  },
+  {
+    requiredPermission: "messages.read",
+  },
+);