address comments

Author: icecrasher321

apps/sim/app/api/organizations/[id]/permission-groups/[groupId]/route.ts

@@ -115,16 +115,28 @@ export const PUT = withRouteHandler(
         ? { ...currentConfig, ...updates.config }
         : currentConfig
 
+      // Demoting the org default with no new scope: it becomes a non-default
+      // group with no workspaces (inert) until an admin re-scopes it. The client
+      // sends only `isDefault: false`, so this never forwards a workspace list
+      // (which a non-default group otherwise requires) against the per-group cap.
+      const demotingDefaultToInert =
+        group.isDefault &&
+        updates.isDefault === false &&
+        updates.appliesToAllWorkspaces === undefined &&
+        updates.workspaceIds === undefined
+
       // Resolve the target workspace scope. Setting the group as default forces
       // all-workspaces; otherwise an explicit `appliesToAllWorkspaces` wins, and
       // supplying `workspaceIds` alone implies a specific scope.
       const scopeProvided =
+        demotingDefaultToInert ||
         updates.appliesToAllWorkspaces !== undefined ||
         updates.workspaceIds !== undefined ||
         updates.isDefault === true
 
-      const resolvedAppliesToAll =
-        updates.isDefault === true
+      const resolvedAppliesToAll = demotingDefaultToInert
+        ? false
+        : updates.isDefault === true
           ? true
           : updates.appliesToAllWorkspaces !== undefined
             ? updates.appliesToAllWorkspaces
@@ -188,7 +200,7 @@ export const PUT = withRouteHandler(
           if (!resolvedAppliesToAll) {
             resolvedWorkspaceIds =
               providedWorkspaceIds ?? (await getGroupWorkspaces(id, tx)).map((ws) => ws.id)
-            if (resolvedWorkspaceIds.length === 0) {
+            if (resolvedWorkspaceIds.length === 0 && !demotingDefaultToInert) {
               throw new Error('NO_WORKSPACES')
             }
           }

apps/sim/ee/access-control/components/access-control.tsx

@@ -1027,19 +1027,14 @@ export function AccessControl() {
       if (!viewingGroup || !organizationId) return
       const seq = ++scopeWriteSeqRef.current
       try {
+        // Promoting forces all-workspaces; demoting leaves the group non-default
+        // with no workspaces (inert) until it is re-scoped from the selector — the
+        // route handles this from `isDefault: false` alone, so no workspace list
+        // (bounded by the per-group cap) is sent.
         const result = await updatePermissionGroup.mutateAsync({
           id: viewingGroup.id,
           organizationId,
           isDefault: enabled,
-          // Demoting the org default to a workspace group targets every current
-          // workspace so it keeps governing the same scope; the admin can narrow
-          // it afterward. Promoting clears workspaces (the route forces all-ws).
-          ...(enabled
-            ? {}
-            : {
-                appliesToAllWorkspaces: false,
-                workspaceIds: organizationWorkspaces.map((ws) => ws.id),
-              }),
         })
 
         if (seq !== scopeWriteSeqRef.current) return

apps/sim/lib/api/contracts/permission-groups.test.ts

@@ -90,6 +90,10 @@ describe('updatePermissionGroupBodySchema', () => {
     expect(updatePermissionGroupBodySchema.safeParse({}).success).toBe(true)
   })
 
+  it('accepts demoting the default via isDefault:false alone (the route re-scopes it)', () => {
+    expect(updatePermissionGroupBodySchema.safeParse({ isDefault: false }).success).toBe(true)
+  })
+
   it('rejects switching to specific scope with no workspaces', () => {
     const result = updatePermissionGroupBodySchema.safeParse({
       appliesToAllWorkspaces: false,