@oneuptime/common 9.1.0 → 9.1.1

package/Models/DatabaseModels/BillingPaymentMethod.ts

@@ -20,7 +20,11 @@ import { Column, Entity, Index, JoinColumn, ManyToOne } from "typeorm";
 @AllowAccessIfSubscriptionIsUnpaid()
 @TenantColumn("projectId")
 @TableAccessControl({
-  create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+  create: [
+    Permission.ProjectOwner,
+    Permission.ManageProjectBilling,
+    Permission.CreateBillingPaymentMethod,
+  ],
   read: [
     Permission.ProjectOwner,
     Permission.ProjectUser,
@@ -28,7 +32,11 @@ import { Column, Entity, Index, JoinColumn, ManyToOne } from "typeorm";
     Permission.ProjectMember,
     Permission.ReadBillingPaymentMethod,
   ],
-  delete: [Permission.ProjectOwner, Permission.DeleteBillingPaymentMethod],
+  delete: [
+    Permission.ProjectOwner,
+    Permission.ManageProjectBilling,
+    Permission.DeleteBillingPaymentMethod,
+  ],
   update: [],
 })
 @CrudApiEndpoint(new Route("/billing-payment-methods"))
@@ -45,7 +53,11 @@ import { Column, Entity, Index, JoinColumn, ManyToOne } from "typeorm";
 })
 export default class BillingPaymentMethod extends BaseModel {
   @ColumnAccessControl({
-    create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+    create: [
+      Permission.ProjectOwner,
+      Permission.ManageProjectBilling,
+      Permission.CreateBillingPaymentMethod,
+    ],
     read: [
       Permission.ProjectOwner,
       Permission.ProjectUser,
@@ -77,7 +89,11 @@ export default class BillingPaymentMethod extends BaseModel {
   public project?: Project = undefined;
 
   @ColumnAccessControl({
-    create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+    create: [
+      Permission.ProjectOwner,
+      Permission.ManageProjectBilling,
+      Permission.CreateBillingPaymentMethod,
+    ],
     read: [
       Permission.ProjectOwner,
       Permission.ProjectAdmin,
@@ -103,7 +119,11 @@ export default class BillingPaymentMethod extends BaseModel {
   public projectId?: ObjectID = undefined;
 
   @ColumnAccessControl({
-    create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+    create: [
+      Permission.ProjectOwner,
+      Permission.ManageProjectBilling,
+      Permission.CreateBillingPaymentMethod,
+    ],
     read: [
       Permission.ProjectOwner,
       Permission.ProjectAdmin,
@@ -136,7 +156,11 @@ export default class BillingPaymentMethod extends BaseModel {
   public createdByUser?: User = undefined;
 
   @ColumnAccessControl({
-    create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+    create: [
+      Permission.ProjectOwner,
+      Permission.ManageProjectBilling,
+      Permission.CreateBillingPaymentMethod,
+    ],
     read: [
       Permission.ProjectOwner,
       Permission.ProjectAdmin,
@@ -218,7 +242,11 @@ export default class BillingPaymentMethod extends BaseModel {
   public deletedByUserId?: ObjectID = undefined;
 
   @ColumnAccessControl({
-    create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+    create: [
+      Permission.ProjectOwner,
+      Permission.ManageProjectBilling,
+      Permission.CreateBillingPaymentMethod,
+    ],
     read: [
       Permission.ProjectOwner,
       Permission.ProjectAdmin,
@@ -278,7 +306,11 @@ export default class BillingPaymentMethod extends BaseModel {
   public paymentProviderCustomerId?: string = undefined;
 
   @ColumnAccessControl({
-    create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+    create: [
+      Permission.ProjectOwner,
+      Permission.ManageProjectBilling,
+      Permission.CreateBillingPaymentMethod,
+    ],
     read: [
       Permission.ProjectOwner,
       Permission.ProjectAdmin,
@@ -298,7 +330,11 @@ export default class BillingPaymentMethod extends BaseModel {
   public last4Digits?: string = undefined;
 
   @ColumnAccessControl({
-    create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+    create: [
+      Permission.ProjectOwner,
+      Permission.ManageProjectBilling,
+      Permission.CreateBillingPaymentMethod,
+    ],
     read: [
       Permission.ProjectOwner,
       Permission.ProjectAdmin,

package/Models/DatabaseModels/StatusPageDomain.ts

@@ -282,8 +282,9 @@ export default class StatusPageDomain extends BaseModel {
   @TableColumn({
     required: true,
     type: TableColumnType.ShortText,
-    title: "Sumdomain",
-    description: "Subdomain of your status page - like (status)",
+    title: "Subdomain",
+    description:
+      "Subdomain label for your status page such as 'status'. Leave blank or enter @ to use the root domain.",
   })
   @Column({
     nullable: false,

package/Models/DatabaseModels/User.ts

@@ -30,7 +30,7 @@ import { Column, Entity, Index, JoinColumn, ManyToOne } from "typeorm";
 })
 @AllowAccessIfSubscriptionIsUnpaid()
 @TableAccessControl({
-  create: [Permission.Public],
+  create: [],
   read: [Permission.CurrentUser],
   delete: [Permission.CurrentUser],
   update: [Permission.CurrentUser],

package/Server/API/BillingPaymentMethodAPI.ts

@@ -42,17 +42,16 @@ export default class UserAPI extends BaseAPI<
           const userPermissions: Array<UserPermission> = (
             await this.getPermissionsForTenant(req)
           ).filter((permission: UserPermission) => {
-            return (
-              permission.permission.toString() ===
-                Permission.ProjectOwner.toString() ||
-              permission.permission.toString() ===
-                Permission.CreateBillingPaymentMethod.toString()
-            );
+            return [
+              Permission.ProjectOwner,
+              Permission.ManageProjectBilling,
+              Permission.CreateBillingPaymentMethod,
+            ].includes(permission.permission);
           });
 
           if (userPermissions.length === 0) {
             throw new BadDataException(
-              "Only Project owner can add payment methods.",
+              "Only project owners or members with Manage Billing access can add payment methods.",
             );
           }
 

package/Server/API/StatusPageAPI.ts

@@ -2809,7 +2809,7 @@ export default class StatusPageAPI extends BaseAPI<
               manageSubscriptionUrl: manageUrlink,
             },
             subject:
-              "Manage your Subscription for" +
+              "Manage your Subscription for " +
               (statusPage.name || "Status Page"),
           },
           {

package/Server/EnvironmentConfig.ts

@@ -44,6 +44,8 @@ const FRONTEND_ENV_ALLOW_LIST: Array<string> = [
   "DISABLE_TELEMETRY",
   "SLACK_APP_CLIENT_ID",
   "MICROSOFT_TEAMS_APP_CLIENT_ID",
+  "CAPTCHA_ENABLED",
+  "CAPTCHA_SITE_KEY",
 ];
 
 const FRONTEND_ENV_ALLOW_PREFIXES: Array<string> = [
@@ -324,6 +326,13 @@ export const Host: string = process.env["HOST"] || "";
 
 export const ProvisionSsl: boolean = process.env["PROVISION_SSL"] === "true";
 
+export const CaptchaEnabled: boolean =
+  process.env["CAPTCHA_ENABLED"] === "true";
+
+export const CaptchaSecretKey: string = process.env["CAPTCHA_SECRET_KEY"] || "";
+
+export const CaptchaSiteKey: string = process.env["CAPTCHA_SITE_KEY"] || "";
+
 export const WorkflowScriptTimeoutInMS: number = process.env[
   "WORKFLOW_SCRIPT_TIMEOUT_IN_MS"
 ]
@@ -446,6 +455,8 @@ export const MicrosoftTeamsAppClientId: string | null =
   process.env["MICROSOFT_TEAMS_APP_CLIENT_ID"] || null;
 export const MicrosoftTeamsAppClientSecret: string | null =
   process.env["MICROSOFT_TEAMS_APP_CLIENT_SECRET"] || null;
+export const MicrosoftTeamsAppTenantId: string | null =
+  process.env["MICROSOFT_TEAMS_APP_TENANT_ID"] || null;
 
 // VAPID Configuration for Web Push Notifications
 export const VapidPublicKey: string | undefined =

package/Server/Services/StatusPageDomainService.ts

@@ -48,19 +48,26 @@ export class Service extends DatabaseService<StatusPageDomain> {
       );
     }
 
-    if (createBy.data.subdomain) {
-      // trim and lowercase the subdomain.
-      createBy.data.subdomain = createBy.data.subdomain.trim().toLowerCase();
+    let normalizedSubdomain: string =
+      createBy.data.subdomain?.trim().toLowerCase() || "";
+
+    if (normalizedSubdomain === "@") {
+      normalizedSubdomain = "";
     }
 
+    createBy.data.subdomain = normalizedSubdomain;
+
     if (domain) {
-      createBy.data.fullDomain = (
-        createBy.data.subdomain +
-        "." +
-        domain.domain?.toString()
-      )
-        .toLowerCase()
-        .trim();
+      const baseDomain: string =
+        domain.domain?.toString().toLowerCase().trim() || "";
+
+      if (!baseDomain) {
+        throw new BadDataException("Please select a valid domain.");
+      }
+
+      createBy.data.fullDomain = normalizedSubdomain
+        ? `${normalizedSubdomain}.${baseDomain}`
+        : baseDomain;
     }
 
     createBy.data.cnameVerificationToken = ObjectID.generate().toString();

package/Server/Types/Workflow/Components/Email.ts

@@ -115,9 +115,18 @@ export default class Email extends ComponentCode {
       const smtpTransport: SMTPTransport.Options = {
         host: args["smtp-host"]?.toString(),
         port: args["smtp-port"] as number,
-        secure: Boolean(args["secure"]),
       };
 
+      if (
+        args["secure"] === true ||
+        args["secure"] === "true" ||
+        args["secure"] === 1
+      ) {
+        smtpTransport.secure = true;
+      } else {
+        smtpTransport.secure = false;
+      }
+
       if (username && password) {
         smtpTransport.auth = {
           user: username,

package/Server/Utils/Captcha.ts

@@ -0,0 +1,98 @@
+import axios, { AxiosError, AxiosResponse } from "axios";
+import BadDataException from "../../Types/Exception/BadDataException";
+import logger from "./Logger";
+import { CaptchaEnabled, CaptchaSecretKey } from "../EnvironmentConfig";
+
+export interface VerifyCaptchaOptions {
+  token: string | null | undefined;
+  remoteIp?: string | null;
+}
+
+const REQUEST_TIMEOUT_MS: number = 5000;
+const GENERIC_ERROR_MESSAGE: string =
+  "Captcha verification failed. Please try again.";
+
+type HCaptchaResponse = {
+  success?: boolean;
+  [key: string]: unknown;
+};
+
+class CaptchaUtil {
+  public static isCaptchaEnabled(): boolean {
+    return CaptchaEnabled && Boolean(CaptchaSecretKey);
+  }
+
+  public static async verifyCaptcha(
+    options: VerifyCaptchaOptions,
+  ): Promise<void> {
+    if (!CaptchaEnabled) {
+      return;
+    }
+
+    if (!CaptchaSecretKey) {
+      logger.error(
+        "Captcha is enabled but CAPTCHA_SECRET_KEY is not configured.",
+      );
+      throw new BadDataException(GENERIC_ERROR_MESSAGE);
+    }
+
+    const token: string = (options.token || "").trim();
+
+    if (!token) {
+      throw new BadDataException(
+        "Captcha token is missing. Please complete the verification challenge.",
+      );
+    }
+
+    try {
+      await this.verifyHCaptcha(token, options.remoteIp || undefined);
+    } catch (err) {
+      if (axios.isAxiosError(err)) {
+        const axiosError: AxiosError = err as AxiosError;
+        logger.error(
+          `Captcha provider verification failure: ${axiosError.message}`,
+        );
+      } else {
+        logger.error(
+          `Captcha provider verification failure: ${(err as Error).message}`,
+        );
+      }
+
+      throw new BadDataException(GENERIC_ERROR_MESSAGE);
+    }
+  }
+
+  private static async verifyHCaptcha(
+    token: string,
+    remoteIp?: string,
+  ): Promise<void> {
+    const params: URLSearchParams = new URLSearchParams();
+    params.append("secret", CaptchaSecretKey);
+    params.append("response", token);
+
+    if (remoteIp) {
+      params.append("remoteip", remoteIp);
+    }
+
+    const response: AxiosResponse<HCaptchaResponse> =
+      await axios.post<HCaptchaResponse>(
+        "https://hcaptcha.com/siteverify",
+        params.toString(),
+        {
+          headers: {
+            "content-type": "application/x-www-form-urlencoded",
+          },
+          timeout: REQUEST_TIMEOUT_MS,
+        },
+      );
+
+    if (!response.data?.success) {
+      logger.warn(
+        `hCaptcha verification failed: ${JSON.stringify(response.data || {})}`,
+      );
+      throw new BadDataException(GENERIC_ERROR_MESSAGE);
+    }
+  }
+}
+
+export default CaptchaUtil;

package/Server/Utils/Greenlock/Greenlock.ts

@@ -1,4 +1,5 @@
 import {
+  IsBillingEnabled,
   LetsEncryptAccountKey,
   LetsEncryptNotificationEmail,
 } from "../../../Server/EnvironmentConfig";
@@ -325,9 +326,15 @@ export default class GreenlockUtil {
         throw e;
       }
 
-      throw new ServerException(
-        `Unable to order certificate for ${data.domain}. Please contact support at support@oneuptime.com for more information.`,
-      );
+      if (IsBillingEnabled) {
+        throw new ServerException(
+          `Unable to order certificate for ${data.domain}. Please contact support at support@oneuptime.com for more information.`,
+        );
+      } else {
+        throw new ServerException(
+          `Unable to order certificate for ${data.domain}. Please make sure that your server can be accessed publicly over port 80 (HTTP) and port 443 (HTTPS). If the problem persists, please refer to server logs for more information. Please also set up LOG_LEVEL=DEBUG to get more detailed server logs.`,
+        );
+      }
     }
   }
 }

package/Server/Utils/Workspace/MicrosoftTeams/MicrosoftTeams.ts

@@ -43,6 +43,7 @@ import OneUptimeDate from "../../../../Types/Date";
 import {
   MicrosoftTeamsAppClientId,
   MicrosoftTeamsAppClientSecret,
+  MicrosoftTeamsAppTenantId,
 } from "../../../EnvironmentConfig";
 
 // Import services for bot commands
@@ -91,18 +92,25 @@ const MICROSOFT_TEAMS_APP_TYPE: string = "SingleTenant";
 const MICROSOFT_TEAMS_MAX_PAGES: number = 500;
 
 export default class MicrosoftTeamsUtil extends WorkspaceBase {
+  private static cachedAdapter: CloudAdapter | null = null;
   private static readonly WELCOME_CARD_STATE_KEY: string =
     "oneuptime.microsoftTeams.welcomeCardSent";
   // Get or create Bot Framework adapter for a specific tenant
-  private static getBotAdapter(microsoftAppTenantId: string): CloudAdapter {
+  private static getBotAdapter(): CloudAdapter {
+    if (this.cachedAdapter) {
+      return this.cachedAdapter;
+    }
+
     if (!MicrosoftTeamsAppClientId || !MicrosoftTeamsAppClientSecret) {
       throw new BadDataException(
         "Microsoft Teams App credentials not configured",
       );
     }
 
-    if (!microsoftAppTenantId) {
-      throw new BadDataException("Microsoft Teams tenant ID is required");
+    if (!MicrosoftTeamsAppTenantId) {
+      throw new BadDataException(
+        "Microsoft Teams app tenant ID is not configured",
+      );
     }
 
     logger.debug(
@@ -110,18 +118,19 @@ export default class MicrosoftTeamsUtil extends WorkspaceBase {
     );
     logger.debug(`App ID: ${MicrosoftTeamsAppClientId}`);
     logger.debug(`App Type: ${MICROSOFT_TEAMS_APP_TYPE}`);
-    logger.debug(`Tenant ID: ${microsoftAppTenantId}`);
+    logger.debug(`Tenant ID: ${MicrosoftTeamsAppTenantId}`);
 
     const authConfig: ConfigurationBotFrameworkAuthenticationOptions = {
       MicrosoftAppId: MicrosoftTeamsAppClientId,
       MicrosoftAppPassword: MicrosoftTeamsAppClientSecret,
       MicrosoftAppType: MICROSOFT_TEAMS_APP_TYPE,
-      MicrosoftAppTenantId: microsoftAppTenantId,
+      MicrosoftAppTenantId: MicrosoftTeamsAppTenantId,
     };
 
     const botFrameworkAuthentication: ConfigurationBotFrameworkAuthentication =
       new ConfigurationBotFrameworkAuthentication(authConfig);
     const adapter: CloudAdapter = new CloudAdapter(botFrameworkAuthentication);
+    this.cachedAdapter = adapter;
 
     logger.debug("Bot Framework adapter created successfully");
     return adapter;
@@ -1141,7 +1150,7 @@ export default class MicrosoftTeamsUtil extends WorkspaceBase {
       logger.debug(`Using bot ID: ${miscData.botId}`);
 
       // Get Bot Framework adapter
-      const adapter: CloudAdapter = this.getBotAdapter(tenantId);
+      const adapter: CloudAdapter = this.getBotAdapter();
 
       // Create conversation reference for the channel
       const conversationReference: ConversationReference = {
@@ -2564,7 +2573,7 @@ All monitoring checks are passing normally.`;
       }
 
       // Get Bot Framework adapter
-      const adapter: CloudAdapter = this.getBotAdapter(tenantId);
+      const adapter: CloudAdapter = this.getBotAdapter();
 
       // Create custom activity handler class that extends TeamsActivityHandler
       class OneUptimeTeamsActivityHandler extends TeamsActivityHandler {

package/UI/Components/Captcha/Captcha.tsx

@@ -0,0 +1,75 @@
+import HCaptcha from "@hcaptcha/react-hcaptcha";
+import React from "react";
+
+export interface CaptchaProps {
+  siteKey: string;
+  resetSignal?: number | undefined;
+  error?: string | undefined;
+  onTokenChange?: (token: string) => void;
+  onBlur?: (() => void) | undefined;
+  className?: string | undefined;
+}
+
+const Captcha: React.FC<CaptchaProps> = ({
+  siteKey,
+  resetSignal = 0,
+  error,
+  onTokenChange,
+  onBlur,
+  className,
+}: CaptchaProps): JSX.Element => {
+  const captchaRef: React.MutableRefObject<HCaptcha | null> =
+    React.useRef<HCaptcha | null>(null);
+  const onTokenChangeRef: React.MutableRefObject<
+    CaptchaProps["onTokenChange"]
+  > = React.useRef<CaptchaProps["onTokenChange"]>(onTokenChange);
+
+  React.useEffect(() => {
+    onTokenChangeRef.current = onTokenChange;
+  }, [onTokenChange]);
+
+  const handleTokenChange: (token: string | null) => void = React.useCallback(
+    (token: string | null) => {
+      onTokenChangeRef.current?.(token || "");
+    },
+    [],
+  );
+
+  React.useEffect(() => {
+    captchaRef.current?.resetCaptcha();
+    handleTokenChange("");
+  }, [resetSignal, handleTokenChange]);
+
+  if (!siteKey) {
+    return (
+      <div className={className || "text-center text-sm text-red-500"}>
+        Captcha is not configured.
+      </div>
+    );
+  }
+
+  return (
+    <div className={className || "flex flex-col items-center gap-2"}>
+      <HCaptcha
+        sitekey={siteKey}
+        ref={captchaRef}
+        onVerify={(token: string) => {
+          handleTokenChange(token);
+          onBlur?.();
+        }}
+        onExpire={() => {
+          handleTokenChange(null);
+          captchaRef.current?.resetCaptcha();
+          onBlur?.();
+        }}
+        onError={() => {
+          handleTokenChange(null);
+          onBlur?.();
+        }}
+      />
+      {error && <span className="text-sm text-red-500">{error}</span>}
+    </div>
+  );
+};
+
+export default Captcha;

package/UI/Config.ts

@@ -51,6 +51,9 @@ export const IS_ENTERPRISE_EDITION: boolean =
   env("IS_ENTERPRISE_EDITION") === "true";
 export const BILLING_PUBLIC_KEY: string = env("BILLING_PUBLIC_KEY") || "";
 
+export const CAPTCHA_ENABLED: boolean = env("CAPTCHA_ENABLED") === "true";
+export const CAPTCHA_SITE_KEY: string = env("CAPTCHA_SITE_KEY") || "";
+
 // VAPID Configuration for Push Notifications
 export const VAPID_PUBLIC_KEY: string = env("VAPID_PUBLIC_KEY") || "";
 

package/build/dist/Models/DatabaseModels/BillingPaymentMethod.js

@@ -43,7 +43,11 @@ let BillingPaymentMethod = class BillingPaymentMethod extends BaseModel {
 };
 __decorate([
     ColumnAccessControl({
-        create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+        create: [
+            Permission.ProjectOwner,
+            Permission.ManageProjectBilling,
+            Permission.CreateBillingPaymentMethod,
+        ],
         read: [
             Permission.ProjectOwner,
             Permission.ProjectUser,
@@ -73,7 +77,11 @@ __decorate([
 ], BillingPaymentMethod.prototype, "project", void 0);
 __decorate([
     ColumnAccessControl({
-        create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+        create: [
+            Permission.ProjectOwner,
+            Permission.ManageProjectBilling,
+            Permission.CreateBillingPaymentMethod,
+        ],
         read: [
             Permission.ProjectOwner,
             Permission.ProjectAdmin,
@@ -100,7 +108,11 @@ __decorate([
 ], BillingPaymentMethod.prototype, "projectId", void 0);
 __decorate([
     ColumnAccessControl({
-        create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+        create: [
+            Permission.ProjectOwner,
+            Permission.ManageProjectBilling,
+            Permission.CreateBillingPaymentMethod,
+        ],
         read: [
             Permission.ProjectOwner,
             Permission.ProjectAdmin,
@@ -130,7 +142,11 @@ __decorate([
 ], BillingPaymentMethod.prototype, "createdByUser", void 0);
 __decorate([
     ColumnAccessControl({
-        create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+        create: [
+            Permission.ProjectOwner,
+            Permission.ManageProjectBilling,
+            Permission.CreateBillingPaymentMethod,
+        ],
         read: [
             Permission.ProjectOwner,
             Permission.ProjectAdmin,
@@ -209,7 +225,11 @@ __decorate([
 ], BillingPaymentMethod.prototype, "deletedByUserId", void 0);
 __decorate([
     ColumnAccessControl({
-        create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+        create: [
+            Permission.ProjectOwner,
+            Permission.ManageProjectBilling,
+            Permission.CreateBillingPaymentMethod,
+        ],
         read: [
             Permission.ProjectOwner,
             Permission.ProjectAdmin,
@@ -272,7 +292,11 @@ __decorate([
 ], BillingPaymentMethod.prototype, "paymentProviderCustomerId", void 0);
 __decorate([
     ColumnAccessControl({
-        create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+        create: [
+            Permission.ProjectOwner,
+            Permission.ManageProjectBilling,
+            Permission.CreateBillingPaymentMethod,
+        ],
         read: [
             Permission.ProjectOwner,
             Permission.ProjectAdmin,
@@ -293,7 +317,11 @@ __decorate([
 ], BillingPaymentMethod.prototype, "last4Digits", void 0);
 __decorate([
     ColumnAccessControl({
-        create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+        create: [
+            Permission.ProjectOwner,
+            Permission.ManageProjectBilling,
+            Permission.CreateBillingPaymentMethod,
+        ],
         read: [
             Permission.ProjectOwner,
             Permission.ProjectAdmin,
@@ -315,7 +343,11 @@ BillingPaymentMethod = __decorate([
     AllowAccessIfSubscriptionIsUnpaid(),
     TenantColumn("projectId"),
     TableAccessControl({
-        create: [Permission.ProjectOwner, Permission.CreateBillingPaymentMethod],
+        create: [
+            Permission.ProjectOwner,
+            Permission.ManageProjectBilling,
+            Permission.CreateBillingPaymentMethod,
+        ],
         read: [
             Permission.ProjectOwner,
             Permission.ProjectUser,
@@ -323,7 +355,11 @@ BillingPaymentMethod = __decorate([
             Permission.ProjectMember,
             Permission.ReadBillingPaymentMethod,
         ],
-        delete: [Permission.ProjectOwner, Permission.DeleteBillingPaymentMethod],
+        delete: [
+            Permission.ProjectOwner,
+            Permission.ManageProjectBilling,
+            Permission.DeleteBillingPaymentMethod,
+        ],
         update: [],
     }),
     CrudApiEndpoint(new Route("/billing-payment-methods")),