From 3bf6b8c6c94b718ec2c1f6862c0c709afc0c1f1a Mon Sep 17 00:00:00 2001
From: olsch01 <olson2cm@icloud.com>
Date: Sun, 8 Mar 2026 19:49:23 -0400
Subject: [PATCH] fix: update password when adding existing user to new org

When an existing user was added to a new organization via the member
management UI, the password entered in the form was silently ignored.
This caused the user to be unable to log in with the password they
were given, since the hash in the database was from their original
account creation for a different org.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .../src/modules/organizations/organizations.service.ts    | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/backend/src/modules/organizations/organizations.service.ts b/backend/src/modules/organizations/organizations.service.ts
index e690bbe..0afff92 100644
--- a/backend/src/modules/organizations/organizations.service.ts
+++ b/backend/src/modules/organizations/organizations.service.ts
@@ -153,6 +153,14 @@ export class OrganizationsService {
         existing.role = data.role;
         return this.userOrgRepository.save(existing);
       }
+      // Update password for existing user being added to a new org
+      if (data.password) {
+        const passwordHash = await bcrypt.hash(data.password, 12);
+        await dataSource.query(
+          `UPDATE shared.users SET password_hash = $1 WHERE id = $2`,
+          [passwordHash, userId],
+        );
+      }
     } else {
       // Create new user
       const passwordHash = await bcrypt.hash(data.password, 12);