fixed org ref setting

api/server/internal/server/accountapiimp/signup.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/tech/sendico/pkg/api/http/response"
+	"github.com/tech/sendico/pkg/db/storable"
 	"github.com/tech/sendico/pkg/merrors"
 	"github.com/tech/sendico/pkg/model"
 	"github.com/tech/sendico/pkg/mservice"
@@ -31,10 +32,19 @@ func (a *AccountAPI) createOrg(ctx context.Context, sr *srequest.Signup, permiss
 		return nil, merrors.DataConflict(fmt.Sprintf("invalid time zone '%s' provided, error %s", sr.OrganizationTimeZone, err.Error()))
 	}
 
+	// explicitly set org ref for permission related checks as unprotected template implementation
+	// is not aware of permisssions and won't set org
+	orgRef := primitive.NewObjectID()
 	org := &model.Organization{
 		OrganizationBase: model.OrganizationBase{
 			PermissionBound: model.PermissionBound{
+				Base: storable.Base{
+					ID: orgRef,
+				},
 				PermissionRef: permissionRef,
+				OrganizationBoundBase: model.OrganizationBoundBase{
+					OrganizationRef: orgRef,
+				},
 			},
 			Describable: model.Describable{
 				Name:        name,
@@ -48,11 +58,6 @@ func (a *AccountAPI) createOrg(ctx context.Context, sr *srequest.Signup, permiss
 		a.logger.Warn("Failed to create organization", zap.Error(err))
 		return nil, err
 	}
-	org.OrganizationRef = org.ID
-	if err := a.odb.Unprotected().Update(ctx, org); err != nil {
-		a.logger.Warn("Failed to update organization reference", zap.Error(err))
-		return nil, err
-	}
 
 	return org, nil
 }