add invoice copy to openapi client

update and invalid email

app/Actions/Jetstream/CreateOrganization.php

@@ -9,6 +9,7 @@ use App\Models\Organization;
 use App\Models\User;
 use App\Service\IpLookup\IpLookupServiceContract;
 use App\Service\OrganizationService;
+use App\Service\UserService;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Validator;
@@ -50,10 +51,8 @@ class CreateOrganization implements CreatesTeams
             $currency
         );
 
-        $user->switchTeam($organization);
+        app(UserService::class)->switchCurrentOrganization($user, $organization);
 
-        // Note: The refresh is necessary for currently unknown reasons. Do not remove it.
-        $organization = $organization->refresh();
         AfterCreateOrganization::dispatch($organization);
 
         return $organization;

app/Console/Commands/Admin/UserCreateCommand.php

@@ -69,7 +69,7 @@ class UserCreateCommand extends Command
             );
         });
         /** @var Organization|null $organization */
-        $organization = $user->ownedTeams->first();
+        $organization = $user->ownedOrganizations->first();
         if ($organization === null) {
             throw new LogicException('User does not have an organization');
         }

app/Filament/Resources/OrganizationResource/RelationManagers/InvitationsRelationManager.php

@@ -21,7 +21,7 @@ use Illuminate\Validation\Rule;
 
 class InvitationsRelationManager extends RelationManager
 {
-    protected static string $relationship = 'teamInvitations';
+    protected static string $relationship = 'organizationInvitations';
 
     protected static ?string $title = 'Invitations';
 

app/Filament/Resources/UserResource.php

@@ -12,6 +12,7 @@ use App\Filament\Resources\UserResource\RelationManagers\OwnedOrganizationsRelat
 use App\Models\User;
 use App\Service\DeletionService;
 use App\Service\TimezoneService;
+use App\Service\UserService;
 use Brick\Money\ISOCurrencyProvider;
 use Exception;
 use Filament\Forms;
@@ -179,7 +180,7 @@ class UserResource extends Resource
             ])
             ->actions([
                 Impersonate::make()->before(function (User $record): void {
-                    if ($record->currentTeam === null) {
+                    if ($record->currentOrganization === null) {
                         $organization = $record->organizations()->where('personal_team', '=', true)->first();
                         if ($organization === null) {
                             $organization = $record->organizations()->first();
@@ -187,8 +188,7 @@ class UserResource extends Resource
                         if ($organization === null) {
                             throw new Exception('User has no organization');
                         }
-                        $record->currentTeam()->associate($organization);
-                        $record->save();
+                        app(UserService::class)->switchCurrentOrganization($record, $organization);
                     }
                 }),
                 Tables\Actions\EditAction::make(),

app/Filament/Resources/UserResource/RelationManagers/OwnedOrganizationsRelationManager.php

@@ -16,7 +16,7 @@ class OwnedOrganizationsRelationManager extends RelationManager
 {
     protected static ?string $title = 'Owned Organizations';
 
-    protected static string $relationship = 'ownedTeams';
+    protected static string $relationship = 'ownedOrganizations';
 
     public function form(Form $form): Form
     {

app/Http/Controllers/Api/V1/InvitationController.php

@@ -40,7 +40,7 @@ class InvitationController extends Controller
     {
         $this->checkPermission($organization, 'invitations:view');
 
-        $invitations = $organization->teamInvitations()
+        $invitations = $organization->organizationInvitations()
             ->orderBy('created_at', 'desc')
             ->paginate(config('app.pagination_per_page_default'));
 

app/Http/Controllers/Api/V1/OrganizationController.php

@@ -14,6 +14,7 @@ use App\Service\BillableRateService;
 use App\Service\DeletionService;
 use App\Service\IpLookup\IpLookupServiceContract;
 use App\Service\OrganizationService;
+use App\Service\UserService;
 use Illuminate\Auth\Access\AuthorizationException;
 use Illuminate\Http\JsonResponse;
 
@@ -106,10 +107,8 @@ class OrganizationController extends Controller
             $currency
         );
 
-        $user->switchTeam($organization);
+        app(UserService::class)->switchCurrentOrganization($user, $organization);
 
-        // Note: The refresh is necessary for currently unknown reasons. Do not remove it.
-        $organization = $organization->refresh();
         AfterCreateOrganization::dispatch($organization);
 
         return new OrganizationResource($organization, true);

app/Http/Controllers/Api/V1/UserController.php

@@ -49,18 +49,23 @@ class UserController extends Controller
             throw new AuthorizationException;
         }
 
-        if ($request->getPhoto() !== null) {
-            $photo = Base64File::decode($request->getPhoto());
-            assert($photo !== null);
-            $extension = Base64File::extension($photo['mime_type']);
-            assert($extension !== null);
-
-            $previousPhotoPath = $user->profile_photo_path;
-            $photoPath = 'profile-photos/'.Str::uuid().'.'.$extension;
+        if ($request->hasPhotoKey()) {
             $photoDisk = (string) config('jetstream.profile_photo_disk', 'public');
+            $previousPhotoPath = $user->profile_photo_path;
+            $newPhoto = $request->getPhoto();
 
-            Storage::disk($photoDisk)->put($photoPath, $photo['data'], 'public');
-            $user->profile_photo_path = $photoPath;
+            if ($newPhoto === null) {
+                $user->profile_photo_path = null;
+            } else {
+                $decoded = Base64File::decode($newPhoto);
+                assert($decoded !== null);
+                $extension = Base64File::extension($decoded['mime_type']);
+                assert($extension !== null);
+
+                $photoPath = 'profile-photos/'.Str::uuid().'.'.$extension;
+                Storage::disk($photoDisk)->put($photoPath, $decoded['data'], 'public');
+                $user->profile_photo_path = $photoPath;
+            }
 
             if ($previousPhotoPath !== null) {
                 Storage::disk($photoDisk)->delete($previousPhotoPath);
@@ -95,6 +100,27 @@ class UserController extends Controller
         return new UserResource($user);
     }
 
+    /**
+     * Reset the pending email for a user.
+     *
+     * This endpoint is independent of the organization.
+     *
+     * @operationId resetUserPendingEmail
+     *
+     * @throws AuthorizationException Thrown when the authenticated user does not match the user whose email is pending verification.
+     */
+    public function resetPendingEmail(User $user): JsonResponse
+    {
+        if ($user->getKey() !== $this->user()->getKey()) {
+            throw new AuthorizationException;
+        }
+
+        $user->pending_email = null;
+        $user->save();
+
+        return response()->json(null, 204);
+    }
+
     /**
      * Resend the pending email update verification email.
      *

app/Http/Controllers/Controller.php

@@ -59,7 +59,7 @@ class Controller extends BaseController
     protected function currentOrganization(): Organization
     {
         $user = $this->user();
-        $organization = $user->currentTeam;
+        $organization = $user->currentOrganization;
         if ($organization === null) {
             $organization = $user->organizations()->first();
         }

app/Http/Controllers/Web/UserController.php

@@ -36,10 +36,9 @@ class UserController extends Controller
             ->exists();
 
         if ($emailAlreadyInUse) {
-            return redirect(route('dashboard', [
-                'bannerStyle' => 'danger',
-                'bannerText' => __('The email address is already in use.'),
-            ]));
+            return redirect(route('dashboard'))
+                ->with('bannerStyle', 'danger')
+                ->with('bannerText', __('The email address is already in use.'));
         }
 
         $user->email = $email;
@@ -47,9 +46,8 @@ class UserController extends Controller
         $user->email_verified_at = Carbon::now();
         $user->save();
 
-        return redirect(route('dashboard', [
-            'bannerStyle' => 'success',
-            'bannerText' => __('Your email address has been updated successfully.'),
-        ]));
+        return redirect(route('dashboard'))
+            ->with('bannerStyle', 'success')
+            ->with('bannerText', __('Your email address has been updated successfully.'));
     }
 }

app/Http/Middleware/HandleInertiaRequests.php

@@ -46,7 +46,7 @@ class HandleInertiaRequests extends Middleware
         /** @var BillingContract $billing */
         $billing = app(BillingContract::class);
 
-        $currentOrganization = $request->user()?->currentTeam;
+        $currentOrganization = $request->user()?->currentOrganization;
 
         return array_merge(parent::share($request), [
             'has_billing_extension' => $hasBilling,

app/Http/Requests/V1/User/UserUpdateRequest.php

@@ -81,8 +81,15 @@ class UserUpdateRequest extends BaseFormRequest
         return $this->has('week_start') ? Weekday::from($this->input('week_start')) : null;
     }
 
+    public function hasPhotoKey(): bool
+    {
+        return $this->has('photo');
+    }
+
     public function getPhoto(): ?string
     {
-        return $this->has('photo') ? (string) $this->input('photo') : null;
+        $value = $this->input('photo');
+
+        return is_string($value) ? $value : null;
     }
 }

app/Http/Resources/V1/User/UserResource.php

@@ -28,6 +28,8 @@ class UserResource extends BaseResource
             'name' => $this->resource->name,
             /** @var string $email Email of user */
             'email' => $this->resource->email,
+            /** @var string|null $pending_email Email address awaiting verification (set when the user has requested an email change but not yet verified the new address) */
+            'pending_email' => $this->resource->pending_email,
             /** @var string $profile_photo_url Profile photo URL */
             'profile_photo_url' => $this->resource->profile_photo_url,
             /** @var string $timezone Timezone (f.e. Europe/Berlin or America/New_York) */

app/Models/Organization.php

@@ -43,7 +43,7 @@ use OwenIt\Auditing\Contracts\Auditable as AuditableContract;
  * @property Carbon|null $updated_at
  * @property Collection<int, User> $users
  * @property Collection<int, User> $realUsers
- * @property-read Collection<int, OrganizationInvitation> $teamInvitations
+ * @property-read Collection<int, OrganizationInvitation> $organizationInvitations
  * @property Member $membership
  * @property NumberFormat $number_format
  * @property CurrencyFormat $currency_format
@@ -51,7 +51,6 @@ use OwenIt\Auditing\Contracts\Auditable as AuditableContract;
  * @property IntervalFormat $interval_format
  * @property TimeFormat $time_format
  *
- * @method HasMany<OrganizationInvitation, $this> teamInvitations()
  * @method static OrganizationFactory factory()
  */
 class Organization extends JetstreamTeam implements AuditableContract
@@ -111,23 +110,6 @@ class Organization extends JetstreamTeam implements AuditableContract
     protected $attributes = [
     ];
 
-    /**
-     * Get all the non-placeholder users of the organization including its owner.
-     *
-     * @return Collection<int, User>
-     */
-    public function allRealUsers(): Collection
-    {
-        return $this->realUsers->merge([$this->owner]);
-    }
-
-    public function hasRealUserWithEmail(string $email): bool
-    {
-        return $this->allRealUsers()->contains(function (User $user) use ($email): bool {
-            return $user->email === $email;
-        });
-    }
-
     /**
      * Get all the users that belong to the team.
      *
@@ -172,6 +154,14 @@ class Organization extends JetstreamTeam implements AuditableContract
             ->where('is_placeholder', false);
     }
 
+    /**
+     * @return HasMany<OrganizationInvitation, $this>
+     */
+    public function organizationInvitations(): HasMany
+    {
+        return $this->hasMany(OrganizationInvitation::class, 'organization_id');
+    }
+
     /**
      * This method prevents an unhandled exception when the ID is not a UUID.
      * Normally this can be fixed with a route pattern, but Jetstream does not use route model binding.

app/Models/User.php

@@ -4,6 +4,7 @@ declare(strict_types=1);
 
 namespace App\Models;
 
+use App\Enums\Role;
 use App\Enums\Weekday;
 use App\Models\Concerns\CustomAuditable;
 use App\Models\Concerns\HasUuids;
@@ -52,6 +53,7 @@ use OwenIt\Auditing\Contracts\Auditable as AuditableContract;
  * @property Carbon|null $updated_at
  * @property string|null $current_team_id
  * @property Collection<int, Organization> $organizations
+ * @property Collection<int, Organization> $ownedOrganizations
  * @property Collection<int, TimeEntry> $timeEntries
  * @property Member $membership
  *
@@ -131,16 +133,39 @@ class User extends Authenticatable implements AuditableContract, FilamentUser, M
     {
         return Attribute::get(function (): string {
             return $this->profile_photo_path
-                ? Storage::disk($this->profilePhotoDisk())->url($this->profile_photo_path)
+                ? Storage::disk(config('filesystems.public'))->url($this->profile_photo_path)
                 : $this->defaultProfilePhotoUrl();
         });
     }
 
+    /**
+     * Get the default profile photo URL if no profile photo has been uploaded.
+     */
+    protected function defaultProfilePhotoUrl(): string
+    {
+        $name = trim(collect(explode(' ', $this->name))->map(function ($segment) {
+            return mb_substr($segment, 0, 1);
+        })->join(' '));
+
+        return 'https://ui-avatars.com/api/?name='.urlencode($name).'&color=7F9CF5&background=EBF4FF';
+    }
+
     public function canAccessPanel(Panel $panel): bool
     {
         return in_array($this->email, config('auth.super_admins', []), true) && $this->hasVerifiedEmail();
     }
 
+    public function isMemberOfOrganization(Organization $organization): bool
+    {
+        if ($this->relationLoaded('organizations')) {
+            return $this->organizations->contains(function (Organization $o) use ($organization): bool {
+                return $o->getKey() === $organization->getKey();
+            });
+        }
+
+        return $this->organizations()->whereKey($organization->getKey())->exists();
+    }
+
     public function canBeImpersonated(): bool
     {
         return $this->is_placeholder === false;
@@ -161,6 +186,14 @@ class User extends Authenticatable implements AuditableContract, FilamentUser, M
             ->as('membership');
     }
 
+    /**
+     * @return BelongsToMany<Organization, $this, Pivot, 'membership'>
+     */
+    public function ownedOrganizations(): BelongsToMany
+    {
+        return $this->organizations()->wherePivot('role', Role::Owner->value);
+    }
+
     /**
      * @return HasMany<TimeEntry, $this>
      */
@@ -215,12 +248,8 @@ class User extends Authenticatable implements AuditableContract, FilamentUser, M
      */
     public function scopeBelongsToOrganization(Builder $builder, Organization $organization): Builder
     {
-        return $builder->where(function (Builder $builder) use ($organization): Builder {
-            return $builder->whereHas('organizations', function (Builder $query) use ($organization): void {
-                $query->whereKey($organization->getKey());
-            })->orWhereHas('ownedTeams', function (Builder $query) use ($organization): void {
-                $query->whereKey($organization->getKey());
-            });
+        return $builder->whereHas('organizations', function (Builder $query) use ($organization): void {
+            $query->whereKey($organization->getKey());
         });
     }
 }

app/Policies/OrganizationPolicy.php

@@ -35,7 +35,7 @@ class OrganizationPolicy
             return true;
         }
 
-        return $user->belongsToTeam($organization);
+        return $user->isMemberOfOrganization($organization);
     }
 
     /**
@@ -97,6 +97,6 @@ class OrganizationPolicy
             return true;
         }
 
-        return $user->ownsTeam($organization);
+        return app(PermissionStore::class)->userHas($organization, $user, 'organizations:delete');
     }
 }

app/Rules/Base64ImageRule.php

@@ -16,6 +16,8 @@ class Base64ImageRule implements ValidationRule
         'image/png',
     ];
 
+    private const int MAX_BYTES = 1024 * 1024;
+
     /**
      * Run the validation rule.
      *
@@ -32,6 +34,12 @@ class Base64ImageRule implements ValidationRule
         $file = Base64File::decode($value);
         if ($file === null || ! in_array($file['mime_type'], self::ALLOWED_MIME_TYPES, true)) {
             $fail(__('validation.mimes', ['values' => 'jpg, png']));
+
+            return;
+        }
+
+        if (strlen($file['data']) > self::MAX_BYTES) {
+            $fail(__('validation.max.file', ['max' => (string) (self::MAX_BYTES / 1024)]));
         }
     }
 }

app/Service/DeletionService.php

@@ -173,7 +173,7 @@ class DeletionService
         $user->authCodes()->delete();
 
         // Note: Since the deletion of the profile photo is not reversible via a database rollback this needs to be done last
-        $user->deleteProfilePhoto();
+        $this->userService->deleteProfilePhoto($user);
 
         $user->delete();
 

app/Service/MemberService.php

@@ -97,7 +97,7 @@ class MemberService
         $isPlaceholder = $user->is_placeholder;
 
         if (! $isPlaceholder && $user->current_team_id === $member->organization_id) {
-            $user->currentTeam()->disassociate();
+            $user->currentOrganization()->disassociate();
             $user->save();
         }
 
@@ -216,7 +216,7 @@ class MemberService
     {
         $user = $member->user;
         if ($user->current_team_id === $member->organization_id) {
-            $user->currentTeam()->disassociate();
+            $user->currentOrganization()->disassociate();
             $user->save();
         }
 

app/Service/PermissionStore.php

@@ -291,7 +291,7 @@ class PermissionStore
     public function userHas(Organization $organization, User $user, string $permission): bool
     {
         if (! isset($this->permissionCache[$user->getKey().'|'.$organization->getKey()])) {
-            if (! $user->belongsToTeam($organization)) {
+            if (! $user->isMemberOfOrganization($organization)) {
                 return false;
             }
 
@@ -309,7 +309,7 @@ class PermissionStore
      */
     private function getPermissionsByUser(Organization $organization, User $user): array
     {
-        if (! $user->belongsToTeam($organization)) {
+        if (! $user->isMemberOfOrganization($organization)) {
             return [];
         }
 

app/Service/UserService.php

@@ -19,6 +19,7 @@ use App\Models\TimeEntry;
 use App\Models\User;
 use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Hash;
+use Illuminate\Support\Facades\Storage;
 
 class UserService
 {
@@ -61,7 +62,6 @@ class UserService
                 $intervalFormat,
                 $timeFormat,
             );
-            $user->ownedTeams()->save($organization);
         }
 
         return $user;
@@ -103,13 +103,17 @@ class UserService
             true
         );
 
-        // Set the organization as the user's current organization
-        $user->currentOrganization()->associate($organization);
-        $user->save();
+        $this->switchCurrentOrganization($user, $organization);
 
         AfterCreateOrganization::dispatch($organization);
     }
 
+    public function switchCurrentOrganization(User $user, Organization $organization): void
+    {
+        $user->currentOrganization()->associate($organization);
+        $user->save();
+    }
+
     public function getOrganizationNameForUserName(string $username): string
     {
         return explode(' ', $username, 2)[0]."'s Organization";
@@ -157,4 +161,16 @@ class UserService
             $oldOwner->save();
         }
     }
+
+    public function deleteProfilePhoto(User $user): void
+    {
+        if ($user->profile_photo_path === null) {
+            return;
+        }
+
+        Storage::disk(config('filesystems.public'))->delete($user->profile_photo_path);
+
+        $user->profile_photo_path = null;
+        $user->save();
+    }
 }

database/factories/UserFactory.php

@@ -28,6 +28,7 @@ class UserFactory extends Factory
         return [
             'name' => $this->faker->name(),
             'email' => $this->faker->unique()->safeEmail(),
+            'pending_email' => null,
             'email_verified_at' => now(),
             'password' => '$2y$10$92IXUNpkjO0rOQ5byMi.Ye4oKoEa3Ro9llC/.og/at2.uheWG/igi', // password
             'two_factor_secret' => null,
@@ -119,7 +120,7 @@ class UserFactory extends Factory
 
             $organization->owner()->associate($user);
             $organization->users()->attach($user, ['role' => Role::Owner->value]);
-            $user->currentTeam()->associate($organization);
+            $user->currentOrganization()->associate($organization);
             $user->save();
         });
     }

e2e/profile.spec.ts

@@ -1,30 +1,374 @@
 import { test, expect } from '../playwright/fixtures';
 import { PLAYWRIGHT_BASE_URL, TEST_USER_PASSWORD } from '../playwright/config';
+import {
+    countEmailsWithSubject,
+    getEmailChangeVerificationUrl,
+    waitForEmailCount,
+} from './utils/mailpit';
+import { getCurrentUserViaApi } from './utils/api';
+import { registerUser } from './utils/members';
 import type { Page } from '@playwright/test';
+import path from 'path';
 
 async function goToProfilePage(page: Page) {
     await page.goto(PLAYWRIGHT_BASE_URL + '/user/profile');
 }
 
-test('test that user name can be updated', async ({ page }) => {
-    await page.goto(PLAYWRIGHT_BASE_URL + '/user/profile');
+function profileInformationForm(page: Page) {
+    return page
+        .getByRole('heading', { name: 'Profile Information', exact: true })
+        .locator('xpath=ancestor::*[descendant::form][1]');
+}
+
+async function saveProfileForm(page: Page): Promise<void> {
+    const form = profileInformationForm(page);
+    await form.getByRole('button', { name: 'Save' }).click();
+    await expect(form.getByText('Saved.', { exact: true })).toBeVisible();
+}
+
+test('user name can be updated', async ({ page }) => {
+    await goToProfilePage(page);
     await page.getByLabel('Name', { exact: true }).fill('NEW NAME');
-    await Promise.all([
-        page.getByRole('button', { name: 'Save' }).first().click(),
-        page.waitForResponse('**/user/profile-information'),
-    ]);
+    await saveProfileForm(page);
     await page.reload();
     await expect(page.getByLabel('Name', { exact: true })).toHaveValue('NEW NAME');
 });
 
-test.skip('test that user email can be updated', async ({ page }) => {
-    // this does not work because of email verification currently
-    await page.goto(PLAYWRIGHT_BASE_URL + '/user/profile');
-    const emailId = Math.round(Math.random() * 10000);
-    await page.getByLabel('Email').fill(`newemail+${emailId}@test.com`);
-    await page.getByRole('button', { name: 'Save' }).first().click();
+test('timezone change persists across reload', async ({ page }) => {
+    await goToProfilePage(page);
+    await page.getByLabel('Timezone').selectOption('America/New_York');
+    await saveProfileForm(page);
     await page.reload();
-    await expect(page.getByLabel('Email')).toHaveValue(`newemail+${emailId}@test.com`);
+    await expect(page.getByLabel('Timezone')).toHaveValue('America/New_York');
+});
+
+test('week-start change persists across reload', async ({ page }) => {
+    await goToProfilePage(page);
+    await page.getByLabel('Start of the week').selectOption('sunday');
+    await saveProfileForm(page);
+    await page.reload();
+    await expect(page.getByLabel('Start of the week')).toHaveValue('sunday');
+});
+
+test('profile photo can be uploaded, persists across reload, and can be removed', async ({
+    page,
+}) => {
+    await goToProfilePage(page);
+    const form = profileInformationForm(page);
+    const profilePhoto = form.getByRole('img', { name: 'John Doe' });
+
+    await expect(profilePhoto).toBeVisible();
+    await expect(profilePhoto).toHaveAttribute('src', /ui-avatars\.com/);
+    await expect(form.getByRole('button', { name: 'Remove Photo' })).toBeHidden();
+
+    await form.locator('#photo').setInputFiles(path.resolve('resources/testfiles/test.png'));
+    await saveProfileForm(page);
+    await expect(profilePhoto).toHaveAttribute('src', /profile-photos/);
+    await expect(form.getByRole('button', { name: 'Remove Photo' })).toBeVisible();
+
+    await page.reload();
+    const reloadedForm = profileInformationForm(page);
+    const reloadedProfilePhoto = reloadedForm.getByRole('img', { name: 'John Doe' });
+    await expect(reloadedProfilePhoto).toHaveAttribute('src', /profile-photos/);
+
+    await Promise.all([
+        page.waitForResponse(
+            (response) =>
+                response.url().includes('/api/v1/users/') &&
+                response.request().method() === 'PUT' &&
+                response.status() === 200
+        ),
+        reloadedForm.getByRole('button', { name: 'Remove Photo' }).click(),
+    ]);
+    await expect(reloadedProfilePhoto).toHaveAttribute('src', /ui-avatars\.com/);
+    await expect(reloadedForm.getByRole('button', { name: 'Remove Photo' })).toBeHidden();
+
+    await page.reload();
+    const finalForm = profileInformationForm(page);
+    await expect(finalForm.getByRole('img', { name: 'John Doe' })).toHaveAttribute(
+        'src',
+        /ui-avatars\.com/
+    );
+    await expect(finalForm.getByRole('button', { name: 'Remove Photo' })).toBeHidden();
+});
+
+test('field-level validation errors render inline when the server returns 422', async ({
+    page,
+}) => {
+    await goToProfilePage(page);
+    const form = profileInformationForm(page);
+    await form.getByLabel('Name').fill('a'.repeat(256));
+    await Promise.all([
+        page.waitForResponse(
+            (response) =>
+                response.url().includes('/api/v1/users/') &&
+                response.request().method() === 'PUT' &&
+                response.status() === 422
+        ),
+        form.getByRole('button', { name: 'Save' }).click(),
+    ]);
+    await expect(form.getByRole('alert').filter({ hasText: /255 characters/i })).toBeVisible();
+});
+
+test('submitting a new email keeps the current email displayed after reload', async ({
+    page,
+    ctx,
+}) => {
+    const { email: oldEmail } = await getCurrentUserViaApi(ctx);
+    const newEmail = `newemail+${Date.now()}@test.com`;
+
+    await goToProfilePage(page);
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+    await page.reload();
+
+    await expect(page.getByLabel('Email')).toHaveValue(oldEmail);
+});
+
+test('submitting a new email sends a verification email to the new address', async ({
+    page,
+    request,
+}) => {
+    await goToProfilePage(page);
+    const newEmail = `newemail+${Date.now()}@test.com`;
+
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+
+    expect(await waitForEmailCount(request, newEmail, 'Verify Email Address', 1)).toBeGreaterThan(
+        0
+    );
+});
+
+test('mixed-case email is lower-cased before the verification mail is sent', async ({
+    page,
+    request,
+}) => {
+    await goToProfilePage(page);
+    const stamp = Date.now();
+    const mixedCase = `MixedCase+${stamp}@Example.COM`;
+    const lowerCased = `mixedcase+${stamp}@example.com`;
+
+    await page.getByLabel('Email').fill(mixedCase);
+    await saveProfileForm(page);
+
+    const verifyUrl = await getEmailChangeVerificationUrl(request, lowerCased);
+    expect(new URL(verifyUrl).searchParams.get('email')).toBe(lowerCased);
+});
+
+test('re-submitting the current email does not send a verification email', async ({
+    page,
+    ctx,
+    request,
+}) => {
+    const { email: currentEmail } = await getCurrentUserViaApi(ctx);
+    const beforeCount = await countEmailsWithSubject(request, currentEmail, 'Verify Email Address');
+
+    await goToProfilePage(page);
+    await page.getByLabel('Email').fill(currentEmail);
+    await saveProfileForm(page);
+
+    await new Promise((r) => setTimeout(r, 1000));
+    const afterCount = await countEmailsWithSubject(request, currentEmail, 'Verify Email Address');
+    expect(afterCount).toBe(beforeCount);
+});
+
+test('after submitting a new email the pending-email banner is shown with a resend button', async ({
+    page,
+}) => {
+    await goToProfilePage(page);
+    const newEmail = `pending+${Date.now()}@test.com`;
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+
+    await expect(page.getByText(`A verification link was sent to`)).toBeVisible();
+    await expect(page.getByText(newEmail)).toBeVisible();
+    await expect(page.getByRole('button', { name: 'Resend verification email' })).toBeVisible();
+});
+
+test('clicking resend sends a second verification email and shows confirmation', async ({
+    page,
+    request,
+}) => {
+    await goToProfilePage(page);
+    const newEmail = `resend+${Date.now()}@test.com`;
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+
+    const beforeCount = await waitForEmailCount(request, newEmail, 'Verify Email Address', 1);
+    await page.getByRole('button', { name: 'Resend verification email' }).click();
+
+    await expect(page.getByText('Verification email sent.')).toBeVisible();
+    const afterCount = await waitForEmailCount(
+        request,
+        newEmail,
+        'Verify Email Address',
+        beforeCount + 1
+    );
+    expect(afterCount).toBeGreaterThan(beforeCount);
+});
+
+test('cancelling a pending email change clears it and hides the banner', async ({ page, ctx }) => {
+    const { email: currentEmail } = await getCurrentUserViaApi(ctx);
+    const newEmail = `cancel+${Date.now()}@test.com`;
+
+    await goToProfilePage(page);
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+
+    // The pending-email banner is shown with the cancel control.
+    await expect(page.getByText('A verification link was sent to')).toBeVisible();
+    await expect(page.getByText(newEmail)).toBeVisible();
+    const cancelButton = page.getByRole('button', { name: 'Cancel email change' });
+    await expect(cancelButton).toBeVisible();
+
+    // Cancelling clears the pending email server-side (204).
+    await Promise.all([
+        page.waitForResponse(
+            (response) =>
+                response.url().includes('/reset-pending-email') &&
+                response.request().method() === 'POST' &&
+                response.status() === 204
+        ),
+        cancelButton.click(),
+    ]);
+
+    // The banner disappears and the email field still shows the current address.
+    await expect(page.getByText('A verification link was sent to')).toBeHidden();
+    await expect(page.getByLabel('Email')).toHaveValue(currentEmail);
+
+    // The cancellation is persistent — still gone after a reload.
+    await page.reload();
+    await expect(page.getByText('A verification link was sent to')).toBeHidden();
+    await expect(page.getByLabel('Email')).toHaveValue(currentEmail);
+});
+
+test('re-submitting the same pending email does not send another verification email', async ({
+    page,
+    request,
+}) => {
+    await goToProfilePage(page);
+    const newEmail = `dup+${Date.now()}@test.com`;
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+    const beforeCount = await waitForEmailCount(request, newEmail, 'Verify Email Address', 1);
+
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+
+    await new Promise((r) => setTimeout(r, 1000));
+    const afterCount = await countEmailsWithSubject(request, newEmail, 'Verify Email Address');
+    expect(afterCount).toBe(beforeCount);
+});
+
+test('clicking the verification link swaps the email and shows a success banner', async ({
+    page,
+}) => {
+    await goToProfilePage(page);
+    const newEmail = `verify+${Date.now()}@test.com`;
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+    const verifyUrl = await getEmailChangeVerificationUrl(page.request, newEmail);
+
+    await page.goto(verifyUrl);
+    await page.waitForURL(/\/dashboard/);
+
+    const banner = page.getByTestId('banner');
+    await expect(banner).toBeVisible();
+    await expect(banner).toContainText('Your email address has been updated successfully.');
+
+    await goToProfilePage(page);
+    await expect(page.getByLabel('Email')).toHaveValue(newEmail);
+});
+
+test('visiting another user’s verification link is forbidden', async ({ page, browser }) => {
+    await goToProfilePage(page);
+    const newEmail = `victim+${Date.now()}@test.com`;
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+    const verifyUrl = await getEmailChangeVerificationUrl(page.request, newEmail);
+
+    const other = await registerUser(browser, 'Other User', `other+${Date.now()}@test.com`);
+    try {
+        const response = await other.page.goto(verifyUrl);
+        expect(response?.status()).toBe(403);
+    } finally {
+        await other.close();
+    }
+});
+
+test('a stale verification link from a previous submission is rejected', async ({ page }) => {
+    await goToProfilePage(page);
+    const stamp = Date.now();
+    const olderEmail = `older+${stamp}@test.com`;
+    const newerEmail = `newer+${stamp}@test.com`;
+
+    await page.getByLabel('Email').fill(olderEmail);
+    await saveProfileForm(page);
+    const staleUrl = await getEmailChangeVerificationUrl(page.request, olderEmail);
+
+    await page.getByLabel('Email').fill(newerEmail);
+    await saveProfileForm(page);
+
+    const response = await page.goto(staleUrl);
+    expect(response?.status()).toBe(403);
+});
+
+test('visiting the verification link while logged out redirects to login', async ({
+    page,
+    browser,
+}) => {
+    await goToProfilePage(page);
+    const newEmail = `loggedout+${Date.now()}@test.com`;
+    await page.getByLabel('Email').fill(newEmail);
+    await saveProfileForm(page);
+    const verifyUrl = await getEmailChangeVerificationUrl(page.request, newEmail);
+
+    const anonContext = await browser.newContext();
+    try {
+        const anonPage = await anonContext.newPage();
+        await anonPage.goto(verifyUrl);
+        await anonPage.waitForURL(/\/login/);
+    } finally {
+        await anonContext.close();
+    }
+});
+
+test('delete account shows an error when the password is wrong', async ({ page }) => {
+    await goToProfilePage(page);
+    await page.getByRole('button', { name: 'Delete Account' }).click();
+    const dialog = page.getByRole('dialog');
+    await dialog.getByPlaceholder('Password').fill('not-the-real-password');
+    await Promise.all([
+        page.waitForResponse(
+            (response) =>
+                response.url().includes('/user/confirm-password') &&
+                response.request().method() === 'POST' &&
+                response.status() === 422
+        ),
+        dialog.getByRole('button', { name: 'Delete Account' }).click(),
+    ]);
+    await expect(dialog.getByRole('alert')).toBeVisible();
+    await expect(dialog).toBeVisible();
+});
+
+test('delete account succeeds with the correct password and logs the user out', async ({
+    page,
+}) => {
+    await goToProfilePage(page);
+    await page.getByRole('button', { name: 'Delete Account' }).click();
+    const dialog = page.getByRole('dialog');
+    await dialog.getByPlaceholder('Password').fill(TEST_USER_PASSWORD);
+    await Promise.all([
+        page.waitForResponse(
+            (response) =>
+                response.url().includes('/api/v1/users/') &&
+                response.request().method() === 'DELETE' &&
+                response.status() === 204
+        ),
+        dialog.getByRole('button', { name: 'Delete Account' }).click(),
+    ]);
+    await page.waitForURL(/\/login/);
 });
 
 async function createNewApiToken(page) {

e2e/shared-reports.spec.ts

@@ -469,7 +469,7 @@ test('test that creating a report with an expiration date works', async ({ page,
     await datePicker.click();
 
     // Select a date in the next month
-    const calendarGrid = page.getByRole('grid');
+    const calendarGrid = page.getByRole('gridcell').first();
     await expect(calendarGrid).toBeVisible({ timeout: 5000 });
     await page.getByRole('button', { name: /Next/i }).click();
     await page.getByRole('gridcell').filter({ hasText: /^15$/ }).first().click();
@@ -547,7 +547,7 @@ test('test that editing a report to make it public with expiration date works',
     await datePicker.click();
 
     // Select a date in the next month
-    const calendarGrid = page.getByRole('grid');
+    const calendarGrid = page.getByRole('gridcell').first();
     await expect(calendarGrid).toBeVisible({ timeout: 5000 });
     await page.getByRole('button', { name: /Next/i }).click();
     await page.getByRole('gridcell').filter({ hasText: /^20$/ }).first().click();
@@ -741,7 +741,7 @@ test('test that updating expiration date on already-public report works', async
     await datePicker.click();
 
     // Select the 25th of next month
-    const calendarGrid = page.getByRole('grid');
+    const calendarGrid = page.getByRole('gridcell').first();
     await expect(calendarGrid).toBeVisible({ timeout: 5000 });
     await page.getByRole('button', { name: /Next/i }).click();
     await page.getByRole('gridcell').filter({ hasText: /^25$/ }).first().click();

e2e/time.spec.ts

@@ -462,7 +462,7 @@ test('test that setting a date in the create modal works', async ({ page }) => {
     await startDatePicker.click();
 
     // Wait for calendar to appear
-    const calendarGrid = page.getByRole('grid');
+    const calendarGrid = page.getByRole('gridcell').first();
     await expect(calendarGrid).toBeVisible({ timeout: 5000 });
 
     // Navigate to previous month and select the 15th (a day that's always in the middle of the month)
@@ -515,7 +515,7 @@ test('test that updating the date via the time entry row range selector works',
     await startDatePicker.click();
 
     // Wait for the calendar to appear and select a day
-    const calendarGrid = page.getByRole('grid');
+    const calendarGrid = page.getByRole('gridcell').first();
     await expect(calendarGrid).toBeVisible({ timeout: 5000 });
 
     // Navigate to previous month and select the 5th
@@ -568,7 +568,7 @@ test('test that updating the end date via the time entry row range selector work
     await endDatePicker.click();
 
     // Wait for the calendar to appear
-    const calendarGrid = page.getByRole('grid');
+    const calendarGrid = page.getByRole('gridcell').first();
     await expect(calendarGrid).toBeVisible({ timeout: 5000 });
 
     // Navigate to next month and select the 20th (to ensure end > start)

e2e/timetracker.spec.ts

@@ -293,7 +293,7 @@ test('test that setting an end time with a different date via the timetracker ra
     await endDatePicker.click();
 
     // Calendar should appear
-    const calendarGrid = page.getByRole('grid');
+    const calendarGrid = page.getByRole('gridcell').first();
     await expect(calendarGrid).toBeVisible({ timeout: 5000 });
 
     // Navigate to the next month and select a day to ensure end > start

e2e/utils/api.ts

@@ -649,6 +649,19 @@ export async function createTimeEntryWithTimestampsViaApi(
 // User profile helpers
 // ──────────────────────────────────────────────────
 
+export async function getCurrentUserViaApi(ctx: TestContext) {
+    const response = await ctx.request.get(`${PLAYWRIGHT_BASE_URL}/api/v1/users/me`);
+    expect(response.status()).toBe(200);
+    const body = await response.json();
+    return body.data as {
+        id: string;
+        name: string;
+        email: string;
+        timezone: string;
+        week_start: string;
+    };
+}
+
 export async function updateUserProfileViaWeb(
     page: Page,
     settings: { timezone?: string; week_start?: string }

e2e/utils/mailpit.ts

@@ -81,3 +81,64 @@ export async function getPasswordResetUrl(
 
     return resetUrlMatch![1].replace(/&/g, '&');
 }
+
+/**
+ * Count emails matching the given subject sent to the given address.
+ */
+export async function countEmailsWithSubject(
+    request: APIRequestContext,
+    recipientEmail: string,
+    subject: string
+): Promise<number> {
+    const searchResult = await searchEmails(
+        request,
+        `to:${encodeURIComponent(recipientEmail)} subject:"${subject}"`
+    );
+    return searchResult.messages.length;
+}
+
+/**
+ * Poll Mailpit until the count of matching emails reaches `min`, or 5 attempts
+ * (~2.5s) elapse. Returns the final count.
+ */
+export async function waitForEmailCount(
+    request: APIRequestContext,
+    recipientEmail: string,
+    subject: string,
+    min: number
+): Promise<number> {
+    let count = 0;
+    for (let attempt = 0; attempt < 5; attempt++) {
+        count = await countEmailsWithSubject(request, recipientEmail, subject);
+        if (count >= min) break;
+        await new Promise((r) => setTimeout(r, 500));
+    }
+    return count;
+}
+
+/**
+ * Find the email-change verification URL from a Mailpit email sent to the given address.
+ * Retries a few times to allow for email delivery delay.
+ */
+export async function getEmailChangeVerificationUrl(
+    request: APIRequestContext,
+    recipientEmail: string
+): Promise<string> {
+    let searchResult: { messages: Array<{ ID: string }> } = { messages: [] };
+
+    for (let attempt = 0; attempt < 5; attempt++) {
+        searchResult = await searchEmails(
+            request,
+            `to:${encodeURIComponent(recipientEmail)} subject:"Verify Email Address"`
+        );
+        if (searchResult.messages.length > 0) break;
+        await new Promise((resolve) => setTimeout(resolve, 500));
+    }
+    expect(searchResult.messages.length).toBeGreaterThan(0);
+
+    const message = await getMessage(request, searchResult.messages[0].ID);
+    const verifyUrlMatch = message.HTML.match(/href="([^"]*verify-email-change[^"]*)"/);
+    expect(verifyUrlMatch).toBeTruthy();
+
+    return verifyUrlMatch![1].replace(/&amp;/g, '&');
+}

package.json

@@ -18,61 +18,62 @@
         "format:check": "prettier --check './**/*.{js,jsx,cjs,mjs,ts,tsx,cts,mts,vue}'"
     },
     "devDependencies": {
-        "@eslint/eslintrc": "^3.2.0",
-        "@eslint/js": "^9.19.0",
-        "@inertiajs/vue3": "^2.0.0",
-        "@playwright/test": "^1.41.1",
-        "@tailwindcss/forms": "^0.5.9",
-        "@tailwindcss/typography": "^0.5.15",
-        "@types/chroma-js": "^3.1.0",
-        "@types/node": "^22.10.10",
-        "@vitejs/plugin-vue": "^6.0.3",
-        "@vue/tsconfig": "^0.8.0",
-        "autoprefixer": "^10.4.20",
-        "axios": "^1.6.4",
-        "eslint-plugin-unused-imports": "^4.1.4",
+        "@eslint/eslintrc": "^3.3.5",
+        "@eslint/js": "^9.39.4",
+        "@inertiajs/vue3": "^2.3.23",
+        "@playwright/test": "^1.60.0",
+        "@tailwindcss/forms": "^0.5.11",
+        "@tailwindcss/typography": "^0.5.19",
+        "@types/chroma-js": "^3.1.2",
+        "@types/node": "^22.19.19",
+        "@vitejs/plugin-vue": "^6.0.6",
+        "@vue/tsconfig": "^0.8.1",
+        "autoprefixer": "^10.5.0",
+        "axios": "^1.16.0",
+        "eslint-plugin-unused-imports": "^4.4.1",
         "laravel-vite-plugin": "^2.1.0",
-        "openapi-zod-client": "^1.16.2",
-        "postcss": "^8.4.47",
+        "openapi-zod-client": "^1.18.3",
+        "postcss": "^8.5.14",
         "postcss-import": "^15.1.0",
         "postcss-nesting": "^12.1.5",
-        "tailwindcss": "^3.4.13",
-        "typescript": "^5.7.3",
-        "vite": "^7.0.0",
+        "tailwindcss": "^3.4.19",
+        "typescript": "^5.9.3",
+        "vite": "^7.3.3",
         "vite-plugin-checker": "^0.12.0",
-        "vue": "^3.5.0",
-        "vue-tsc": "^3.0.0"
+        "vue": "^3.5.34",
+        "vue-tsc": "^3.2.8"
     },
     "dependencies": {
-        "@floating-ui/core": "^1.6.0",
-        "@floating-ui/vue": "^1.0.6",
-        "@heroicons/vue": "^2.1.1",
-        "@rushstack/eslint-patch": "^1.10.5",
+        "@floating-ui/core": "^1.7.5",
+        "@floating-ui/vue": "^1.1.11",
+        "@heroicons/vue": "^2.2.0",
+        "@lucide/vue": "^1.14.0",
+        "@rushstack/eslint-patch": "^1.16.1",
         "@tailwindcss/container-queries": "^0.1.1",
-        "@tanstack/vue-form": "^1.3.1",
-        "@tanstack/vue-query": "^5.56.2",
-        "@tanstack/vue-query-devtools": "^5.58.0",
-        "@tanstack/vue-table": "^8.21.2",
+        "@tanstack/vue-form": "^1.32.0",
+        "@tanstack/vue-query": "^5.100.10",
+        "@tanstack/vue-query-devtools": "^5.91.0",
+        "@tanstack/vue-table": "^8.21.3",
         "@vue/eslint-config-prettier": "^10.2.0",
-        "@vue/eslint-config-typescript": "^14.3.0",
-        "@vueuse/core": "^14.2.1",
-        "@vueuse/integrations": "^14.0.0",
+        "@vue/eslint-config-typescript": "^14.7.0",
+        "@vueuse/core": "^14.3.0",
+        "@vueuse/integrations": "^14.3.0",
         "@zodios/core": "^10.9.6",
-        "chroma-js": "3.1.2",
+        "chroma-js": "^3.2.0",
         "class-variance-authority": "^0.7.1",
         "clsx": "^2.1.1",
-        "dayjs": "^1.11.11",
+        "dayjs": "^1.11.20",
         "echarts": "^6.0.0",
-        "focus-trap": "^8.0.0",
-        "lucide-vue-next": "^0.487.0",
-        "parse-duration": "^2.0.1",
-        "pinia": "^3.0.0",
-        "radix-vue": "^1.9.6",
-        "reka-ui": "^2.8.2",
-        "tailwind-merge": "^2.6.0",
+        "focus-trap": "^8.2.0",
+        "parse-duration": "^2.1.6",
+        "pinia": "^3.0.4",
+        "radix-vue": "^1.9.17",
+        "reka-ui": "^2.9.7",
+        "tailwind-merge": "^2.6.1",
         "tailwindcss-animate": "^1.0.7",
-        "vue-echarts": "^8.0.0",
-        "zod": "^3.23.8"
+        "vue-draggable-plus": "^0.6.1",
+        "vue-echarts": "^8.0.1",
+        "zod": "^3.25.76"
     },
     "overrides": {
         "vite-plugin-checker": {

playwright/fixtures.ts

@@ -32,6 +32,9 @@ export const test = baseTest.extend<
         const email = `john+${Date.now()}_${Math.floor(Math.random() * 10000)}@doe.com`;
         const password = TEST_USER_PASSWORD;
         const name = 'John Doe';
+        const timezone = await page.evaluate(
+            () => Intl.DateTimeFormat().resolvedOptions().timeZone
+        );
 
         // Use page.context().request() so cookies are automatically shared with the page
         const request = page.context().request;
@@ -64,6 +67,7 @@ export const test = baseTest.extend<
                 password,
                 password_confirmation: password,
                 terms: 'on',
+                timezone,
             },
             maxRedirects: 0,
         });

resources/js/Components/Banner.vue

@@ -5,6 +5,15 @@ import { usePage } from '@inertiajs/vue3';
 const ALLOWED_STYLES = ['success', 'danger', 'info', 'warning'] as const;
 type BannerStyle = (typeof ALLOWED_STYLES)[number];
 
+withDefaults(
+    defineProps<{
+        // Render as a self-contained rounded alert that sits inside a card
+        // (e.g. the auth card on login/register) instead of a full-width page banner.
+        card?: boolean;
+    }>(),
+    { card: false }
+);
+
 const page = usePage<{
     flash: {
         bannerText?: string;
@@ -26,10 +35,16 @@ const show = ref(true);
         <div
             v-if="show && message"
             data-testid="banner"
-            class="bg-secondary border-b border-border-secondary">
-            <div class="mx-auto py-1 px-3 sm:px-6 lg:px-8">
+            :class="
+                card
+                    ? 'bg-secondary border border-border-secondary rounded-lg mb-4'
+                    : 'bg-secondary border-b border-border-secondary'
+            ">
+            <div :class="card ? 'py-2 px-3' : 'mx-auto py-1 px-3 sm:px-6 lg:px-8'">
                 <div class="flex items-center justify-between flex-wrap">
-                    <div class="w-0 flex-1 flex items-center min-w-0">
+                    <div
+                        class="w-0 flex-1 flex min-w-0"
+                        :class="card ? 'items-start' : 'items-center'">
                         <span class="flex">
                             <svg
                                 v-if="style === 'success'"
@@ -74,7 +89,9 @@ const show = ref(true);
                             </svg>
                         </span>
 
-                        <p class="ms-3 font-medium text-sm text-text-primary truncate">
+                        <p
+                            class="ms-3 font-medium text-sm text-text-primary"
+                            :class="{ truncate: !card }">
                             {{ message }}
                         </p>
                     </div>

resources/js/Components/Common/Member/MemberCombobox.vue

@@ -2,7 +2,7 @@
 import { computed, nextTick, ref, watch } from 'vue';
 import { useMembersQuery } from '@/utils/useMembersQuery';
 import { UserIcon } from '@heroicons/vue/24/solid';
-import { ChevronDown } from 'lucide-vue-next';
+import { ChevronDown } from '@lucide/vue';
 import type { ProjectMember } from '@/packages/api/src';
 import type { Member } from '@/packages/api/src';
 import {

resources/js/Components/Common/Project/ProjectDropdown.vue

@@ -10,7 +10,7 @@ import {
     ComboboxRoot,
     ComboboxViewport,
 } from 'radix-vue';
-import { Check, Plus } from 'lucide-vue-next';
+import { Check, Plus } from '@lucide/vue';
 import type { CreateClientBody, CreateProjectBody, Project } from '@/packages/api/src';
 import { UseFocusTrap } from '@vueuse/integrations/useFocusTrap/component';
 import ProjectCreateModal from '@/packages/ui/src/Project/ProjectCreateModal.vue';

resources/js/Components/Common/Project/ProjectEditModal.vue

@@ -12,7 +12,7 @@ import ClientDropdown from '@/packages/ui/src/Client/ClientDropdown.vue';
 import { useClientsQuery } from '@/utils/useClientsQuery';
 import ProjectColorSelector from '@/packages/ui/src/Project/ProjectColorSelector.vue';
 import { Button } from '@/packages/ui/src/Buttons';
-import { ChevronDown } from 'lucide-vue-next';
+import { ChevronDown } from '@lucide/vue';
 import { UserCircleIcon } from '@heroicons/vue/20/solid';
 import EstimatedTimeSection from '@/packages/ui/src/EstimatedTimeSection.vue';
 import { Field, FieldGroup, FieldLabel } from '@/packages/ui/src/field';

resources/js/Components/Common/Reporting/ReportingOverview.vue

@@ -5,7 +5,7 @@ import {
     EllipsisVerticalIcon,
     LockClosedIcon,
 } from '@heroicons/vue/20/solid';
-import { SaveIcon } from 'lucide-vue-next';
+import { SaveIcon } from '@lucide/vue';
 import { getOrganizationCurrencyString } from '@/utils/money';
 import {
     formatReportingDuration,

resources/js/Components/Common/Task/TaskCreateModal.vue

@@ -11,7 +11,7 @@ import EstimatedTimeSection from '@/packages/ui/src/EstimatedTimeSection.vue';
 import { isAllowedToPerformPremiumAction } from '@/utils/billing';
 import { Field, FieldGroup, FieldLabel } from '@/packages/ui/src/field';
 import { Button } from '@/packages/ui/src/Buttons';
-import { ChevronDown } from 'lucide-vue-next';
+import { ChevronDown } from '@lucide/vue';
 import { FolderIcon } from '@heroicons/vue/20/solid';
 
 const { createTask } = useTasksStore();

resources/js/Components/ui/alert-dialog/AlertDialogAction.vue

@@ -2,7 +2,7 @@
 import { buttonVariants } from '@/packages/ui/src';
 import { AlertDialogAction, type AlertDialogActionProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
-import { twMerge } from 'tailwind-merge';
+import { cn } from '@/lib/utils';
 const props = defineProps<AlertDialogActionProps & { class?: HTMLAttributes['class'] }>();
 
 const delegatedProps = computed(() => {
@@ -13,7 +13,7 @@ const delegatedProps = computed(() => {
 </script>
 
 <template>
-    <AlertDialogAction v-bind="delegatedProps" :class="twMerge(buttonVariants(), props.class)">
+    <AlertDialogAction v-bind="delegatedProps" :class="cn(buttonVariants(), props.class)">
         <slot />
     </AlertDialogAction>
 </template>

resources/js/Components/ui/alert-dialog/AlertDialogCancel.vue

@@ -2,7 +2,7 @@
 import { buttonVariants } from '@/packages/ui/src';
 import { AlertDialogCancel, type AlertDialogCancelProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
-import { twMerge } from 'tailwind-merge';
+import { cn } from '@/lib/utils';
 
 const props = defineProps<AlertDialogCancelProps & { class?: HTMLAttributes['class'] }>();
 
@@ -16,7 +16,7 @@ const delegatedProps = computed(() => {
 <template>
     <AlertDialogCancel
         v-bind="delegatedProps"
-        :class="twMerge(buttonVariants({ variant: 'outline' }), 'mt-2 sm:mt-0', props.class)">
+        :class="cn(buttonVariants({ variant: 'outline' }), 'mt-2 sm:mt-0', props.class)">
         <slot />
     </AlertDialogCancel>
 </template>

resources/js/Layouts/AppLayout.vue

@@ -18,7 +18,7 @@ import {
     XMarkIcon,
     DocumentTextIcon,
 } from '@heroicons/vue/20/solid';
-import { PanelLeft } from 'lucide-vue-next';
+import { PanelLeft } from '@lucide/vue';
 import NavigationSidebarItem from '@/Components/NavigationSidebarItem.vue';
 import UserSettingsIcon from '@/Components/UserSettingsIcon.vue';
 import MainContainer from '@/packages/ui/src/MainContainer.vue';

resources/js/Pages/Auth/Login.vue

@@ -37,8 +37,6 @@ const page = usePage<{
 <template>
     <Head title="Log in" />
 
-    <Banner />
-
     <AuthenticationCard>
         <template #logo>
             <AuthenticationCardLogo />
@@ -52,6 +50,8 @@ const page = usePage<{
             </Link>
         </template>
 
+        <Banner card />
+
         <div v-if="status" class="mb-4 font-medium text-sm text-green-400">
             {{ status }}
         </div>

resources/js/Pages/Auth/Register.vue

@@ -42,8 +42,6 @@ const page = usePage<{
 <template>
     <Head title="Register" />
 
-    <Banner />
-
     <AuthenticationCard>
         <template #logo>
             <AuthenticationCardLogo />
@@ -58,6 +56,8 @@ const page = usePage<{
             </Link>
         </template>
 
+        <Banner card />
+
         <div
             v-if="page.props.flash?.message"
             class="bg-red-400 text-black text-center w-full px-3 py-1 mb-4 rounded-lg">

resources/js/Pages/Profile/Partials/DeleteUserForm.vue

@@ -1,40 +1,57 @@
 <script setup lang="ts">
 import { ref } from 'vue';
-import { useForm } from '@inertiajs/vue3';
+import axios from 'axios';
 import ActionSection from '@/Components/ActionSection.vue';
 import DangerButton from '@/packages/ui/src/Buttons/DangerButton.vue';
 import DialogModal from '@/packages/ui/src/DialogModal.vue';
 import { Field, FieldError } from '@/packages/ui/src/field';
 import SecondaryButton from '@/packages/ui/src/Buttons/SecondaryButton.vue';
 import TextInput from '@/packages/ui/src/Input/TextInput.vue';
+import { useDeleteUserMutation, useUserQuery } from '@/utils/useUserQuery';
+
+const { user } = useUserQuery();
+const deleteUserMutation = useDeleteUserMutation();
 
 const confirmingUserDeletion = ref(false);
-const passwordInput = ref<HTMLElement | null>(null);
+const passwordInput = ref<HTMLInputElement | null>(null);
+const password = ref('');
+const passwordError = ref('');
+const processing = ref(false);
 
-const form = useForm({
-    password: '',
-});
-
-const confirmUserDeletion = () => {
+function confirmUserDeletion() {
     confirmingUserDeletion.value = true;
-
     setTimeout(() => passwordInput.value?.focus(), 250);
-};
+}
 
-const deleteUser = () => {
-    form.delete(route('current-user.destroy'), {
-        preserveScroll: true,
-        onSuccess: () => closeModal(),
-        onError: () => passwordInput.value?.focus(),
-        onFinish: () => form.reset(),
-    });
-};
+async function deleteUser() {
+    if (!user.value || processing.value) return;
+    processing.value = true;
+    passwordError.value = '';
+    try {
+        await axios.post(route('password.confirm'), { password: password.value });
+    } catch (error) {
+        processing.value = false;
+        if (axios.isAxiosError(error) && error.response?.status === 422) {
+            passwordError.value = error.response.data?.errors?.password?.[0] ?? 'Invalid password.';
+        } else {
+            passwordError.value = 'Could not confirm password. Please try again.';
+        }
+        passwordInput.value?.focus();
+        return;
+    }
+    try {
+        await deleteUserMutation.mutateAsync(user.value.id);
+        window.location.href = '/';
+    } catch {
+        processing.value = false;
+    }
+}
 
-const closeModal = () => {
+function closeModal() {
     confirmingUserDeletion.value = false;
-
-    form.reset();
-};
+    password.value = '';
+    passwordError.value = '';
+}
 </script>
 
 <template>
@@ -66,16 +83,14 @@ const closeModal = () => {
                     <Field class="mt-4">
                         <TextInput
                             ref="passwordInput"
-                            v-model="form.password"
+                            v-model="password"
                             type="password"
                             class="block w-3/4"
                             placeholder="Password"
                             autocomplete="current-password"
                             @keyup.enter="deleteUser" />
 
-                        <FieldError v-if="form.errors.password">{{
-                            form.errors.password
-                        }}</FieldError>
+                        <FieldError v-if="passwordError">{{ passwordError }}</FieldError>
                     </Field>
                 </template>
 
@@ -84,8 +99,8 @@ const closeModal = () => {
 
                     <DangerButton
                         class="ms-3"
-                        :class="{ 'opacity-25': form.processing }"
-                        :disabled="form.processing"
+                        :class="{ 'opacity-25': processing }"
+                        :disabled="processing"
                         @click="deleteUser">
                         Delete Account
                     </DangerButton>

resources/js/Pages/Profile/Partials/UpdateProfileInformationForm.vue

@@ -1,93 +1,190 @@
 <script setup lang="ts">
-import { ref } from 'vue';
-import { Link, router, useForm, usePage } from '@inertiajs/vue3';
+import { computed, onBeforeUnmount, ref, watch } from 'vue';
+import { usePage } from '@inertiajs/vue3';
+import axios from 'axios';
 import ActionMessage from '@/Components/ActionMessage.vue';
 import FormSection from '@/Components/FormSection.vue';
-import { Field, FieldLabel, FieldError } from '@/packages/ui/src/field';
+import { Field, FieldError, FieldLabel } from '@/packages/ui/src/field';
+import { Button } from '@/packages/ui/src/Buttons';
 import PrimaryButton from '@/packages/ui/src/Buttons/PrimaryButton.vue';
 import SecondaryButton from '@/packages/ui/src/Buttons/SecondaryButton.vue';
 import TextInput from '@/packages/ui/src/Input/TextInput.vue';
-import type { User } from '@/types/models';
+import {
+    useResendUserEmailVerificationMutation,
+    useResetUserPendingEmailMutation,
+    useUpdateUserMutation,
+    useUserQuery,
+} from '@/utils/useUserQuery';
+import type { UpdateUserBody, User } from '@/packages/api/src';
 
-const props = defineProps<{
-    user: User;
-}>();
+const { user } = useUserQuery();
+const updateUser = useUpdateUserMutation();
+const resendVerification = useResendUserEmailVerificationMutation();
+const resetPendingEmail = useResetUserPendingEmailMutation();
 
-const form = useForm({
-    _method: 'PUT',
-    name: props.user.name,
-    email: props.user.email,
-    photo: null as File | null,
-    timezone: props.user.timezone,
-    week_start: props.user.week_start,
-});
+const name = ref('');
+const email = ref('');
+const timezone = ref('');
+const weekStart = ref('');
 
-const verificationLinkSent = ref<boolean | null>(null);
-const photoPreview = ref<ArrayBuffer | undefined | string | null>(null);
+const photoBase64 = ref<string | null>(null);
+const photoPreview = ref<string | null>(null);
 const photoInput = ref<HTMLInputElement | null>(null);
 
-const updateProfileInformation = () => {
-    if (photoInput.value && photoInput.value.files && photoInput.value.files?.length > 0) {
-        form.photo = photoInput.value?.files[0] ?? null;
+const recentlySaved = ref(false);
+const resendCooldown = ref(false);
+let resendCooldownTimer: ReturnType<typeof setTimeout> | null = null;
+
+function seedForm(u: User) {
+    name.value = u.name;
+    email.value = u.email;
+    timezone.value = u.timezone;
+    weekStart.value = u.week_start;
+}
+
+watch(
+    user,
+    (u, prev) => {
+        if (u && prev === undefined) seedForm(u);
+    },
+    { immediate: true }
+);
+
+const isUserLoaded = computed(() => user.value !== undefined);
+const isSaveDisabled = computed(() => !isUserLoaded.value || updateUser.isPending.value);
+const pendingEmail = computed(() => user.value?.pending_email ?? null);
+const hasUploadedPhoto = computed(() => {
+    const url = user.value?.profile_photo_url;
+    return !!url && !url.includes('ui-avatars.com');
+});
+
+const fieldErrors = computed<Record<string, string>>(() => {
+    const err = updateUser.error.value;
+    if (!axios.isAxiosError(err) || err.response?.status !== 422) return {};
+    const raw = err.response.data?.errors as Record<string, string[]> | undefined;
+    if (!raw) return {};
+    const flat: Record<string, string> = {};
+    for (const [key, messages] of Object.entries(raw)) {
+        if (Array.isArray(messages) && messages[0]) flat[key] = messages[0];
+    }
+    return flat;
+});
+
+function buildPayload(): UpdateUserBody {
+    if (!user.value) return {};
+    const body: UpdateUserBody = {};
+    if (name.value !== user.value.name) body.name = name.value;
+
+    const typedEmail = email.value.trim().toLowerCase();
+    const currentEmail = user.value.email.toLowerCase();
+    const currentPending = (user.value.pending_email ?? '').toLowerCase();
+    if (typedEmail !== currentEmail && typedEmail !== currentPending) {
+        body.email = email.value.trim();
     }
 
-    form.post(route('user-profile-information.update'), {
-        errorBag: 'updateProfileInformation',
-        preserveScroll: true,
-        onSuccess: () => clearPhotoFileInput(),
-    });
-};
+    if (timezone.value !== user.value.timezone) body.timezone = timezone.value;
+    if (weekStart.value !== user.value.week_start) {
+        body.week_start = weekStart.value as UpdateUserBody['week_start'];
+    }
+    if (photoBase64.value !== null) body.photo = photoBase64.value;
+    return body;
+}
 
-const sendEmailVerification = () => {
-    verificationLinkSent.value = true;
-};
+function clearPhotoInput() {
+    if (photoInput.value) photoInput.value.value = '';
+    photoBase64.value = null;
+    photoPreview.value = null;
+}
 
-const selectNewPhoto = () => {
+function selectNewPhoto() {
+    if (!isUserLoaded.value) return;
     photoInput.value?.click();
-};
+}
 
-const updatePhotoPreview = () => {
-    if (photoInput.value?.files) {
-        const photo = photoInput.value?.files[0];
-        if (!photo) return;
+function readSelectedPhoto() {
+    if (!isUserLoaded.value) return;
+    const file = photoInput.value?.files?.[0];
+    if (!file) return;
+    const reader = new FileReader();
+    reader.onload = (e) => {
+        const dataUrl = e.target?.result as string;
+        photoBase64.value = dataUrl;
+        photoPreview.value = dataUrl;
+    };
+    reader.readAsDataURL(file);
+}
 
-        const reader = new FileReader();
-
-        reader.onload = (e) => {
-            photoPreview.value = e.target?.result;
-        };
-
-        reader.readAsDataURL(photo);
+async function save() {
+    if (isSaveDisabled.value || !user.value) return;
+    const body = buildPayload();
+    if (Object.keys(body).length === 0) {
+        flashSaved();
+        return;
     }
-};
-
-const deletePhoto = () => {
-    router.delete(route('current-user-photo.destroy'), {
-        preserveScroll: true,
-        onSuccess: () => {
-            photoPreview.value = null;
-            clearPhotoFileInput();
-        },
-    });
-};
-
-const clearPhotoFileInput = () => {
-    if (photoInput.value?.value) {
-        photoInput.value.value = '';
+    try {
+        const updated = await updateUser.mutateAsync({ userId: user.value.id, body });
+        seedForm(updated);
+        clearPhotoInput();
+        flashSaved();
+    } catch {
+        // 422: field errors render via fieldErrors. Other errors: toast handled in the mutation.
     }
-};
+}
+
+async function removePhoto() {
+    if (!isUserLoaded.value || updateUser.isPending.value || !user.value) return;
+    try {
+        await updateUser.mutateAsync({ userId: user.value.id, body: { photo: null } });
+        clearPhotoInput();
+    } catch {
+        // notification handled by mutation
+    }
+}
+
+async function clickResend() {
+    if (!user.value || resendCooldown.value || resendVerification.isPending.value) return;
+    try {
+        await resendVerification.mutateAsync(user.value.id);
+        resendCooldown.value = true;
+        if (resendCooldownTimer) clearTimeout(resendCooldownTimer);
+        resendCooldownTimer = setTimeout(() => {
+            resendCooldown.value = false;
+        }, 5000);
+    } catch {
+        // notification handled by mutation
+    }
+}
+
+async function clickCancelEmailChange() {
+    if (!user.value || resetPendingEmail.isPending.value) return;
+    try {
+        // Clears pending_email on the server; the pending banner hides once the
+        // me query refetches. The email field already shows the current address.
+        await resetPendingEmail.mutateAsync(user.value.id);
+    } catch {
+        // notification handled by mutation
+    }
+}
+
+function flashSaved() {
+    recentlySaved.value = true;
+    setTimeout(() => (recentlySaved.value = false), 2000);
+}
+
+onBeforeUnmount(() => {
+    if (resendCooldownTimer) clearTimeout(resendCooldownTimer);
+});
 
 const page = usePage<{
-    jetstream: {
-        managesProfilePhotos: boolean;
-        hasEmailVerification: boolean;
-    };
+    jetstream: { managesProfilePhotos: boolean };
+    timezones: Record<string, string>;
+    weekdays: Record<string, string>;
 }>();
 </script>
 
 <template>
-    <FormSection @submitted="updateProfileInformation">
-        <template #title> Profile Information</template>
+    <FormSection @submitted="save">
+        <template #title>Profile Information</template>
 
         <template #description>
             Update your account's profile information and email address.
@@ -96,44 +193,51 @@ const page = usePage<{
         <template #form>
             <!-- Profile Photo -->
             <div v-if="page.props.jetstream.managesProfilePhotos" class="col-span-6 sm:col-span-4">
-                <!-- Profile Photo File Input -->
                 <input
                     id="photo"
                     ref="photoInput"
                     type="file"
+                    accept="image/jpeg,image/png"
                     class="hidden"
-                    @change="updatePhotoPreview" />
+                    :disabled="!isUserLoaded"
+                    @change="readSelectedPhoto" />
 
                 <FieldLabel for="photo">Photo</FieldLabel>
 
-                <!-- Current Profile Photo -->
                 <div v-show="!photoPreview" class="mt-2">
                     <img
+                        v-if="user"
                         :src="user.profile_photo_url"
                         :alt="user.name"
                         class="rounded-full h-20 w-20 object-cover" />
                 </div>
 
-                <!-- New Profile Photo Preview -->
                 <div v-show="photoPreview" class="mt-2">
                     <span
                         class="block rounded-full w-20 h-20 bg-cover bg-no-repeat bg-center"
                         :style="'background-image: url(\'' + photoPreview + '\');'" />
                 </div>
 
-                <SecondaryButton class="mt-2 me-2" type="button" @click.prevent="selectNewPhoto">
+                <SecondaryButton
+                    class="mt-2 me-2"
+                    type="button"
+                    :disabled="!isUserLoaded"
+                    @click.prevent="selectNewPhoto">
                     Select A New Photo
                 </SecondaryButton>
 
                 <SecondaryButton
-                    v-if="user.profile_photo_path"
+                    v-if="hasUploadedPhoto"
                     type="button"
                     class="mt-2"
-                    @click.prevent="deletePhoto">
+                    :disabled="!isUserLoaded || updateUser.isPending.value"
+                    @click.prevent="removePhoto">
                     Remove Photo
                 </SecondaryButton>
 
-                <FieldError v-if="form.errors.photo">{{ form.errors.photo }}</FieldError>
+                <FieldError v-if="fieldErrors.photo" class="mt-2">
+                    {{ fieldErrors.photo }}
+                </FieldError>
             </div>
 
             <!-- Name -->
@@ -141,12 +245,13 @@ const page = usePage<{
                 <FieldLabel for="name">Name</FieldLabel>
                 <TextInput
                     id="name"
-                    v-model="form.name"
+                    v-model="name"
                     type="text"
                     class="block w-full"
                     required
+                    :disabled="!isUserLoaded"
                     autocomplete="name" />
-                <FieldError v-if="form.errors.name">{{ form.errors.name }}</FieldError>
+                <FieldError v-if="fieldErrors.name">{{ fieldErrors.name }}</FieldError>
             </Field>
 
             <!-- Email -->
@@ -154,34 +259,39 @@ const page = usePage<{
                 <FieldLabel for="email">Email</FieldLabel>
                 <TextInput
                     id="email"
-                    v-model="form.email"
+                    v-model="email"
                     type="email"
                     class="block w-full"
                     required
+                    :disabled="!isUserLoaded"
                     autocomplete="username" />
-                <FieldError v-if="form.errors.email">{{ form.errors.email }}</FieldError>
+                <FieldError v-if="fieldErrors.email">{{ fieldErrors.email }}</FieldError>
 
-                <div
-                    v-if="
-                        page.props.jetstream.hasEmailVerification && user.email_verified_at === null
-                    ">
-                    <p class="text-sm mt-2 text-text-primary">
-                        Your email address is unverified.
-
-                        <Link
-                            :href="route('verification.send')"
-                            method="post"
-                            as="button"
-                            class="underline text-sm text-text-secondary hover:text-text-secondary rounded-md focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-indigo-500 dark:focus:ring-offset-gray-800"
-                            @click.prevent="sendEmailVerification">
-                            Click here to re-send the verification email.
-                        </Link>
+                <div v-if="pendingEmail" class="mt-2 text-sm">
+                    <p class="text-text-primary">
+                        A verification link was sent to
+                        <span class="font-medium">{{ pendingEmail }}</span
+                        >. Click the link in the email to confirm the change.
                     </p>
-
-                    <div
-                        v-show="verificationLinkSent"
-                        class="mt-2 font-medium text-sm text-green-400">
-                        A new verification link has been sent to your email address.
+                    <div class="mt-2 -ms-3 flex flex-wrap items-center gap-x-1 gap-y-1">
+                        <Button
+                            v-if="!resendCooldown"
+                            variant="ghost"
+                            size="sm"
+                            type="button"
+                            :disabled="!isUserLoaded || resendVerification.isPending.value"
+                            @click="clickResend">
+                            Resend verification email
+                        </Button>
+                        <p v-else class="ms-3 font-medium text-green-400">Verification email sent.</p>
+                        <Button
+                            variant="ghost"
+                            size="sm"
+                            type="button"
+                            :disabled="!isUserLoaded || resetPendingEmail.isPending.value"
+                            @click="clickCancelEmailChange">
+                            Cancel email change
+                        </Button>
                     </div>
                 </div>
             </Field>
@@ -191,19 +301,20 @@ const page = usePage<{
                 <FieldLabel for="timezone">Timezone</FieldLabel>
                 <select
                     id="timezone"
-                    v-model="form.timezone"
+                    v-model="timezone"
                     name="timezone"
                     required
+                    :disabled="!isUserLoaded"
                     class="block w-full border-input-border bg-input-background text-text-primary focus:border-input-border-active rounded-md shadow-sm">
                     <option value="" disabled>Select a Timezone</option>
                     <option
-                        v-for="(timezoneTranslated, timezoneKey) in $page.props.timezones"
-                        :key="timezoneKey"
-                        :value="timezoneKey">
+                        v-for="(timezoneTranslated, timezoneValue) in page.props.timezones"
+                        :key="timezoneValue"
+                        :value="timezoneValue">
                         {{ timezoneTranslated }}
                     </option>
                 </select>
-                <FieldError v-if="form.errors.timezone">{{ form.errors.timezone }}</FieldError>
+                <FieldError v-if="fieldErrors.timezone">{{ fieldErrors.timezone }}</FieldError>
             </Field>
 
             <!-- Week start -->
@@ -211,26 +322,27 @@ const page = usePage<{
                 <FieldLabel for="week_start">Start of the week</FieldLabel>
                 <select
                     id="week_start"
-                    v-model="form.week_start"
+                    v-model="weekStart"
                     name="week_start"
                     required
+                    :disabled="!isUserLoaded"
                     class="block w-full border-input-border bg-input-background text-text-primary focus:border-input-border-active rounded-md shadow-sm">
                     <option value="" disabled>Select a week day</option>
                     <option
-                        v-for="(weekdayTranslated, weekdayKey) in $page.props.weekdays"
-                        :key="weekdayKey"
-                        :value="weekdayKey">
+                        v-for="(weekdayTranslated, weekdayValue) in page.props.weekdays"
+                        :key="weekdayValue"
+                        :value="weekdayValue">
                         {{ weekdayTranslated }}
                     </option>
                 </select>
-                <FieldError v-if="form.errors.week_start">{{ form.errors.week_start }}</FieldError>
+                <FieldError v-if="fieldErrors.week_start">{{ fieldErrors.week_start }}</FieldError>
             </Field>
         </template>
 
         <template #actions>
-            <ActionMessage :on="form.recentlySuccessful" class="me-3"> Saved. </ActionMessage>
+            <ActionMessage :on="recentlySaved" class="me-3"> Saved. </ActionMessage>
 
-            <PrimaryButton :class="{ 'opacity-25': form.processing }" :disabled="form.processing">
+            <PrimaryButton :class="{ 'opacity-25': isSaveDisabled }" :disabled="isSaveDisabled">
                 Save
             </PrimaryButton>
         </template>

resources/js/Pages/Profile/Show.vue

@@ -39,7 +39,7 @@ const page = usePage<{
         <div>
             <div class="max-w-7xl mx-auto py-10 sm:px-6 lg:px-8">
                 <div v-if="page.props.jetstream.canUpdateProfileInformation">
-                    <UpdateProfileInformationForm :user="page.props.auth.user" />
+                    <UpdateProfileInformationForm />
 
                     <SectionBorder />
                 </div>

resources/js/packages/api/package.json

@@ -12,6 +12,7 @@
     },
     "scripts": {
         "build": "vite build",
+        "watch": "vite build --watch",
         "test": "echo \"Error: no test specified\" && exit 1"
     },
     "files": [
@@ -28,7 +29,7 @@
     "author": "solidtime",
     "license": "AGPL-3.0",
     "devDependencies": {
-        "vite-plugin-dts": "^4.0.3"
+        "vite-plugin-dts": "^4.5.4"
     },
     "peerDependencies": {
         "@zodios/core": "^10.9.6",

resources/js/packages/api/src/index.ts

@@ -122,6 +122,9 @@ export type CreateInvoiceBody = ZodiosBodyByAlias<SolidTimeApi, 'createInvoice'>
 
 export type UpdateInvoiceBody = ZodiosBodyByAlias<SolidTimeApi, 'updateInvoice'>;
 
+export type User = ZodiosResponseByAlias<SolidTimeApi, 'getMe'>['data'];
+export type UpdateUserBody = ZodiosBodyByAlias<SolidTimeApi, 'updateUser'>;
+
 const api = createApiClient('/api', { validate: 'none' });
 
 export { createApiClient, api };

resources/js/packages/api/src/openapi.json.client.ts

@@ -688,11 +688,22 @@ const UserResource = z
         id: z.string(),
         name: z.string(),
         email: z.string(),
+        pending_email: z.union([z.string(), z.null()]),
         profile_photo_url: z.string(),
         timezone: z.string(),
         week_start: Weekday,
     })
     .passthrough();
+const UserUpdateRequest = z
+    .object({
+        name: z.string(),
+        email: z.string(),
+        photo: z.union([z.string(), z.null()]),
+        timezone: z.string(),
+        week_start: Weekday,
+    })
+    .partial()
+    .passthrough();
 const PersonalMembershipResource = z
     .object({
         id: z.string(),
@@ -764,6 +775,7 @@ export const schemas = {
     TimeEntryUpdateMultipleRequest,
     TimeEntryUpdateRequest,
     UserResource,
+    UserUpdateRequest,
     PersonalMembershipResource,
 };
 
@@ -1886,6 +1898,54 @@ const endpoints = makeApi([
             },
         ],
     },
+    {
+        method: 'post',
+        path: '/v1/organizations/:organization/invoices/:invoice/copy',
+        alias: 'copyInvoice',
+        requestFormat: 'json',
+        parameters: [
+            {
+                name: 'body',
+                type: 'Body',
+                schema: z.object({ reference: z.string() }).passthrough(),
+            },
+            {
+                name: 'organization',
+                type: 'Path',
+                schema: z.string(),
+            },
+            {
+                name: 'invoice',
+                type: 'Path',
+                schema: z.string(),
+            },
+        ],
+        response: z.object({ data: DetailedInvoiceResource }).passthrough(),
+        errors: [
+            {
+                status: 401,
+                description: `Unauthenticated`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 403,
+                description: `Authorization error`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 404,
+                description: `Not found`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 422,
+                description: `Validation error`,
+                schema: z
+                    .object({ message: z.string(), errors: z.record(z.array(z.string())) })
+                    .passthrough(),
+            },
+        ],
+    },
     {
         method: 'get',
         path: '/v1/organizations/:organization/invoices/:invoice',
@@ -4419,7 +4479,7 @@ The report is considered public if the `is_public` field is set to &#x
         method: 'get',
         path: '/v1/users/me',
         alias: 'getMe',
-        description: `This endpoint is independent of organization.`,
+        description: `This endpoint is independent of the organization.`,
         requestFormat: 'json',
         response: z.object({ data: UserResource }).passthrough(),
         errors: [
@@ -4435,6 +4495,150 @@ The report is considered public if the `is_public` field is set to &#x
             },
         ],
     },
+    {
+        method: 'put',
+        path: '/v1/users/:user',
+        alias: 'updateUser',
+        description: `This endpoint is independent of the organization.`,
+        requestFormat: 'json',
+        parameters: [
+            {
+                name: 'body',
+                type: 'Body',
+                schema: UserUpdateRequest,
+            },
+            {
+                name: 'user',
+                type: 'Path',
+                schema: z.string(),
+            },
+        ],
+        response: z.object({ data: UserResource }).passthrough(),
+        errors: [
+            {
+                status: 401,
+                description: `Unauthenticated`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 403,
+                description: `Authorization error`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 422,
+                description: `Validation error`,
+                schema: z
+                    .object({ message: z.string(), errors: z.record(z.array(z.string())) })
+                    .passthrough(),
+            },
+        ],
+    },
+    {
+        method: 'delete',
+        path: '/v1/users/:user',
+        alias: 'deleteUser',
+        description: `This endpoint is independent of the organization.`,
+        requestFormat: 'json',
+        parameters: [
+            {
+                name: 'user',
+                type: 'Path',
+                schema: z.string(),
+            },
+        ],
+        response: z.void(),
+        errors: [
+            {
+                status: 400,
+                description: `API exception`,
+                schema: z
+                    .object({ error: z.boolean(), key: z.string(), message: z.string() })
+                    .passthrough(),
+            },
+            {
+                status: 401,
+                description: `Unauthenticated`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 403,
+                description: `Authorization error`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 404,
+                description: `Not found`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+        ],
+    },
+    {
+        method: 'post',
+        path: '/v1/users/:user/reset-pending-email',
+        alias: 'resetUserPendingEmail',
+        description: `This endpoint is independent of the organization.`,
+        requestFormat: 'json',
+        parameters: [
+            {
+                name: 'user',
+                type: 'Path',
+                schema: z.string(),
+            },
+        ],
+        response: z.void(),
+        errors: [
+            {
+                status: 401,
+                description: `Unauthenticated`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 403,
+                description: `Authorization error`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 404,
+                description: `Not found`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+        ],
+    },
+    {
+        method: 'post',
+        path: '/v1/users/:user/resend-email-verification',
+        alias: 'resendUserEmailVerification',
+        description: `This endpoint is independent of the organization.`,
+        requestFormat: 'json',
+        parameters: [
+            {
+                name: 'user',
+                type: 'Path',
+                schema: z.string(),
+            },
+        ],
+        response: z.void(),
+        errors: [
+            {
+                status: 400,
+                description: `API exception`,
+                schema: z
+                    .object({ error: z.boolean(), key: z.string(), message: z.string() })
+                    .passthrough(),
+            },
+            {
+                status: 401,
+                description: `Unauthenticated`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+            {
+                status: 403,
+                description: `Authorization error`,
+                schema: z.object({ message: z.string() }).passthrough(),
+            },
+        ],
+    },
     {
         method: 'get',
         path: '/v1/users/me/api-tokens',

resources/js/packages/ui/package.json

@@ -48,10 +48,10 @@
     "author": "solidtime",
     "license": "AGPL-3.0",
     "devDependencies": {
-        "@types/chroma-js": "^3.1.0",
+        "@types/chroma-js": "^3.1.2",
         "@zodios/core": "^10.9.6",
-        "vite-plugin-dts": "^4.0.3",
-        "zod": "^3.23.8"
+        "vite-plugin-dts": "^4.5.4",
+        "zod": "^3.25.76"
     },
     "peerDependencies": {
         "@floating-ui/vue": "^1.1.4",
@@ -64,7 +64,7 @@
         "class-variance-authority": "^0.7.1",
         "clsx": "^2.1.1",
         "dayjs": "^1.11.13",
-        "lucide-vue-next": ">=0.453.0",
+        "@lucide/vue": ">=1.0.0",
         "@internationalized/date": "^3.0.0",
         "parse-duration": "^2.0.1",
         "radix-vue": "^1.9.0",

resources/js/packages/ui/src/Client/ClientDropdown.vue

@@ -11,7 +11,7 @@ import {
 } from 'radix-vue';
 import { UseFocusTrap } from '@vueuse/integrations/useFocusTrap/component';
 import Dropdown from '@/packages/ui/src/Input/Dropdown.vue';
-import { Check, Plus } from 'lucide-vue-next';
+import { Check, Plus } from '@lucide/vue';
 
 const model = defineModel<string | null>({
     default: null,

resources/js/packages/ui/src/FullCalendar/CalendarSettingsPopover.vue

@@ -2,7 +2,7 @@
 import { Popover, PopoverContent, PopoverTrigger, Button } from '..';
 import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '..';
 import { Field, FieldLabel } from '../field';
-import { Settings } from 'lucide-vue-next';
+import { Settings } from '@lucide/vue';
 import { ref, watch } from 'vue';
 import type { CalendarSettings } from './calendarSettings';
 

resources/js/packages/ui/src/FullCalendar/CalendarToolbar.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { Button } from '..';
-import { ChevronLeft, ChevronRight } from 'lucide-vue-next';
+import { ChevronLeft, ChevronRight } from '@lucide/vue';
 import { Tabs, TabsList } from '../tabs';
 import TabBarItem from '../TabBar/TabBarItem.vue';
 import CalendarSettingsPopover from './CalendarSettingsPopover.vue';

resources/js/packages/ui/src/Input/BillableRateInput.vue

@@ -24,7 +24,7 @@ const billableRateInput = ref<HTMLInputElement | null>(null);
 useFocus(billableRateInput, { initialValue: props.focus });
 
 function formatValue(modelValue: number | null) {
-    return modelValue ? modelValue / 100 : 0;
+    return modelValue ? modelValue / 100 : null;
 }
 </script>
 
@@ -43,7 +43,7 @@ function formatValue(modelValue: number | null) {
                 currencyDisplay: 'code',
                 currencySign: 'accounting',
             }"
-            @update:model-value="(value) => (model = value * 100)">
+            @update:model-value="(value) => (model = value ? value * 100 : null)">
             <NumberFieldContent>
                 <NumberFieldDecrement />
                 <NumberFieldInput placeholder="Billable Rate" />

resources/js/packages/ui/src/Input/DatePicker.vue

@@ -9,7 +9,7 @@ import {
 import { Popover, PopoverContent, PopoverTrigger } from '@/packages/ui/src/popover';
 import { Calendar } from '..';
 import { Button } from '@/packages/ui/src/Buttons';
-import { CalendarIcon, XIcon } from 'lucide-vue-next';
+import { CalendarIcon, XIcon } from '@lucide/vue';
 import { parseDate, type DateValue } from '@internationalized/date';
 import type { Organization } from '@/packages/api/src';
 

resources/js/packages/ui/src/Input/DateRangePicker.vue

@@ -3,7 +3,7 @@ import { Popover, PopoverContent, PopoverTrigger } from '../popover';
 import Button from '../Buttons/Button.vue';
 import { RangeCalendar } from '../range-calendar';
 import { CalendarDate } from '@internationalized/date';
-import { CalendarIcon } from 'lucide-vue-next';
+import { CalendarIcon } from '@lucide/vue';
 import { computed, ref, inject, type ComputedRef, watch } from 'vue';
 import { twMerge } from 'tailwind-merge';
 import {

resources/js/packages/ui/src/Project/ProjectCreateModal.vue

@@ -10,7 +10,7 @@ import { useFocus } from '@vueuse/core';
 import ClientDropdown from '@/packages/ui/src/Client/ClientDropdown.vue';
 import ProjectColorSelector from '@/packages/ui/src/Project/ProjectColorSelector.vue';
 import { Button } from '@/packages/ui/src/Buttons';
-import { ChevronDown } from 'lucide-vue-next';
+import { ChevronDown } from '@lucide/vue';
 import { UserCircleIcon } from '@heroicons/vue/20/solid';
 import EstimatedTimeSection from '@/packages/ui/src/EstimatedTimeSection.vue';
 import { Field, FieldGroup, FieldLabel } from '../field';

resources/js/packages/ui/src/accordion/AccordionTrigger.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { cn } from '../utils/cn';
-import { ChevronDown } from 'lucide-vue-next';
+import { ChevronDown } from '@lucide/vue';
 import { AccordionHeader, AccordionTrigger, type AccordionTriggerProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/calendar/CalendarCell.vue

@@ -1,7 +1,7 @@
 <script lang="ts" setup>
 import { CalendarCell, type CalendarCellProps, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
-import { twMerge } from 'tailwind-merge';
+import { cn } from '../utils/cn';
 
 const props = defineProps<CalendarCellProps & { class?: HTMLAttributes['class'] }>();
 
@@ -17,7 +17,7 @@ const forwardedProps = useForwardProps(delegatedProps);
 <template>
     <CalendarCell
         :class="
-            twMerge(
+            cn(
                 'relative p-0 text-center text-sm focus-within:relative focus-within:z-20 [&:has([data-selected])]:rounded-md [&:has([data-selected])]:bg-accent [&:has([data-selected][data-outside-view])]:bg-accent/50',
                 props.class
             )

resources/js/packages/ui/src/calendar/CalendarNextButton.vue

@@ -1,6 +1,6 @@
 <script lang="ts" setup>
 import { cn, buttonVariants } from '@/packages/ui/src/index';
-import { ChevronRight } from 'lucide-vue-next';
+import { ChevronRight } from '@lucide/vue';
 import { CalendarNext, type CalendarNextProps, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/calendar/CalendarPrevButton.vue

@@ -1,6 +1,6 @@
 <script lang="ts" setup>
 import { cn, buttonVariants } from '@/packages/ui/src';
-import { ChevronLeft } from 'lucide-vue-next';
+import { ChevronLeft } from '@lucide/vue';
 import { CalendarPrev, type CalendarPrevProps, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/command/CommandInput.vue

@@ -2,7 +2,7 @@
 import type { ListboxFilterProps } from 'reka-ui';
 import type { HTMLAttributes } from 'vue';
 import { reactiveOmit } from '@vueuse/core';
-import { Search } from 'lucide-vue-next';
+import { Search } from '@lucide/vue';
 import { ListboxFilter, useForwardProps } from 'reka-ui';
 import { cn } from '../utils/cn';
 import { useCommand } from '.';

resources/js/packages/ui/src/context-menu/ContextMenuCheckboxItem.vue

@@ -2,7 +2,7 @@
 import type { ContextMenuCheckboxItemEmits, ContextMenuCheckboxItemProps } from 'reka-ui';
 import type { HTMLAttributes } from 'vue';
 import { reactiveOmit } from '@vueuse/core';
-import { Check } from 'lucide-vue-next';
+import { Check } from '@lucide/vue';
 import { ContextMenuCheckboxItem, ContextMenuItemIndicator, useForwardPropsEmits } from 'reka-ui';
 import { cn } from '../utils/cn';
 

resources/js/packages/ui/src/context-menu/ContextMenuRadioItem.vue

@@ -2,7 +2,7 @@
 import type { ContextMenuRadioItemEmits, ContextMenuRadioItemProps } from 'reka-ui';
 import type { HTMLAttributes } from 'vue';
 import { reactiveOmit } from '@vueuse/core';
-import { Circle } from 'lucide-vue-next';
+import { Circle } from '@lucide/vue';
 import { ContextMenuItemIndicator, ContextMenuRadioItem, useForwardPropsEmits } from 'reka-ui';
 import { cn } from '../utils/cn';
 

resources/js/packages/ui/src/context-menu/ContextMenuSubTrigger.vue

@@ -2,7 +2,7 @@
 import type { ContextMenuSubTriggerProps } from 'reka-ui';
 import type { HTMLAttributes } from 'vue';
 import { reactiveOmit } from '@vueuse/core';
-import { ChevronRight } from 'lucide-vue-next';
+import { ChevronRight } from '@lucide/vue';
 import { ContextMenuSubTrigger, useForwardProps } from 'reka-ui';
 import { cn } from '../utils/cn';
 

resources/js/packages/ui/src/dialog/DialogScrollContent.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { cn } from '../utils/cn';
-import { X } from 'lucide-vue-next';
+import { X } from '@lucide/vue';
 import {
     DialogClose,
     DialogContent,

resources/js/packages/ui/src/dropdown-menu/DropdownMenuCheckboxItem.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { cn } from '../utils/cn';
-import { Check } from 'lucide-vue-next';
+import { Check } from '@lucide/vue';
 import {
     DropdownMenuCheckboxItem,
     type DropdownMenuCheckboxItemEmits,

resources/js/packages/ui/src/dropdown-menu/DropdownMenuRadioItem.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { cn } from '../utils/cn';
-import { Circle } from 'lucide-vue-next';
+import { Circle } from '@lucide/vue';
 import {
     DropdownMenuItemIndicator,
     DropdownMenuRadioItem,

resources/js/packages/ui/src/dropdown-menu/DropdownMenuSubTrigger.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { cn } from '../utils/cn';
-import { ChevronRight } from 'lucide-vue-next';
+import { ChevronRight } from '@lucide/vue';
 import { DropdownMenuSubTrigger, type DropdownMenuSubTriggerProps, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/number-field/NumberFieldDecrement.vue

@@ -1,7 +1,7 @@
 <script setup lang="ts">
 import type { NumberFieldDecrementProps } from 'reka-ui';
 import { cn } from '../utils/cn';
-import { Minus } from 'lucide-vue-next';
+import { Minus } from '@lucide/vue';
 import { NumberFieldDecrement, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/number-field/NumberFieldIncrement.vue

@@ -1,7 +1,7 @@
 <script setup lang="ts">
 import type { NumberFieldIncrementProps } from 'reka-ui';
 import { cn } from '../utils/cn';
-import { Plus } from 'lucide-vue-next';
+import { Plus } from '@lucide/vue';
 import { NumberFieldIncrement, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/range-calendar/RangeCalendarNextButton.vue

@@ -1,6 +1,6 @@
 <script lang="ts" setup>
 import { cn, buttonVariants } from '@/packages/ui/src';
-import { ChevronRight } from 'lucide-vue-next';
+import { ChevronRight } from '@lucide/vue';
 import { RangeCalendarNext, type RangeCalendarNextProps, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/range-calendar/RangeCalendarPrevButton.vue

@@ -1,6 +1,6 @@
 <script lang="ts" setup>
 import { cn, buttonVariants } from '@/packages/ui/src';
-import { ChevronLeft } from 'lucide-vue-next';
+import { ChevronLeft } from '@lucide/vue';
 import { RangeCalendarPrev, type RangeCalendarPrevProps, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/select/SelectItem.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { cn } from '../utils/cn';
-import { Check } from 'lucide-vue-next';
+import { Check } from '@lucide/vue';
 import {
     SelectItem,
     SelectItemIndicator,

resources/js/packages/ui/src/select/SelectScrollDownButton.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { cn } from '../utils/cn';
-import { ChevronDown } from 'lucide-vue-next';
+import { ChevronDown } from '@lucide/vue';
 import { SelectScrollDownButton, type SelectScrollDownButtonProps, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/select/SelectScrollUpButton.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { cn } from '../utils/cn';
-import { ChevronUp } from 'lucide-vue-next';
+import { ChevronUp } from '@lucide/vue';
 import { SelectScrollUpButton, type SelectScrollUpButtonProps, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/src/select/SelectTrigger.vue

@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { cn } from '../utils/cn';
-import { ChevronDown } from 'lucide-vue-next';
+import { ChevronDown } from '@lucide/vue';
 import { SelectIcon, SelectTrigger, type SelectTriggerProps, useForwardProps } from 'reka-ui';
 import { computed, type HTMLAttributes } from 'vue';
 

resources/js/packages/ui/vite.config.js

@@ -19,7 +19,7 @@ export default defineConfig({
             // into your library
             external: [
                 'vue',
-                'lucide-vue-next',
+                '@lucide/vue',
                 '@floating-ui/vue',
                 '@heroicons/vue',
                 /^@heroicons\/vue\/.*/,

resources/js/types/models.d.ts

@@ -63,6 +63,7 @@ export interface User {
     id: string;
     name: string;
     email: string;
+    pending_email: string | null;
     email_verified_at: string | null;
     password?: string;
     remember_token?: string | null;

resources/js/types/models.ts

@@ -80,6 +80,7 @@ export interface User {
     id: string;
     name: string;
     email: string;
+    pending_email: string | null;
     email_verified_at: string | null;
     password?: string;
     remember_token?: string | null;

resources/js/utils/useUserQuery.ts

@@ -0,0 +1,113 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/vue-query';
+import { computed } from 'vue';
+import axios from 'axios';
+import { api, type UpdateUserBody, type User } from '@/packages/api/src';
+import { useNotificationsStore } from '@/utils/notification';
+
+const ME_QUERY_KEY = ['me'] as const;
+
+export function useUserQuery() {
+    const query = useQuery({
+        queryKey: ME_QUERY_KEY,
+        queryFn: async () => {
+            const response = await api.getMe();
+            return response.data;
+        },
+        staleTime: 1000 * 30,
+    });
+
+    const user = computed<User | undefined>(() => query.data.value);
+
+    return { ...query, user };
+}
+
+export function useUpdateUserMutation() {
+    const queryClient = useQueryClient();
+    const { addNotification } = useNotificationsStore();
+
+    return useMutation({
+        mutationFn: async ({
+            userId,
+            body,
+        }: {
+            userId: string;
+            body: UpdateUserBody;
+        }): Promise<User> => {
+            try {
+                const response = await api.updateUser(body, { params: { user: userId } });
+                return response.data;
+            } catch (error) {
+                // 422 field errors are rendered inline by the form; suppress the toast for those.
+                // Re-throw the AxiosError so consumers can read response.data.errors.
+                if (!axios.isAxiosError(error) || error.response?.status !== 422) {
+                    addNotification(
+                        'error',
+                        'Failed to update profile',
+                        axios.isAxiosError(error)
+                            ? (error.response?.data?.message ?? 'Please try again later.')
+                            : 'Please try again later.'
+                    );
+                }
+                throw error;
+            }
+        },
+        onSuccess: () => {
+            queryClient.invalidateQueries({ queryKey: ME_QUERY_KEY });
+        },
+    });
+}
+
+export function useDeleteUserMutation() {
+    const { addNotification } = useNotificationsStore();
+
+    return useMutation({
+        mutationFn: async (userId: string) => {
+            try {
+                await api.deleteUser(undefined, { params: { user: userId } });
+            } catch (error) {
+                if (!axios.isAxiosError(error) || error.response?.status !== 422) {
+                    addNotification(
+                        'error',
+                        'Failed to delete account',
+                        axios.isAxiosError(error)
+                            ? (error.response?.data?.message ?? 'Please try again later.')
+                            : 'Please try again later.'
+                    );
+                }
+                throw error;
+            }
+        },
+    });
+}
+
+export function useResendUserEmailVerificationMutation() {
+    const { handleApiRequestNotifications } = useNotificationsStore();
+
+    return useMutation({
+        mutationFn: async (userId: string) => {
+            return handleApiRequestNotifications(
+                () => api.resendUserEmailVerification(undefined, { params: { user: userId } }),
+                'Verification email sent',
+                'Failed to resend verification email'
+            );
+        },
+    });
+}
+
+export function useResetUserPendingEmailMutation() {
+    const queryClient = useQueryClient();
+    const { handleApiRequestNotifications } = useNotificationsStore();
+
+    return useMutation({
+        mutationFn: async (userId: string) => {
+            return handleApiRequestNotifications(
+                () => api.resetUserPendingEmail(undefined, { params: { user: userId } }),
+                'Email change canceled',
+                'Failed to cancel email change'
+            );
+        },
+        onSuccess: () => {
+            queryClient.invalidateQueries({ queryKey: ME_QUERY_KEY });
+        },
+    });
+}

routes/api.php

@@ -64,6 +64,7 @@ Route::prefix('v1')->name('v1.')->group(static function (): void {
             Route::put('/users/{user}', [UserController::class, 'update'])->name('update');
             Route::post('/users/{user}/resend-email-verification', [UserController::class, 'resendEmailVerification'])->name('resend-email-verification');
             Route::delete('/users/{user}', [UserController::class, 'destroy'])->name('destroy');
+            Route::post('/users/{user}/reset-pending-email', [UserController::class, 'resetPendingEmail'])->name('reset-pending-email');
         });
 
         // Api token routes

tests/Feature/CreateOrganizationTest.php

@@ -34,10 +34,10 @@ class CreateOrganizationTest extends TestCase
         // Assert
         $response->assertStatus(302);
         /** @var Organization|null $newOrganization */
-        $ownedTeams = $user->fresh()->ownedTeams;
-        $this->assertCount(2, $ownedTeams);
-        $this->assertTrue($ownedTeams->contains('name', 'Test Organization'));
-        $newOrganization = $ownedTeams->firstWhere('name', 'Test Organization');
+        $ownedOrganizations = $user->fresh()->ownedOrganizations;
+        $this->assertCount(2, $ownedOrganizations);
+        $this->assertTrue($ownedOrganizations->contains('name', 'Test Organization'));
+        $newOrganization = $ownedOrganizations->firstWhere('name', 'Test Organization');
         /** @var Member $member */
         $member = Member::query()->whereBelongsTo($user, 'user')->whereBelongsTo($newOrganization, 'organization')->firstOrFail();
         $this->assertSame(Role::Owner->value, $member->role);

tests/Feature/DeleteOrganizationTest.php

@@ -36,15 +36,15 @@ class DeleteOrganizationTest extends TestCase
 
         // Assert
         $this->assertNull($organization->fresh());
-        $this->assertCount(1, $otherUser->fresh()->teams);
-        $this->assertFalse($otherUser->fresh()->teams->first()->is($organization));
+        $this->assertCount(1, $otherUser->fresh()->organizations);
+        $this->assertFalse($otherUser->fresh()->organizations->first()->is($organization));
     }
 
     public function test_personal_organizations_can_be_deleted_but_user_gets_an_new_one_if_this_is_the_only_one_left(): void
     {
         // Arrange
         $user = User::factory()->withPersonalOrganization()->create();
-        $organization = $user->currentTeam;
+        $organization = $user->currentOrganization;
         $this->actingAs($user);
 
         // Act
@@ -55,7 +55,7 @@ class DeleteOrganizationTest extends TestCase
         $this->assertDatabaseMissing(Organization::class, [
             'id' => $organization->getKey(),
         ]);
-        $this->assertTrue($user->currentTeam->isNot($organization));
+        $this->assertTrue($user->currentOrganization->isNot($organization));
     }
 
     public function test_organization_can_not_be_deleted_if_user_is_not_owner(): void

tests/Feature/InviteTeamMemberTest.php

@@ -24,7 +24,7 @@ class InviteTeamMemberTest extends TestCase
         $this->actingAs($user = User::factory()->withPersonalOrganization()->create());
 
         // Act
-        $response = $this->post('/teams/'.$user->currentTeam->id.'/members', [
+        $response = $this->post('/teams/'.$user->currentOrganization->id.'/members', [
             'email' => 'test@example.com',
             'role' => 'admin',
         ]);
@@ -42,7 +42,7 @@ class InviteTeamMemberTest extends TestCase
 
         $this->actingAs($user = User::factory()->withPersonalOrganization()->create());
 
-        $invitation = $user->currentTeam->teamInvitations()->create([
+        $invitation = $user->currentOrganization->organizationInvitations()->create([
             'email' => 'test@example.com',
             'role' => 'admin',
         ]);
@@ -52,7 +52,7 @@ class InviteTeamMemberTest extends TestCase
 
         // Assert
         $response->assertStatus(403);
-        $this->assertCount(1, $user->currentTeam->fresh()->teamInvitations);
+        $this->assertCount(1, $user->currentOrganization->fresh()->organizationInvitations);
     }
 
     public function test_team_member_invitations_can_be_accepted(): void
@@ -61,7 +61,7 @@ class InviteTeamMemberTest extends TestCase
         Mail::fake();
         $owner = User::factory()->withPersonalOrganization()->create();
         $user = User::factory()->withPersonalOrganization()->create();
-        $invitation = $owner->currentTeam->teamInvitations()->create([
+        $invitation = $owner->currentOrganization->organizationInvitations()->create([
             'email' => $user->email,
             'role' => Role::Employee->value,
         ]);
@@ -76,10 +76,10 @@ class InviteTeamMemberTest extends TestCase
         $response = $this->get($acceptUrl);
 
         // Assert
-        $this->assertCount(0, $owner->currentTeam->fresh()->teamInvitations);
+        $this->assertCount(0, $owner->currentOrganization->fresh()->organizationInvitations);
         $user->refresh();
         $this->assertCount(2, $user->organizations);
-        $this->assertContains($owner->currentTeam->getKey(), $user->organizations->pluck('id'));
+        $this->assertContains($owner->currentOrganization->getKey(), $user->organizations->pluck('id'));
     }
 
     public function test_team_member_invitations_of_placeholder_can_be_accepted_and_migrates_date_to_real_user(): void
@@ -88,15 +88,15 @@ class InviteTeamMemberTest extends TestCase
         Mail::fake();
         $placeholder = User::factory()->placeholder()->create();
         $owner = User::factory()->withPersonalOrganization()->create();
-        $placeholderMember = Member::factory()->role(Role::Placeholder)->forOrganization($owner->currentTeam)->forUser($placeholder)->create();
+        $placeholderMember = Member::factory()->role(Role::Placeholder)->forOrganization($owner->currentOrganization)->forUser($placeholder)->create();
 
-        $timeEntries = TimeEntry::factory()->forOrganization($owner->currentTeam)->forMember($placeholderMember)->createMany(5);
+        $timeEntries = TimeEntry::factory()->forOrganization($owner->currentOrganization)->forMember($placeholderMember)->createMany(5);
 
         $user = User::factory()->withPersonalOrganization()->create([
             'email' => $placeholder->email,
         ]);
 
-        $invitation = $owner->currentTeam->teamInvitations()->create([
+        $invitation = $owner->currentOrganization->organizationInvitations()->create([
             'email' => $user->email,
             'role' => Role::Employee->value,
         ]);
@@ -114,9 +114,9 @@ class InviteTeamMemberTest extends TestCase
         $response->assertRedirect();
         $user->refresh();
         $this->assertDatabaseMissing(User::class, ['id' => $placeholder->id]);
-        $this->assertCount(0, $owner->currentTeam->fresh()->teamInvitations);
+        $this->assertCount(0, $owner->currentOrganization->fresh()->organizationInvitations);
         $this->assertCount(2, $user->organizations);
-        $this->assertContains($owner->currentTeam->getKey(), $user->organizations->pluck('id'));
+        $this->assertContains($owner->currentOrganization->getKey(), $user->organizations->pluck('id'));
         $this->assertCount(5, $user->timeEntries);
     }
 
@@ -126,7 +126,7 @@ class InviteTeamMemberTest extends TestCase
         Mail::fake();
         $owner = User::factory()->withPersonalOrganization()->create();
         $user = User::factory()->withPersonalOrganization()->create();
-        $invitation = $owner->currentTeam->teamInvitations()->create([
+        $invitation = $owner->currentOrganization->organizationInvitations()->create([
             'email' => 'firstname.lastname@mail.test',
             'role' => Role::Employee->value,
         ]);
@@ -141,7 +141,7 @@ class InviteTeamMemberTest extends TestCase
         $response = $this->get($acceptUrl);
 
         // Assert
-        $this->assertCount(1, $owner->currentTeam->fresh()->teamInvitations);
+        $this->assertCount(1, $owner->currentOrganization->fresh()->organizationInvitations);
         $user->refresh();
         $this->assertCount(1, $user->organizations);
     }

tests/Feature/LeaveTeamTest.php

@@ -17,17 +17,17 @@ class LeaveTeamTest extends TestCase
         // Arrange
         $user = User::factory()->withPersonalOrganization()->create();
 
-        $user->currentTeam->users()->attach(
+        $user->currentOrganization->users()->attach(
             $otherUser = User::factory()->create(), ['role' => 'admin']
         );
 
         $this->actingAs($otherUser);
 
         // Act
-        $response = $this->delete('/teams/'.$user->currentTeam->id.'/members/'.$otherUser->id);
+        $response = $this->delete('/teams/'.$user->currentOrganization->id.'/members/'.$otherUser->id);
 
         // Assert
         $response->assertStatus(403);
-        $this->assertCount(2, $user->currentTeam->fresh()->users);
+        $this->assertCount(2, $user->currentOrganization->fresh()->users);
     }
 }

tests/Feature/ProfileInformationTest.php

@@ -108,10 +108,9 @@ class ProfileInformationTest extends TestCase
         $response = $this->get($verificationUrl);
 
         // Assert
-        $response->assertRedirect(route('dashboard', [
-            'bannerStyle' => 'success',
-            'bannerText' => 'Your email address has been updated successfully.',
-        ]));
+        $response->assertRedirect(route('dashboard'));
+        $response->assertSessionHas('bannerStyle', 'success');
+        $response->assertSessionHas('bannerText', 'Your email address has been updated successfully.');
         $user = $user->fresh();
         $this->assertEquals('new.email@example.com', $user->email);
         $this->assertNull($user->pending_email);
@@ -144,6 +143,40 @@ class ProfileInformationTest extends TestCase
         $this->assertEquals('new.email@example.com', $user->pending_email);
     }
 
+    public function test_pending_email_verification_redirects_with_danger_banner_when_email_already_in_use(): void
+    {
+        // Arrange
+        User::factory()->create([
+            'email' => 'taken@example.com',
+            'is_placeholder' => false,
+        ]);
+        $user = User::factory()->create([
+            'email' => 'current@example.com',
+            'pending_email' => 'taken@example.com',
+        ]);
+        $this->actingAs($user);
+        $verificationUrl = URL::temporarySignedRoute(
+            'users.verify-email-change',
+            now()->addMinutes(60),
+            [
+                'user' => $user->getKey(),
+                'email' => 'taken@example.com',
+            ],
+            false
+        );
+
+        // Act
+        $response = $this->get($verificationUrl);
+
+        // Assert
+        $response->assertRedirect(route('dashboard'));
+        $response->assertSessionHas('bannerStyle', 'danger');
+        $response->assertSessionHas('bannerText', 'The email address is already in use.');
+        $user = $user->fresh();
+        $this->assertEquals('current@example.com', $user->email);
+        $this->assertEquals('taken@example.com', $user->pending_email);
+    }
+
     public function test_stale_pending_email_verification_link_is_rejected(): void
     {
         // Arrange

tests/Feature/RemoveTeamMemberTest.php

@@ -17,12 +17,12 @@ class RemoveTeamMemberTest extends TestCase
         // Arrange
         $this->actingAs($user = User::factory()->withPersonalOrganization()->create());
 
-        $user->currentTeam->users()->attach(
+        $user->currentOrganization->users()->attach(
             $otherUser = User::factory()->create(), ['role' => 'admin']
         );
 
         // Act
-        $response = $this->delete('/teams/'.$user->currentTeam->id.'/members/'.$otherUser->id);
+        $response = $this->delete('/teams/'.$user->currentOrganization->id.'/members/'.$otherUser->id);
 
         // Assert
         $response->assertStatus(403);

tests/Feature/UpdateTeamMemberRoleTest.php

@@ -19,12 +19,12 @@ class UpdateTeamMemberRoleTest extends TestCase
         $user = User::factory()->withPersonalOrganization()->create();
         $this->actingAs($user);
 
-        $user->currentTeam->users()->attach(
+        $user->currentOrganization->users()->attach(
             $otherUser = User::factory()->create(), ['role' => 'admin']
         );
 
         // Act
-        $response = $this->put('/teams/'.$user->currentTeam->id.'/members/'.$otherUser->id, [
+        $response = $this->put('/teams/'.$user->currentOrganization->id.'/members/'.$otherUser->id, [
             'role' => Role::Employee->value,
         ]);
 

tests/Feature/UpdateTeamTest.php

@@ -32,15 +32,15 @@ class UpdateTeamTest extends TestCase
         $this->actingAs($user);
 
         // Act
-        $response = $this->put('/teams/'.$user->currentTeam->id, [
+        $response = $this->put('/teams/'.$user->currentOrganization->id, [
             'name' => 'Test Organization',
             'currency' => 'USD',
         ]);
 
         // Assert
         $response->assertValid(errorBag: 'updateTeamName');
-        $this->assertCount(1, $user->fresh()->ownedTeams);
-        $organization = $user->currentTeam->fresh();
+        $this->assertCount(1, $user->fresh()->ownedOrganizations);
+        $organization = $user->currentOrganization->fresh();
         $this->assertEquals('Test Organization', $organization->name);
         $this->assertEquals('USD', $organization->currency);
     }

tests/Unit/Endpoint/Api/V1/UserEndpointTest.php

@@ -133,6 +133,59 @@ class UserEndpointTest extends ApiEndpointTestAbstract
         });
     }
 
+    public function test_update_with_the_current_email_does_not_change_pending_email_or_send_a_mail(): void
+    {
+        // Arrange
+        Mail::fake();
+        $data = $this->createUserWithPermission();
+        $data->user->email = 'current@example.com';
+        $data->user->pending_email = null;
+        $data->user->save();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->putJson(route('api.v1.users.update', $data->user->getKey()), [
+            'email' => 'current@example.com',
+        ]);
+
+        // Assert
+        $response->assertSuccessful();
+        $user = $data->user->fresh();
+        $this->assertSame('current@example.com', $user->email);
+        $this->assertNull($user->pending_email);
+        Mail::assertNothingSent();
+    }
+
+    public function test_update_fails_if_email_format_is_invalid(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->putJson(route('api.v1.users.update', $data->user->getKey()), [
+            'email' => 'not-an-email',
+        ]);
+
+        // Assert
+        $response->assertUnprocessable();
+        $response->assertJsonValidationErrors(['email']);
+    }
+
+    public function test_update_fails_when_not_authenticated(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+
+        // Act
+        $response = $this->putJson(route('api.v1.users.update', $data->user->getKey()), [
+            'name' => 'Anonymous Edit',
+        ]);
+
+        // Assert
+        $response->assertUnauthorized();
+    }
+
     public function test_resend_email_verification_sends_pending_email_verification_email(): void
     {
         // Arrange
@@ -192,6 +245,67 @@ class UserEndpointTest extends ApiEndpointTestAbstract
         Mail::assertNotQueued(VerifyUpdatedEmailMail::class);
     }
 
+    public function test_reset_pending_email_clears_pending_email(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+        $data->user->pending_email = 'new.email@example.com';
+        $data->user->save();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->postJson(route('api.v1.users.reset-pending-email', $data->user->getKey()));
+
+        // Assert
+        $response->assertNoContent();
+        $this->assertNull($data->user->fresh()->pending_email);
+    }
+
+    public function test_reset_pending_email_fails_if_given_id_is_not_the_authenticated_user(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+        $data->user->pending_email = 'new.email@example.com';
+        $data->user->save();
+        $otherData = $this->createUserWithPermission();
+        Passport::actingAs($otherData->user);
+
+        // Act
+        $response = $this->postJson(route('api.v1.users.reset-pending-email', $data->user->getKey()));
+
+        // Assert
+        $response->assertForbidden();
+        $this->assertSame('new.email@example.com', $data->user->fresh()->pending_email);
+    }
+
+    public function test_reset_pending_email_fails_when_not_authenticated(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+        $data->user->pending_email = 'new.email@example.com';
+        $data->user->save();
+
+        // Act
+        $response = $this->postJson(route('api.v1.users.reset-pending-email', $data->user->getKey()));
+
+        // Assert
+        $response->assertUnauthorized();
+        $this->assertSame('new.email@example.com', $data->user->fresh()->pending_email);
+    }
+
+    public function test_reset_pending_email_fails_if_user_does_not_exist(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->postJson(route('api.v1.users.reset-pending-email', 'not-valid'));
+
+        // Assert
+        $response->assertNotFound();
+    }
+
     public function test_update_changes_user_photo_from_base64_encoded_image(): void
     {
         // Arrange
@@ -354,6 +468,94 @@ class UserEndpointTest extends ApiEndpointTestAbstract
         $response->assertJsonValidationErrors(['photo']);
     }
 
+    public function test_update_fails_if_photo_exceeds_1_megabyte(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+        $photo = file_get_contents(resource_path('testfiles/test.png'));
+        $this->assertIsString($photo);
+        $photo .= str_repeat("\0", 1024 * 1024);
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->putJson(route('api.v1.users.update', $data->user->getKey()), [
+            'photo' => base64_encode($photo),
+        ]);
+
+        // Assert
+        $response->assertUnprocessable();
+        $response->assertJsonValidationErrors(['photo']);
+    }
+
+    public function test_update_with_null_photo_deletes_photo_file_and_clears_profile_photo_path(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+        $photoDisk = (string) config('jetstream.profile_photo_disk', 'public');
+        $photoPath = 'profile-photos/existing.png';
+        Storage::fake($photoDisk);
+        Storage::disk($photoDisk)->put($photoPath, 'photo contents');
+        $data->user->profile_photo_path = $photoPath;
+        $data->user->save();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->putJson(route('api.v1.users.update', $data->user->getKey()), [
+            'photo' => null,
+        ]);
+
+        // Assert
+        $response->assertSuccessful();
+        $user = $data->user->fresh();
+        $this->assertNull($user->profile_photo_path);
+        Storage::disk($photoDisk)->assertMissing($photoPath);
+    }
+
+    public function test_update_with_null_photo_is_a_noop_when_user_has_no_photo(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+        $photoDisk = (string) config('jetstream.profile_photo_disk', 'public');
+        Storage::fake($photoDisk);
+        $data->user->profile_photo_path = null;
+        $data->user->save();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->putJson(route('api.v1.users.update', $data->user->getKey()), [
+            'photo' => null,
+        ]);
+
+        // Assert
+        $response->assertSuccessful();
+        $user = $data->user->fresh();
+        $this->assertNull($user->profile_photo_path);
+    }
+
+    public function test_update_without_photo_key_leaves_existing_photo_untouched(): void
+    {
+        // Arrange
+        $data = $this->createUserWithPermission();
+        $photoDisk = (string) config('jetstream.profile_photo_disk', 'public');
+        $photoPath = 'profile-photos/existing.png';
+        Storage::fake($photoDisk);
+        Storage::disk($photoDisk)->put($photoPath, 'photo contents');
+        $data->user->profile_photo_path = $photoPath;
+        $data->user->save();
+        Passport::actingAs($data->user);
+
+        // Act
+        $response = $this->putJson(route('api.v1.users.update', $data->user->getKey()), [
+            'name' => 'Just A Name Change',
+        ]);
+
+        // Assert
+        $response->assertSuccessful();
+        $user = $data->user->fresh();
+        $this->assertSame($photoPath, $user->profile_photo_path);
+        Storage::disk($photoDisk)->assertExists($photoPath);
+    }
+
     public function test_delete_fails_if_given_user_is_not_the_authenticated_user(): void
     {
         // Arrange

tests/Unit/Filament/Resources/UserResourceTest.php

@@ -4,9 +4,11 @@ declare(strict_types=1);
 
 namespace Tests\Unit\Filament\Resources;
 
+use App\Enums\Role;
 use App\Exceptions\Api\CanNotDeleteUserWhoIsOwnerOfOrganizationWithMultipleMembers;
 use App\Filament\Resources\TimeEntryResource;
 use App\Filament\Resources\UserResource;
+use App\Models\Member;
 use App\Models\Organization;
 use App\Models\User;
 use App\Service\DeletionService;
@@ -103,7 +105,7 @@ class UserResourceTest extends FilamentTestCase
         $this->assertSame($userFake->email, $user->email);
         $this->assertSame($userFake->timezone, $user->timezone);
         $this->assertSame($userFake->week_start->value, $user->week_start->value);
-        $organization = $user->ownedTeams()->first();
+        $organization = $user->ownedOrganizations()->first();
         $this->assertNotNull($organization);
         $this->assertSame('EUR', $organization->currency);
         $this->assertTrue(Hash::check('password', $user->password));
@@ -152,7 +154,9 @@ class UserResourceTest extends FilamentTestCase
         // Arrange
         $user = User::factory()->create();
         $ownedOrganization = Organization::factory()->withOwner($user)->create();
+        Member::factory()->forOrganization($ownedOrganization)->forUser($user)->role(Role::Owner)->create();
         $organization = Organization::factory()->create();
+        Member::factory()->forOrganization($organization)->forUser($user)->role(Role::Employee)->create();
 
         // Act
         $response = Livewire::test(UserResource\RelationManagers\OrganizationsRelationManager::class, [
@@ -163,7 +167,7 @@ class UserResourceTest extends FilamentTestCase
         // Assert
         $response->assertSuccessful();
         $response->assertCanSeeTableRecords($user->organizations()->get());
-        $response->assertCanNotSeeTableRecords($user->ownedTeams()->get());
+        $response->assertCanSeeTableRecords($user->ownedOrganizations()->get());
     }
 
     public function test_can_list_related_owned_organizations(): void
@@ -171,7 +175,9 @@ class UserResourceTest extends FilamentTestCase
         // Arrange
         $user = User::factory()->create();
         $ownedOrganization = Organization::factory()->withOwner($user)->create();
+        Member::factory()->forOrganization($ownedOrganization)->forUser($user)->role(Role::Owner)->create();
         $organization = Organization::factory()->create();
+        Member::factory()->forOrganization($organization)->forUser($user)->role(Role::Employee)->create();
 
         // Act
         $response = Livewire::test(UserResource\RelationManagers\OwnedOrganizationsRelationManager::class, [
@@ -181,7 +187,7 @@ class UserResourceTest extends FilamentTestCase
 
         // Assert
         $response->assertSuccessful();
-        $response->assertCanSeeTableRecords($user->ownedTeams()->get());
-        $response->assertCanNotSeeTableRecords($user->organizations()->get());
+        $response->assertCanSeeTableRecords($user->ownedOrganizations()->get());
+        $response->assertCanNotSeeTableRecords([$organization]);
     }
 }

tests/Unit/Model/UserModelTest.php

@@ -62,6 +62,9 @@ class UserModelTest extends ModelTestAbstract
         $user->organizations()->attach($organization, [
             'role' => Role::Employee->value,
         ]);
+        $owner->organizations()->attach($organization, [
+            'role' => Role::Owner->value,
+        ]);
         $otherOrganization = Organization::factory()->create();
         $otherUser = User::factory()->create();
         $otherUser->organizations()->attach($otherOrganization, [
@@ -80,6 +83,70 @@ class UserModelTest extends ModelTestAbstract
         $this->assertContains($owner->getKey(), $userIds);
     }
 
+    public function test_is_member_of_organization_returns_true_for_user_attached_to_organization(): void
+    {
+        // Arrange
+        $organization = Organization::factory()->create();
+        $user = User::factory()->create();
+        $user->organizations()->attach($organization, [
+            'role' => Role::Employee->value,
+        ]);
+
+        // Act
+        $isMemberOfOrganization = $user->isMemberOfOrganization($organization);
+
+        // Assert
+        $this->assertTrue($isMemberOfOrganization);
+    }
+
+    public function test_is_member_of_organization_returns_false_for_user_not_attached_to_organization(): void
+    {
+        // Arrange
+        $organization = Organization::factory()->create();
+        $user = User::factory()->create();
+
+        // Act
+        $isMemberOfOrganization = $user->isMemberOfOrganization($organization);
+
+        // Assert
+        $this->assertFalse($isMemberOfOrganization);
+    }
+
+    public function test_is_member_of_organization_uses_loaded_organizations_relation(): void
+    {
+        // Arrange
+        $organization = Organization::factory()->create();
+        $user = User::factory()
+            ->attachToOrganization($organization, [
+                'role' => Role::Employee->value,
+            ])
+            ->create();
+        $user->load('organizations');
+
+        // Act
+        $isMemberOfOrganization = $user->isMemberOfOrganization($organization);
+
+        // Assert
+        $this->assertTrue($isMemberOfOrganization);
+    }
+
+    public function test_is_member_of_organization_does_not_query_when_organizations_relation_is_loaded(): void
+    {
+        // Arrange
+        $organization = Organization::factory()->create();
+        $user = User::factory()->create();
+        $user->load('organizations');
+        $user->organizations()->attach($organization, [
+            'role' => Role::Employee->value,
+        ]);
+
+        // Act
+        $isMemberOfOrganization = $user->isMemberOfOrganization($organization);
+
+        // Assert
+        $this->assertFalse($isMemberOfOrganization);
+    }
+
     public function test_it_has_many_time_entries(): void
     {
         // Arrange