From 5fada8391334ac5d2760d3c7cb1712cd459ec041 Mon Sep 17 00:00:00 2001
From: Giancarlo Buomprisco
Date: Fri, 30 Aug 2024 20:43:17 +0800
Subject: [PATCH] Fix invitations to lower roles (#58)

Adjusted the SQL query to include a condition for roles at the same hierarchy level. This ensures that users with the same level of permission can properly manage invitations, improving the accuracy of role-based access control.
---
 .../migrations/20221215192558_schema.sql | 13 ++++++++++---
 .../tests/database/invitations.test.sql | 17 ++++++++++++++++-
 2 files changed, 26 insertions(+), 4 deletions(-)

diff --git a/apps/web/supabase/migrations/20221215192558_schema.sql b/apps/web/supabase/migrations/20221215192558_schema.sql
index ab9c2652f..28a30e02f 100644
--- a/apps/web/supabase/migrations/20221215192558_schema.sql
+++ b/apps/web/supabase/migrations/20221215192558_schema.sql
@@ -1234,7 +1234,7 @@ select
 
 -- INSERT(invitations):
 -- Users can create invitations to users of an account they are
--- a member of and have the 'invites.manage' permission AND the target role is not higher than the user's role
+-- a member of and have the 'invites.manage' permission AND the target role is not higher than the user's role
 create policy invitations_create_self on public.invitations for insert to authenticated
 with
 check (
@@ -1247,14 +1247,21 @@ with
 account_id,
 'invites.manage'::public.app_permissions
 )
- and public.has_same_role_hierarchy_level (
+ and (public.has_more_elevated_role (
 (
 select
 auth.uid ()
 ),
 account_id,
 role
- )
+ ) or public.has_same_role_hierarchy_level(
+ (
+ select
+ auth.uid ()
+ ),
+ account_id,
+ role
+ ))
 );
 
 -- UPDATE(invitations):
diff --git a/apps/web/supabase/tests/database/invitations.test.sql b/apps/web/supabase/tests/database/invitations.test.sql
index 7da564484..b7a052375 100644
--- a/apps/web/supabase/tests/database/invitations.test.sql
+++ b/apps/web/supabase/tests/database/invitations.test.sql
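Review bot: Nothing in the new `and (... or ...)` records why peer-level invitations are now accepted, although this is exactly the privilege boundary the policy exists to enforce; add a why-comment on the `or` line, e.g. `-- #58: the caller may invite at their own hierarchy level as well as below it`, which also matches the "not higher than the user's role" wording of the policy comment in the previous hunk. The UPDATE policy that begins right after this hunk is untouched by the commit; if it still applies only one of the two helpers, an invitation accepted at the caller's level by this INSERT rule and a later change of its role would be judged by different rules, which is worth confirming against the full file. Both helper calls pass the same `(select auth.uid ())`, `account_id` and `role`; if the role helpers in this migration offer a single "at least as elevated" predicate, using it would leave one comparison to audit instead of two. The `check (` block starts before the hunk.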
@@ -8,6 +8,7 @@ select no_plan();
 select makerkit.set_identifier('test', 'test@makerkit.dev');
 select makerkit.set_identifier('member', 'member@makerkit.dev');
 select makerkit.set_identifier('custom', 'custom@makerkit.dev');
+select makerkit.set_identifier('owner', 'owner@makerkit.dev');
 
 select tests.authenticate_as('test');
 
@@ -36,6 +37,20 @@ select lives_ok(
 'member should be able to create invitations for members or lower roles'
 );
 
+-- test invite exists
+select isnt_empty(
+ $$ select * from public.invitations where account_id = makerkit.get_account_id_by_slug('makerkit') $$,
+ 'invitations should be listed'
+);
+
+select tests.authenticate_as('owner');
+
+-- check the owner can invite members with lower roles
+select lives_ok(
+ $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()) $$,
+ 'owner should be able to create invitations'
+);
+
 -- authenticate_as the custom role
 select tests.authenticate_as('custom');
 
@@ -54,7 +69,7 @@ insert into public.role_permissions (role, permission) values ('custom-role', 'i
 
 select tests.authenticate_as('custom');
 select lives_ok(
- $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
+ $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite4@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
 'custom role should be able to create invitations'
 );
 
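Review bot: The added owner test and the `isnt_empty` probe only exercise allowed paths (an owner inviting `member`, and the member's own invitation being listed), while the boundary this commit moves — same level allowed, higher level refused — gets no negative assertion in the hunk. If the part of the file outside the hunk does not already do so, add a `throws_ok` while still authenticated as `member` that inserts an invitation for a role above `member`; SQLSTATE 42501 is what PostgreSQL raises for a failed row-level security check, the `owner` role name is inferred from the new fixture identifier, and the e-mail is a constructed fixture value. Placing it before `tests.authenticate_as('owner')` keeps the existing flow unchanged.
```sql
-- … unchanged: member lives_ok for 'members or lower roles' …
select throws_ok(
  $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite-above@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'owner', gen_random_uuid()) $$,
  '42501',
  'new row violates row-level security policy for table "invitations"',
  'member must not be able to create an invitation for a role above their own'
);
-- … unchanged: isnt_empty probe and owner test …
```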