zaid.marzguioui/myeasycms-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix invitations to lower roles (#58)

Browse Source 
Adjusted the SQL query to include a condition for roles at the same hierarchy level. This ensures that users with the same level of permission can properly manage invitations, improving the accuracy of role-based access control.
This commit is contained in:
Giancarlo Buomprisco
2024-08-30 20:43:17 +08:00
committed by GitHub
parent e23489d308
commit 5fada83913
2 changed files with 26 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
apps/web/supabase/migrations/20221215192558_schema.sql
View File

@@ -1234,7 +1234,7 @@ select
-- INSERT(invitations): -- INSERT(invitations):
-- Users can create invitations to users of an account they are -- Users can create invitations to users of an account they are
-- a member of and have the 'invites.manage' permission AND the target role is not higher than the user's role -- a member of and have the 'invites.manage' permission AND the target role is not higher than the user's role
create policy invitations_create_self on public.invitations for insert to authenticated create policy invitations_create_self on public.invitations for insert to authenticated
with with
check ( check (
@@ -1247,14 +1247,21 @@ with
account_id, account_id,
'invites.manage'::public.app_permissions 'invites.manage'::public.app_permissions
) )
and public.has_same_role_hierarchy_level ( and (public.has_more_elevated_role (
( (
select select
auth.uid () auth.uid ()
), ),
account_id, account_id,
role role
) ) or public.has_same_role_hierarchy_level(
(
select
auth.uid ()
),
account_id,
role
))
); );
-- UPDATE(invitations): -- UPDATE(invitations):

17
apps/web/supabase/tests/database/invitations.test.sql
View File

@@ -8,6 +8,7 @@ select no_plan();
select makerkit.set_identifier('test', 'test@makerkit.dev'); select makerkit.set_identifier('test', 'test@makerkit.dev');
select makerkit.set_identifier('member', 'member@makerkit.dev'); select makerkit.set_identifier('member', 'member@makerkit.dev');
select makerkit.set_identifier('custom', 'custom@makerkit.dev'); select makerkit.set_identifier('custom', 'custom@makerkit.dev');
select makerkit.set_identifier('owner', 'owner@makerkit.dev');
select tests.authenticate_as('test'); select tests.authenticate_as('test');
@@ -36,6 +37,20 @@ select lives_ok(
'member should be able to create invitations for members or lower roles' 'member should be able to create invitations for members or lower roles'
); );
-- test invite exists
select isnt_empty(
$$ select * from public.invitations where account_id = makerkit.get_account_id_by_slug('makerkit') $$,
'invitations should be listed'
);
select tests.authenticate_as('owner');
-- check the owner can invite members with lower roles
select lives_ok(
$$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()) $$,
'owner should be able to create invitations'
);
-- authenticate_as the custom role -- authenticate_as the custom role
select tests.authenticate_as('custom'); select tests.authenticate_as('custom');
@@ -54,7 +69,7 @@ insert into public.role_permissions (role, permission) values ('custom-role', 'i
select tests.authenticate_as('custom'); select tests.authenticate_as('custom');
select lives_ok( select lives_ok(
$$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$, $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite4@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
'custom role should be able to create invitations' 'custom role should be able to create invitations'
); );