2.23.0: Enforce Policies API for invitations and creating accounts; added WeakPassword handling; Fix dialog open/closed states (#439)

* chore: bump version to 2.22.1 and update dependencies - Updated application version from 2.22.0 to 2.22.1 in package.json. - Updated various dependencies including @marsidev/react-turnstile to 1.4.1, @stripe/react-stripe-js to 5.4.1, @stripe/stripe-js to 8.6.1, and react-hook-form to 7.70.0. - Adjusted lucide-react version to be referenced from the catalog across multiple package.json files. - Enhanced consistency in pnpm-lock.yaml and pnpm-workspace.yaml with updated package versions. * chore: bump version to 2.23.0 and update dependencies - Updated application version from 2.22.1 to 2.23.0 in package.json. - Upgraded turbo dependency from 2.7.1 to 2.7.3 in package.json and pnpm-lock.yaml. - Enhanced end-to-end testing documentation in AGENTS.md and CLAUDE.md with instructions for running tests. - Updated AuthPageObject to use a new secret for user creation in auth.po.ts. - Refactored team ownership transfer and member role update dialogs to close on success. - Improved error handling for weak passwords in AuthErrorAlert component. - Adjusted database schemas and tests to reflect changes in invitation policies and role management.
2026-01-07 17:00:11 +01:00
parent 5237d34e6f
commit d5dc6f2528
41 changed files with 2896 additions and 1922 deletions
--- a/apps/web/supabase/tests/database/invitations.test.sql
+++ b/apps/web/supabase/tests/database/invitations.test.sql
@@ -12,49 +12,53 @@ select makerkit.set_identifier('owner', 'owner@makerkit.dev');

 select makerkit.authenticate_as('test');

-select lives_ok(
+select throws_ok(
    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite1@makerkit.dev', auth.uid(),  makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()); $$,
-'owner should be able to create invitations'
+    'new row violates row-level security policy for table "invitations"',
+    'direct inserts should be blocked'
 );

-- check two invitations to the same email/account are not allowed
+-- direct inserts are blocked even for duplicates
 select throws_ok(
    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite1@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()) $$,
-    'duplicate key value violates unique constraint "invitations_email_account_id_key"'
+    'new row violates row-level security policy for table "invitations"',
+    'direct inserts should be blocked'
 );

 select makerkit.authenticate_as('member');

-- check a member cannot invite members with higher roles
+-- direct inserts are blocked regardless of role
 select throws_ok(
    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite2@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'owner', gen_random_uuid()) $$,
    'new row violates row-level security policy for table "invitations"'
 );

-- check a member can invite members with the same or lower roles
-select lives_ok(
+-- direct inserts are blocked regardless of role
+select throws_ok(
    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite2@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()) $$,
-    'member should be able to create invitations for members or lower roles'
+    'new row violates row-level security policy for table "invitations"',
+    'direct inserts should be blocked'
 );

-- test invite exists
-select isnt_empty(
+-- direct inserts should not create invitations
+select is_empty(
    $$ select * from public.invitations where account_id = makerkit.get_account_id_by_slug('makerkit') $$,
-    'invitations should be listed'
+    'invitations should not be listed when inserts are blocked'
 );

 select makerkit.authenticate_as('owner');

-- check the owner can invite members with lower roles
-select lives_ok(
+-- direct inserts are blocked regardless of role
+select throws_ok(
    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()) $$,
-    'owner should be able to create invitations'
+    'new row violates row-level security policy for table "invitations"',
+    'direct inserts should be blocked'
 );

 -- authenticate_as the custom role
 select makerkit.authenticate_as('custom');

-- it will fail because the custom role does not have the invites.manage permission
+-- direct inserts are blocked regardless of role
 select throws_ok(
    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite3@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
    'new row violates row-level security policy for table "invitations"'
@@ -62,26 +66,28 @@ select throws_ok(

 set local role postgres;

-- add permissions to invite members to the custom role
+-- adding permissions should not bypass direct insert restrictions
 insert into public.role_permissions (role, permission) values ('custom-role', 'invites.manage');

 -- authenticate_as the custom role
 select makerkit.authenticate_as('custom');

-select lives_ok(
+select throws_ok(
    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite4@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'custom-role', gen_random_uuid()) $$,
-    'custom role should be able to create invitations'
-);
-
-select lives_ok(
-    $$ SELECT public.add_invitations_to_account('makerkit', ARRAY[ROW('example@makerkit.dev', 'custom-role')::public.invitation]); $$,
-    'custom role should be able to create invitations using the function public.add_invitations_to_account'
+    'new row violates row-level security policy for table "invitations"',
+    'direct inserts should be blocked'
 );

 select throws_ok(
-    $$ SELECT public.add_invitations_to_account('makerkit', ARRAY[ROW('example2@makerkit.dev', 'owner')::public.invitation]); $$,
-    'new row violates row-level security policy for table "invitations"',
-    'cannot invite members with higher roles'
+    $$ SELECT public.add_invitations_to_account('makerkit', ARRAY[ROW('example@makerkit.dev', 'custom-role')::public.invitation], auth.uid()); $$,
+    'permission denied for function add_invitations_to_account',
+    'authenticated users cannot call add_invitations_to_account'
+);
+
+select throws_ok(
+    $$ SELECT public.add_invitations_to_account('makerkit', ARRAY[ROW('example2@makerkit.dev', 'owner')::public.invitation], auth.uid()); $$,
+    'permission denied for function add_invitations_to_account',
+    'authenticated users cannot call add_invitations_to_account'
 );

 -- Foreigners should not be able to create invitations
@@ -90,15 +96,15 @@ select tests.create_supabase_user('user');

 select makerkit.authenticate_as('user');

-- it will fail because the user is not a member of the account
+-- direct inserts are blocked regardless of membership
 select throws_ok(
    $$ insert into public.invitations (email, invited_by, account_id, role, invite_token) values ('invite4@makerkit.dev', auth.uid(), makerkit.get_account_id_by_slug('makerkit'), 'member', gen_random_uuid()) $$,
    'new row violates row-level security policy for table "invitations"'
 );

 select throws_ok(
-    $$ SELECT public.add_invitations_to_account('makerkit', ARRAY[ROW('example@example.com', 'member')::public.invitation]); $$,
-    'new row violates row-level security policy for table "invitations"'
+    $$ SELECT public.add_invitations_to_account('makerkit', ARRAY[ROW('example@example.com', 'member')::public.invitation], auth.uid()); $$,
+    'permission denied for function add_invitations_to_account'
 );

 select is_empty($$