fix: ensure invitation feature is properly gated to authorized users and guests

Signed-off-by: Miguel Nogueira <me@nogueira.codes>

app/Policies/InvitationPolicy.php

@@ -11,14 +11,9 @@ class InvitationPolicy
 {
     use HandlesAuthorization;
 
-    public function viewAny(User $user): bool
+    public function viewAny(User $user): Response
     {
-
-    }
-
-    public function view(User $user, Invitation $invitation): Response
-    {
-        return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to view invitations.'));
+        return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to view invitation requests.'));
     }
 
     public function create(?User $user): Response
@@ -27,11 +22,13 @@ class InvitationPolicy
             return Response::allow();
         }
 
-        return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to request invitations.'));
+        return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to request privileged invitations.'));
     }
 
-    public function delete(User $user, Invitation $invitation): Response
+    public function update(User $user, Invitation $invitation): Response
     {
-        return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to revoke invitations.'));
+        return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to update invitations.'));
     }
+
+    // no delete policy; cleanup is handled by jobs, no users can delete directly
 }