miguel456/athenahr
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: ensure invitation feature is properly gated to authorized users and guests

Browse Source 
Signed-off-by: Miguel Nogueira <me@nogueira.codes>
This commit is contained in:
Miguel Nogueira
2025-08-07 21:52:07 +01:00
parent f551576730
commit 927c9e6df0
2 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/Http/Controllers/InvitationController.php
View File

@@ -20,6 +20,8 @@ class InvitationController extends Controller
{ {
public function index() public function index()
{ {
$this->authorize('viewAny', Invitation::class);
return view('dashboard.administration.invites', [ return view('dashboard.administration.invites', [
'invites' => Invitation::all() 'invites' => Invitation::all()
]); ]);
@@ -28,6 +30,8 @@ class InvitationController extends Controller
public function requestInvite(InvitationRequest $request) public function requestInvite(InvitationRequest $request)
{ {
$this->authorize('create', Invitation::class);
$guest = Auth::guest(); $guest = Auth::guest();
$invitation = new Invitation(); $invitation = new Invitation();
@@ -65,6 +69,8 @@ class InvitationController extends Controller
public function approveInvite(ApproveInviteRequest $request, Invitation $invitation) public function approveInvite(ApproveInviteRequest $request, Invitation $invitation)
{ {
$this->authorize('update', $invitation);
$approvableStates = [ $approvableStates = [
'pending' 'pending'
]; ];
@@ -93,6 +99,8 @@ class InvitationController extends Controller
public function denyInvite(DenyInviteRequest $request, Invitation $invitation) public function denyInvite(DenyInviteRequest $request, Invitation $invitation)
{ {
$this->authorize('update', $invitation);
$declinableStates = [ $declinableStates = [
'pending' 'pending'
]; ];

17
app/Policies/InvitationPolicy.php
View File

@@ -11,14 +11,9 @@ class InvitationPolicy
{ {
use HandlesAuthorization; use HandlesAuthorization;
public function viewAny(User $user): bool public function viewAny(User $user): Response
{ {
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to view invitation requests.'));
}
public function view(User $user, Invitation $invitation): Response
{
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to view invitations.'));
} }
public function create(?User $user): Response public function create(?User $user): Response
@@ -27,11 +22,13 @@ class InvitationPolicy
return Response::allow(); return Response::allow();
} }
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to request invitations.')); return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to request privileged invitations.'));
} }
public function delete(User $user, Invitation $invitation): Response public function update(User $user, Invitation $invitation): Response
{ {
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to revoke invitations.')); return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to update invitations.'));
} }
// no delete policy; cleanup is handled by jobs, no users can delete directly
} }