miguel456/athenahr
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: ensure invitation feature is properly gated to authorized users and guests

Browse Source 
Signed-off-by: Miguel Nogueira <me@nogueira.codes>
This commit is contained in:
Miguel Nogueira
2025-08-07 21:52:07 +01:00
parent f551576730
commit 927c9e6df0
2 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/Http/Controllers/InvitationController.php
View File

@@ -20,6 +20,8 @@ class InvitationController extends Controller
{
public function index()
{
$this->authorize('viewAny', Invitation::class);
return view('dashboard.administration.invites', [
'invites' => Invitation::all()
]);
@@ -28,6 +30,8 @@ class InvitationController extends Controller
public function requestInvite(InvitationRequest $request)
{
$this->authorize('create', Invitation::class);
$guest = Auth::guest();
$invitation = new Invitation();
@@ -65,6 +69,8 @@ class InvitationController extends Controller
public function approveInvite(ApproveInviteRequest $request, Invitation $invitation)
{
$this->authorize('update', $invitation);
$approvableStates = [
'pending'
];
@@ -93,6 +99,8 @@ class InvitationController extends Controller
public function denyInvite(DenyInviteRequest $request, Invitation $invitation)
{
$this->authorize('update', $invitation);
$declinableStates = [
'pending'
];

17
app/Policies/InvitationPolicy.php
View File

@@ -11,14 +11,9 @@ class InvitationPolicy
{
use HandlesAuthorization;
public function viewAny(User $user): bool
public function viewAny(User $user): Response
{
}
public function view(User $user, Invitation $invitation): Response
{
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to view invitations.'));
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to view invitation requests.'));
}
public function create(?User $user): Response
@@ -27,11 +22,13 @@ class InvitationPolicy
return Response::allow();
}
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to request invitations.'));
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to request privileged invitations.'));
}
public function delete(User $user, Invitation $invitation): Response
public function update(User $user, Invitation $invitation): Response
{
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to revoke invitations.'));
return $user->can('admin.manageInvitations') ? Response::allow() : Response::deny(__('You do not have permission to update invitations.'));
}
// no delete policy; cleanup is handled by jobs, no users can delete directly
}