From f551576730e80143b656d7d65571560d53239e11 Mon Sep 17 00:00:00 2001
From: Miguel Nogueira <me@nogueira.codes>
Date: Thu, 7 Aug 2025 21:21:38 +0100
Subject: [PATCH] fix: ensure invitation feature is disabled when registrations
 are not

Signed-off-by: Miguel Nogueira <me@nogueira.codes>
---
 app/Http/Controllers/InvitationController.php |  9 ++-
 app/Http/Requests/ApproveInviteRequest.php    | 27 +++++++
 app/Http/Requests/DenyInviteRequest.php       | 29 ++++++++
 app/Http/Requests/InvitationRequest.php       |  6 +-
 app/Http/Requests/ValidateInviteRequest.php   | 30 ++++++++
 .../administration/invites.blade.php          | 70 ++++++++++++-------
 6 files changed, 136 insertions(+), 35 deletions(-)
 create mode 100644 app/Http/Requests/ApproveInviteRequest.php
 create mode 100644 app/Http/Requests/DenyInviteRequest.php
 create mode 100644 app/Http/Requests/ValidateInviteRequest.php

diff --git a/app/Http/Controllers/InvitationController.php b/app/Http/Controllers/InvitationController.php
index 6016e05..fd4d365 100644
--- a/app/Http/Controllers/InvitationController.php
+++ b/app/Http/Controllers/InvitationController.php
@@ -2,7 +2,10 @@
 
 namespace App\Http\Controllers;
 
+use App\Http\Requests\ApproveInviteRequest;
+use App\Http\Requests\DenyInviteRequest;
 use App\Http\Requests\InvitationRequest;
+use App\Http\Requests\ValidateInviteRequest;
 use App\Invitation;
 use App\Mail\InviteApprovedMail;
 use App\Mail\InvitedToApp;
@@ -60,7 +63,7 @@ class InvitationController extends Controller
         return redirect()->back();
     }
 
-    public function approveInvite(Request $request, Invitation $invitation)
+    public function approveInvite(ApproveInviteRequest $request, Invitation $invitation)
     {
         $approvableStates = [
             'pending'
@@ -88,7 +91,7 @@ class InvitationController extends Controller
         }
     }
 
-    public function denyInvite(Request $request, Invitation $invitation)
+    public function denyInvite(DenyInviteRequest $request, Invitation $invitation)
     {
         $declinableStates = [
           'pending'
@@ -115,7 +118,7 @@ class InvitationController extends Controller
         return view('auth.redeem-invite', ['validationToken' => $request->route('token')]);
     }
 
-    public function validateInvite(Request $request)
+    public function validateInvite(ValidateInviteRequest $request)
     {
         $token = $request->input('validation_token');
         $email = $request->input('email');
diff --git a/app/Http/Requests/ApproveInviteRequest.php b/app/Http/Requests/ApproveInviteRequest.php
new file mode 100644
index 0000000..012fcc7
--- /dev/null
+++ b/app/Http/Requests/ApproveInviteRequest.php
@@ -0,0 +1,27 @@
+<?php
+
+namespace App\Http\Requests;
+
+use App\Facades\Options;
+use Illuminate\Foundation\Http\FormRequest;
+
+class ApproveInviteRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return !Options::getOption('enable_registrations');
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [];
+    }
+}
diff --git a/app/Http/Requests/DenyInviteRequest.php b/app/Http/Requests/DenyInviteRequest.php
new file mode 100644
index 0000000..dc7c1f9
--- /dev/null
+++ b/app/Http/Requests/DenyInviteRequest.php
@@ -0,0 +1,29 @@
+<?php
+
+namespace App\Http\Requests;
+
+use App\Facades\Options;
+use Illuminate\Foundation\Http\FormRequest;
+
+class DenyInviteRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return !Options::getOption('enable_registrations');
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            //
+        ];
+    }
+}
diff --git a/app/Http/Requests/InvitationRequest.php b/app/Http/Requests/InvitationRequest.php
index bcc8f8e..e228e62 100644
--- a/app/Http/Requests/InvitationRequest.php
+++ b/app/Http/Requests/InvitationRequest.php
@@ -17,11 +17,7 @@ class InvitationRequest extends FormRequest
 
     public function authorize(): bool
     {
-        if (Options::getOption('enable_registrations')) {
-            return false;
-        }
-
-        return true;
+        return !Options::getOption('enable_registrations');
     }
 
     protected function failedAuthorization()
diff --git a/app/Http/Requests/ValidateInviteRequest.php b/app/Http/Requests/ValidateInviteRequest.php
new file mode 100644
index 0000000..5c4178e
--- /dev/null
+++ b/app/Http/Requests/ValidateInviteRequest.php
@@ -0,0 +1,30 @@
+<?php
+
+namespace App\Http\Requests;
+
+use App\Facades\Options;
+use Illuminate\Foundation\Http\FormRequest;
+
+class ValidateInviteRequest extends FormRequest
+{
+    /**
+     * Determine if the user is authorized to make this request.
+     */
+    public function authorize(): bool
+    {
+        return !Options::getOption('enable_registrations');
+    }
+
+    /**
+     * Get the validation rules that apply to the request.
+     *
+     * @return array<string, \Illuminate\Contracts\Validation\ValidationRule|array<mixed>|string>
+     */
+    public function rules(): array
+    {
+        return [
+            'validation_token' => 'required|string',
+            'email' => 'required|email'
+        ];
+    }
+}
diff --git a/resources/views/dashboard/administration/invites.blade.php b/resources/views/dashboard/administration/invites.blade.php
index eaf7cf2..a3a7bcc 100644
--- a/resources/views/dashboard/administration/invites.blade.php
+++ b/resources/views/dashboard/administration/invites.blade.php
@@ -14,16 +14,30 @@
 
 @section('content')
 
+    @if(\App\Facades\Options::getOption('enable_registrations'))
+        <x-alert alert-type="danger" title="{{ __('Invitation system disabled') }}" icon="fas fa-ban">
+            <p>{!! __('The invitation system is currently disabled because sign ups are open to everyone. If you\'d like to change this, head over to App Settings > <a href=":globalSettingsLink">Global Settings</a> and disable registrations.', ['globalSettingsLink' => route('showSettings')]) !!}</p>
+        </x-alert>
+    @endif
+
     <div class="row mt-5">
         <div class="col">
             <x-card id="inviteManagement" card-title="{{ __('Invitation management system') }}" footer-style="text-muted">
 
                 <x-slot name="cardHeader">
-                    <div class="d-flex justify-content-end">
-                        <button type="button" id="inviteUserBtn" class="btn btn-success btn-sm ml-3" data-toggle="modal" data-target="#inviteUserModal">
-                            <i class="fas fa-user-plus"></i> {{ __('Invite user') }}
-                        </button>
-                    </div>
+                    @if(\App\Facades\Options::getOption('enable_registrations'))
+                        <div class="d-flex justify-content-end">
+                            <button type="button" id="inviteUserBtn" class="btn btn-success btn-sm ml-3" disabled>
+                                <i class="fas fa-user-plus"></i> {{ __('Invite user') }}
+                            </button>
+                        </div>
+                    @else
+                        <div class="d-flex justify-content-end">
+                            <button type="button" id="inviteUserBtn" class="btn btn-success btn-sm ml-3" data-toggle="modal" data-target="#inviteUserModal">
+                                <i class="fas fa-user-plus"></i> {{ __('Invite user') }}
+                            </button>
+                        </div>
+                    @endif
                 </x-slot>
 
                 @if(!empty($invites) && count($invites) > 0)
@@ -111,35 +125,37 @@
 
     </div>
 
-    <x-modal id="inviteUserModal" :modalTitle="__('Invite a User')" :modalLabel="'inviteUserModalLabel'" :includeCloseButton="true">
-        <form method="POST" action="{{ route('invitations.request') }}">
-            @csrf
-            <div class="input-group mt-3">
-                <div class="input-group-prepend">
+    @if(!\App\Facades\Options::getOption('enable_registrations'))
+        <x-modal id="inviteUserModal" :modalTitle="__('Invite a User')" :modalLabel="'inviteUserModalLabel'" :includeCloseButton="true">
+            <form method="POST" action="{{ route('invitations.request') }}">
+                @csrf
+                <div class="input-group mt-3">
+                    <div class="input-group-prepend">
                     <span class="input-group-text">
                         <i class="fas fa-envelope"></i>
                     </span>
+                    </div>
+                    <label for="inviteEmail" class="sr-only">{{ __('Email address') }}</label>
+                    <input type="email" class="form-control" id="inviteEmail" name="email" required placeholder="{{ __('Enter an email address to send the invite to') }}">
                 </div>
-                <label for="inviteEmail" class="sr-only">{{ __('Email address') }}</label>
-                <input type="email" class="form-control" id="inviteEmail" name="email" required placeholder="{{ __('Enter an email address to send the invite to') }}">
-            </div>
-            <p class="text-muted mt-2 mb-2"><i class="fas fa-info-circle"></i> {{ __('Sending an invite here will immediately create an approved invite request which will in turn send this user an email message with a link. Be aware that this will allow them to register for a new account.') }}</p>
-        </form>
+                <p class="text-muted mt-2 mb-2"><i class="fas fa-info-circle"></i> {{ __('Sending an invite here will immediately create an approved invite request which will in turn send this user an email message with a link. Be aware that this will allow them to register for a new account.') }}</p>
+            </form>
 
-        <x-slot name="modalFooter">
-            <button id="sendInviteBtn" class="btn btn-success" type="button">
-                <i class="fas fa-paper-plane"></i> {{ __('Invite') }}
-            </button>
-            <script>
-                document.addEventListener('DOMContentLoaded', function () {
-                    document.getElementById('sendInviteBtn').addEventListener('click', function () {
-                        document.querySelector('#inviteUserModal form').submit();
+            <x-slot name="modalFooter">
+                <button id="sendInviteBtn" class="btn btn-success" type="button">
+                    <i class="fas fa-paper-plane"></i> {{ __('Invite') }}
+                </button>
+                <script>
+                    document.addEventListener('DOMContentLoaded', function () {
+                        document.getElementById('sendInviteBtn').addEventListener('click', function () {
+                            document.querySelector('#inviteUserModal form').submit();
+                        });
                     });
-                });
-            </script>
-        </x-slot>
+                </script>
+            </x-slot>
 
-    </x-modal>
+        </x-modal>
+    @endif
 
 @stop