Validate privilege levels when sending /invite request (#23533)

* Validate privilege levels when sending /invite request * add acceptance tests GitOrigin-RevId: 4ccd0ad3504c3c5770f5ee2b2f6d34ef746d1430
2025-04-27 13:42:45 +00:00 · 2025-02-13 10:20:07 +01:00 · 2025-02-13 10:20:07 +01:00 · 8183c0785c
commit 8183c0785c
parent d2738fda73
2 changed files with 66 additions and 0 deletions
--- a/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs
+++ b/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs
@ -103,6 +103,18 @@ export default {
      }),
      CaptchaMiddleware.validateCaptcha('invite'),
      AuthenticationController.requireLogin(),
+      validate({
+        body: Joi.object({
+          email: Joi.string().required(),
+          privileges: Joi.string()
+            .valid(
+              PrivilegeLevels.READ_ONLY,
+              PrivilegeLevels.READ_AND_WRITE,
+              PrivilegeLevels.REVIEW
+            )
+            .required(),
+        }),
+      }),
      AuthorizationMiddleware.ensureUserCanAdminProject,
      CollaboratorsInviteController.inviteToProject
    )
--- a/services/web/test/acceptance/src/ProjectInviteTests.mjs
+++ b/services/web/test/acceptance/src/ProjectInviteTests.mjs
@ -361,6 +361,60 @@ describe('ProjectInviteTests', function () {
        )
      })

+      it('should fail if email is not a string', function (done) {
+        this.sendingUser.getCsrfToken(err => {
+          if (err) {
+            return done(err)
+          }
+          this.sendingUser.request.post(
+            {
+              uri: `/project/${this.projectId}/invite`,
+              json: {
+                email: {},
+                privileges: 'readAndWrite',
+              },
+            },
+            (err, response, body) => {
+              if (err) {
+                return done(err)
+              }
+              expect(response.statusCode).to.equal(400)
+              expect(response.body.validation.body.message).to.equal(
+                '"email" must be a string'
+              )
+              done()
+            }
+          )
+        })
+      })
+
+      it('should fail on invalid privileges', function (done) {
+        this.sendingUser.getCsrfToken(err => {
+          if (err) {
+            return done(err)
+          }
+          this.sendingUser.request.post(
+            {
+              uri: `/project/${this.projectId}/invite`,
+              json: {
+                email: this.email,
+                privileges: 'invalid-privilege',
+              },
+            },
+            (err, response, body) => {
+              if (err) {
+                return done(err)
+              }
+              expect(response.statusCode).to.equal(400)
+              expect(response.body.validation.body.message).to.equal(
+                '"privileges" must be one of [readOnly, readAndWrite, review]'
+              )
+              done()
+            }
+          )
+        })
+      })
+
      it('should allow the project owner to create and remove invites', function (done) {
        Async.series(
          [