Merge pull request #15446 from overleaf/ab-tie-user-enrollment

[web] Prevent a user from becoming managed by another group after linking group SSO GitOrigin-RevId: d8cb763a68ca38b4aaf1518a5f93ac5a61cec28c
2024-11-21 20:47:08 -05:00 · 2023-10-27 15:11:43 +02:00 · 2023-10-27 15:11:43 +02:00 · cd27ee3c8f
commit cd27ee3c8f
parent 665f5e37c4
1 changed files with 11 additions and 5 deletions
--- a/services/web/app/src/Features/Subscription/TeamInvitesController.js
+++ b/services/web/app/src/Features/Subscription/TeamInvitesController.js
@ -12,6 +12,7 @@ const HttpErrorHandler = require('../Errors/HttpErrorHandler')
 const PermissionsManager = require('../Authorization/PermissionsManager')
 const EmailHandler = require('../Email/EmailHandler')
 const { RateLimiter } = require('../../infrastructure/RateLimiter')
+const Modules = require('../../infrastructure/Modules')

 const rateLimiters = {
  resendGroupInvite: new RateLimiter('resend-group-invite', {
@ -90,14 +91,19 @@ async function viewInvite(req, res, next) {

      const user = await UserGetter.promises.getUser(userId)

-      if (
-        user.enrollment?.managedBy &&
-        user.enrollment?.managedBy.toString() !== subscription._id.toString()
-      ) {
+      const isUserEnrolledInDifferentGroup =
+        (
+          await Modules.promises.hooks.fire(
+            'isUserEnrolledInDifferentGroup',
+            user.enrollment,
+            subscription._id
+          )
+        )?.[0] === true
+      if (isUserEnrolledInDifferentGroup) {
        return HttpErrorHandler.forbidden(
          req,
          res,
-          'User is already managed by a different subscription'
+          'User is already enrolled in a different subscription'
        )
      }