Only constantize allow-listed invitation types for permitted_params when creating platform invitations

Author: rsmithlal

app/controllers/better_together/platform_invitations_controller.rb

@@ -116,8 +116,16 @@ def platform_invitation_params
       params.require(:platform_invitation).permit(
         :invitee_email, :platform_role_id, :community_role_id, :locale,
         :valid_from, :valid_until, :greeting, :type, :session_duration_mins,
-        *params[:platform_invitation][:type].constantize.permitted_attributes
+        *param_invitation_class.permitted_attributes
       )
     end
+
+    def param_invitation_class
+      param_type = params[:platform_invitation][:type]
+
+      Rails.application.eager_load! if Rails.env.development? # Ensure all models are loaded
+      valid_types = [ BetterTogether::PlatformInvitation, *BetterTogether::PlatformInvitation.descendants ].map(&:to_s)
+      invitation_type = param_type.constantize if valid_types.include?(param_type)
+    end
   end
 end