feat(invitations): added FF to disable invitations, added to permission groups, added workspace members admin endpoints (#2783)

* feat(invitations): added FF to disable invitations, added to permission groups, added workspace members admin endpoints

* fix failing tests

Author: waleedlatif1

apps/docs/content/docs/de/enterprise/index.mdx

@@ -70,6 +70,7 @@ Für selbst gehostete Bereitstellungen können Enterprise-Funktionen über Umgeb
 |----------|-------------|
 | `SSO_ENABLED`, `NEXT_PUBLIC_SSO_ENABLED` | Single Sign-On mit SAML/OIDC |
 | `CREDENTIAL_SETS_ENABLED`, `NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | Polling-Gruppen für E-Mail-Trigger |
+| `DISABLE_INVITATIONS`, `NEXT_PUBLIC_DISABLE_INVITATIONS` | Workspace-/Organisations-Einladungen global deaktivieren |
 
 <Callout type="warn">
   BYOK ist nur im gehosteten Sim Studio verfügbar. Selbst gehostete Deployments konfigurieren AI-Provider-Schlüssel direkt über Umgebungsvariablen.

apps/docs/content/docs/en/enterprise/index.mdx

@@ -17,7 +17,7 @@ Define permission groups to control what features and integrations team members
 
 - **Allowed Model Providers** - Restrict which AI providers users can access (OpenAI, Anthropic, Google, etc.)
 - **Allowed Blocks** - Control which workflow blocks are available
-- **Platform Settings** - Hide Knowledge Base, disable MCP tools, or disable custom tools
+- **Platform Settings** - Hide Knowledge Base, disable MCP tools, disable custom tools, or disable invitations
 
 ### Setup
 
@@ -68,6 +68,7 @@ For self-hosted deployments, enterprise features can be enabled via environment
 | `ACCESS_CONTROL_ENABLED`, `NEXT_PUBLIC_ACCESS_CONTROL_ENABLED` | Permission groups for access restrictions |
 | `SSO_ENABLED`, `NEXT_PUBLIC_SSO_ENABLED` | Single Sign-On with SAML/OIDC |
 | `CREDENTIAL_SETS_ENABLED`, `NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | Polling Groups for email triggers |
+| `DISABLE_INVITATIONS`, `NEXT_PUBLIC_DISABLE_INVITATIONS` | Globally disable workspace/organization invitations |
 
 ### Organization Management
 
@@ -87,6 +88,23 @@ curl -X POST https://your-instance/api/v1/admin/organizations/{orgId}/members \
   -d '{"userId": "user-id-here", "role": "admin"}'
 ```
 
+### Workspace Members
+
+When invitations are disabled, use the Admin API to manage workspace memberships directly:
+
+```bash
+# Add a user to a workspace
+curl -X POST https://your-instance/api/v1/admin/workspaces/{workspaceId}/members \
+  -H "x-admin-key: YOUR_ADMIN_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{"userId": "user-id-here", "permissions": "write"}'
+
+# Remove a user from a workspace
+curl -X DELETE "https://your-instance/api/v1/admin/workspaces/{workspaceId}/members?userId=user-id-here" \
+  -H "x-admin-key: YOUR_ADMIN_API_KEY"
+```
+
 ### Notes
 
 - Enabling `ACCESS_CONTROL_ENABLED` automatically enables organizations, as access control requires organization membership.
+- When `DISABLE_INVITATIONS` is set, users cannot send invitations. Use the Admin API to manage workspace and organization memberships instead.

apps/docs/content/docs/es/enterprise/index.mdx

@@ -70,6 +70,7 @@ Para implementaciones self-hosted, las funciones enterprise se pueden activar me
 |----------|-------------|
 | `SSO_ENABLED`, `NEXT_PUBLIC_SSO_ENABLED` | Inicio de sesión único con SAML/OIDC |
 | `CREDENTIAL_SETS_ENABLED`, `NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | Grupos de sondeo para activadores de correo electrónico |
+| `DISABLE_INVITATIONS`, `NEXT_PUBLIC_DISABLE_INVITATIONS` | Desactivar globalmente invitaciones a espacios de trabajo/organizaciones |
 
 <Callout type="warn">
   BYOK solo está disponible en Sim Studio alojado. Las implementaciones autoalojadas configuran las claves de proveedor de IA directamente a través de variables de entorno.

apps/docs/content/docs/fr/enterprise/index.mdx

@@ -70,6 +70,7 @@ Pour les déploiements auto-hébergés, les fonctionnalités entreprise peuvent
 |----------|-------------|
 | `SSO_ENABLED`, `NEXT_PUBLIC_SSO_ENABLED` | Authentification unique avec SAML/OIDC |
 | `CREDENTIAL_SETS_ENABLED`, `NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | Groupes de sondage pour les déclencheurs d'e-mail |
+| `DISABLE_INVITATIONS`, `NEXT_PUBLIC_DISABLE_INVITATIONS` | Désactiver globalement les invitations aux espaces de travail/organisations |
 
 <Callout type="warn">
   BYOK est uniquement disponible sur Sim Studio hébergé. Les déploiements auto-hébergés configurent les clés de fournisseur d'IA directement via les variables d'environnement.

apps/docs/content/docs/ja/enterprise/index.mdx

@@ -69,6 +69,7 @@ Sim Studioのホストキーの代わりに、AIモデルプロバイダー用
 |----------|-------------|
 | `SSO_ENABLED`、`NEXT_PUBLIC_SSO_ENABLED` | SAML/OIDCによるシングルサインオン |
 | `CREDENTIAL_SETS_ENABLED`、`NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | メールトリガー用のポーリンググループ |
+| `DISABLE_INVITATIONS`、`NEXT_PUBLIC_DISABLE_INVITATIONS` | ワークスペース/組織への招待をグローバルに無効化 |
 
 <Callout type="warn">
   BYOKはホスト型Sim Studioでのみ利用可能です。セルフホスト型デプロイメントでは、環境変数を介してAIプロバイダーキーを直接設定します。

apps/docs/content/docs/zh/enterprise/index.mdx

@@ -69,6 +69,7 @@ Sim Studio 企业版为需要更高安全性、合规性和管理能力的组织
 |----------|-------------|
 | `SSO_ENABLED`，`NEXT_PUBLIC_SSO_ENABLED` | 使用 SAML/OIDC 的单点登录 |
 | `CREDENTIAL_SETS_ENABLED`，`NEXT_PUBLIC_CREDENTIAL_SETS_ENABLED` | 用于邮件触发器的轮询组 |
+| `DISABLE_INVITATIONS`，`NEXT_PUBLIC_DISABLE_INVITATIONS` | 全局禁用工作区/组织邀请 |
 
 <Callout type="warn">
   BYOK 仅适用于托管版 Sim Studio。自托管部署需通过环境变量直接配置 AI 提供商密钥。

apps/sim/app/api/organizations/[id]/invitations/route.ts

@@ -26,6 +26,10 @@ import { getBaseUrl } from '@/lib/core/utils/urls'
 import { sendEmail } from '@/lib/messaging/email/mailer'
 import { quickValidateEmail } from '@/lib/messaging/email/validation'
 import { hasWorkspaceAdminAccess } from '@/lib/workspaces/permissions/utils'
+import {
+  InvitationsNotAllowedError,
+  validateInvitationsAllowed,
+} from '@/executor/utils/permission-check'
 
 const logger = createLogger('OrganizationInvitations')
 
@@ -116,6 +120,8 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       return NextResponse.json({ error: 'Unauthorized' }, { status: 401 })
     }
 
+    await validateInvitationsAllowed(session.user.id)
+
     const { id: organizationId } = await params
     const url = new URL(request.url)
     const validateOnly = url.searchParams.get('validate') === 'true'
@@ -427,6 +433,10 @@ export async function POST(request: NextRequest, { params }: { params: Promise<{
       },
     })
   } catch (error) {
+    if (error instanceof InvitationsNotAllowedError) {
+      return NextResponse.json({ error: error.message }, { status: 403 })
+    }
+
     logger.error('Failed to create organization invitations', {
       organizationId: (await params).id,
       error,
@@ -486,10 +496,7 @@ export async function DELETE(
         and(
           eq(invitation.id, invitationId),
           eq(invitation.organizationId, organizationId),
-          or(
-            eq(invitation.status, 'pending'),
-            eq(invitation.status, 'rejected') // Allow cancelling rejected invitations too
-          )
+          or(eq(invitation.status, 'pending'), eq(invitation.status, 'rejected'))
         )
       )
       .returning()

apps/sim/app/api/v1/admin/index.ts

@@ -17,6 +17,12 @@
  *   Workspaces:
  *   GET    /api/v1/admin/workspaces                         - List all workspaces
  *   GET    /api/v1/admin/workspaces/:id                     - Get workspace details
+ *   GET    /api/v1/admin/workspaces/:id/members             - List workspace members
+ *   POST   /api/v1/admin/workspaces/:id/members             - Add/update workspace member
+ *   DELETE /api/v1/admin/workspaces/:id/members?userId=X    - Remove workspace member
+ *   GET    /api/v1/admin/workspaces/:id/members/:mid        - Get workspace member details
+ *   PATCH  /api/v1/admin/workspaces/:id/members/:mid        - Update workspace member permissions
+ *   DELETE /api/v1/admin/workspaces/:id/members/:mid        - Remove workspace member by ID
  *   GET    /api/v1/admin/workspaces/:id/workflows           - List workspace workflows
  *   DELETE /api/v1/admin/workspaces/:id/workflows           - Delete all workspace workflows
  *   GET    /api/v1/admin/workspaces/:id/folders             - List workspace folders
@@ -95,6 +101,7 @@ export type {
   AdminWorkflowDetail,
   AdminWorkspace,
   AdminWorkspaceDetail,
+  AdminWorkspaceMember,
   DbMember,
   DbOrganization,
   DbSubscription,

apps/sim/app/api/v1/admin/types.ts

@@ -518,6 +518,22 @@ export interface AdminMemberDetail extends AdminMember {
   billingBlocked: boolean
 }
 
+// =============================================================================
+// Workspace Member Types
+// =============================================================================
+
+export interface AdminWorkspaceMember {
+  id: string
+  workspaceId: string
+  userId: string
+  permissions: 'admin' | 'write' | 'read'
+  createdAt: string
+  updatedAt: string
+  userName: string
+  userEmail: string
+  userImage: string | null
+}
+
 // =============================================================================
 // User Billing Types
 // =============================================================================