@waleedlatif1
Collaborator

Summary

  • added FF to disable invitations, added to permission groups, added workspace members admin endpoints

Type of Change

  • New Feature

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

…on groups, added workspace members admin endpoints
@vercel

vercel bot commented Jan 13, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
| Project | Deployment | Review | Updated (UTC) |
| --- | --- | --- | --- |
| docs | Skipped | Skipped | Jan 13, 2026 3:17am |

@greptile-apps
Contributor

greptile-apps bot commented Jan 13, 2026

Greptile Overview

Greptile Summary

Overview

This PR adds comprehensive invitation control features through three mechanisms:

  1. Global Feature Flag (DISABLE_INVITATIONS) - Server and client-side environment variables to disable invitations globally
  2. Permission Group Control (disableInvitations) - Fine-grained control per permission group for enterprise customers
  3. Admin API Endpoints - New workspace member management endpoints as a workaround when invitations are disabled

Key Changes

Backend

  • Added isInvitationsDisabled feature flag to feature-flags.ts and environment configuration
  • Added disableInvitations property to PermissionGroupConfig with proper default (false)
  • Implemented validateInvitationsAllowed() function checking both feature flag and permission group config
  • Added validation to organization and workspace invitation POST endpoints with proper 403 error handling
  • Created new admin API endpoints:
    • GET/POST/DELETE /api/v1/admin/workspaces/[id]/members - List, add, remove workspace members
    • GET/PATCH/DELETE /api/v1/admin/workspaces/[id]/members/[memberId] - Individual member operations

Frontend

  • Added isInvitationsDisabled to usePermissionConfig() hook combining feature flag and permission group settings
  • Updated UI components to conditionally hide invitation elements:
    • Team management invitation card
    • Workspace header "Invite" badge
    • Context menu "Invite to Workspace" option
  • Added "Invitations" toggle to Access Control permission group configuration UI

Documentation & Deployment

  • Updated enterprise documentation with DISABLE_INVITATIONS feature and Admin API examples
  • Added environment variables to Helm values.yaml
  • Translated documentation to 5 additional languages (de, es, fr, ja, zh)

Implementation Quality

Strengths

  • Defense in depth: Combines UI hiding, API validation, and permission checks
  • Consistent error handling: Uses proper HTTP 403 status with InvitationsNotAllowedError
  • Admin workaround: Provides Admin API as an alternative when invitations are disabled
  • Proper separation: Feature flag for global disable, permission groups for per-user control
  • Complete feature: All invitation entry points are covered (org invitations, workspace invitations, context menu, headers)
  • Documentation: Well-documented with clear examples for self-hosted deployments

Architecture

The implementation follows established patterns in the codebase:

  • Uses existing permission group infrastructure
  • Follows Admin API authentication patterns with withAdminAuthParams middleware
  • Consistent with other feature flags (SSO, access control, organizations)
  • Proper React hooks usage with memoization

Testing Considerations

While the PR mentions "Tested manually", automated tests would be valuable for:

  • Invitation validation when feature flag is enabled
  • Invitation validation when permission group disables invitations
  • Admin API workspace member CRUD operations
  • UI conditional rendering based on isInvitationsDisabled

Security Analysis

  • Admin API endpoints properly authenticated with ADMIN_API_KEY
  • Uses constant-time comparison for API key validation
  • Permission checks happen at multiple layers (UI, API, database)
  • No SQL injection risks (uses Drizzle ORM with parameterized queries)
  • Input validation present in admin endpoints (permissions type checking, user/workspace existence)

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk - well-architected feature with proper validation and error handling
  • Score reflects the high quality implementation: comprehensive feature coverage across frontend and backend, proper security validation at multiple layers, consistent error handling with appropriate HTTP status codes, well-documented Admin API workaround, follows established codebase patterns, and includes documentation updates. No logic errors, security vulnerabilities, or architectural concerns identified during thorough review.
  • No files require special attention - all implementations follow best practices and existing patterns

Important Files Changed

File Analysis

| Filename | Score | Overview |
| --- | --- | --- |
| apps/sim/lib/core/config/feature-flags.ts | 5/5 | Added isInvitationsDisabled feature flag to globally disable invitations - clean implementation |
| apps/sim/lib/core/config/env.ts | 5/5 | Added DISABLE_INVITATIONS and NEXT_PUBLIC_DISABLE_INVITATIONS environment variables - properly configured |
| apps/sim/hooks/use-permission-config.ts | 5/5 | Added isInvitationsDisabled hook combining feature flag and permission group config - good separation of concerns |
| apps/sim/executor/utils/permission-check.ts | 5/5 | Added validateInvitationsAllowed function with proper error handling for both FF and permission groups |
| apps/sim/app/api/organizations/[id]/invitations/route.ts | 5/5 | Added invitation validation to POST endpoint - properly catches and returns 403 for blocked invitations |
| apps/sim/app/api/workspaces/invitations/route.ts | 5/5 | Added invitation validation to workspace POST endpoint - consistent error handling |
| apps/sim/app/api/v1/admin/workspaces/[id]/members/route.ts | 5/5 | New admin endpoint to manage workspace members - well-structured CRUD operations with proper validation |
| apps/sim/app/api/v1/admin/workspaces/[id]/members/[memberId]/route.ts | 5/5 | New admin endpoint for individual member operations - GET, PATCH, DELETE properly implemented |
| apps/sim/app/workspace/[workspaceId]/w/components/sidebar/components/access-control/access-control.tsx | 5/5 | Added disableInvitations toggle to permission group configuration UI - complete feature implementation |

Sequence Diagram

sequenceDiagram
    participant User
    participant Frontend
    participant API
    participant PermissionCheck
    participant FeatureFlags
    participant PermissionGroup
    participant DB

    Note over User,DB: Invitation Disabled via Feature Flag
    User->>Frontend: Attempt to send invitation
    Frontend->>Frontend: Check usePermissionConfig()
    Frontend->>FeatureFlags: getEnv('NEXT_PUBLIC_DISABLE_INVITATIONS')
    FeatureFlags-->>Frontend: isInvitationsDisabled=true
    Frontend->>User: Hide invitation UI elements

    Note over User,DB: Invitation Disabled via Permission Group
    User->>Frontend: Attempt to send invitation (UI visible)
    Frontend->>API: POST /api/organizations/[id]/invitations
    API->>PermissionCheck: validateInvitationsAllowed(userId)
    PermissionCheck->>FeatureFlags: Check isInvitationsDisabled
    FeatureFlags-->>PermissionCheck: false (FF not set)
    PermissionCheck->>DB: getUserPermissionConfig(userId)
    DB->>PermissionGroup: Get user's permission group
    PermissionGroup-->>DB: config.disableInvitations=true
    DB-->>PermissionCheck: Permission config
    PermissionCheck-->>API: Throw InvitationsNotAllowedError
    API-->>Frontend: 403 Forbidden
    Frontend-->>User: Error: Invitations not allowed

    Note over User,DB: Admin API Workaround
    User->>Frontend: Use Admin API (invitations disabled)
    Frontend->>API: POST /api/v1/admin/workspaces/[id]/members
    API->>API: Authenticate with x-admin-key
    API->>DB: Insert workspace permission
    DB-->>API: Success
    API-->>Frontend: Member added
    Frontend-->>User: Success
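
The server-side gate that the summary and sequence diagram above describe (global flag first, then the caller's permission group, mapped to a 403), as an added sketch that is not code from this PR or from the review bot. The function, error and property names come from the summary; the signatures, bodies, the `postInvitation` handler and the sample users are assumptions.

```typescript
// Added sketch, not the PR's code. Names follow the review summary;
// signatures, bodies and sample users are assumptions.
type PermissionGroupConfig = { disableInvitations: boolean };
type ConfigLookup = (userId: string) => PermissionGroupConfig | null;
type ApiResponse = { status: number; body: { error?: string; invited?: string } };

class InvitationsNotAllowedError extends Error {
  constructor() {
    super("Invitations are not allowed");
    this.name = "InvitationsNotAllowedError";
  }
}

function validateInvitationsAllowed(
  userId: string,
  isInvitationsDisabled: boolean, // server-side DISABLE_INVITATIONS flag
  getUserPermissionConfig: ConfigLookup, // stands in for the database lookup
): void {
  // Global flag first: when it is set, no per-user lookup is needed.
  if (isInvitationsDisabled) throw new InvitationsNotAllowedError();
  // A user without a permission group gets the default (false).
  const config = getUserPermissionConfig(userId);
  if (config !== null && config.disableInvitations) throw new InvitationsNotAllowedError();
}

// Hypothetical POST handler. It never reads the client-side flag: hiding the
// UI is cosmetic, and this check is what blocks a hand-crafted request.
function postInvitation(
  userId: string,
  email: string,
  isInvitationsDisabled: boolean,
  lookup: ConfigLookup,
): ApiResponse {
  try {
    validateInvitationsAllowed(userId, isInvitationsDisabled, lookup);
  } catch (err) {
    // Match on name so the check holds even if a transpiled Error subclass loses its prototype.
    if (err instanceof Error && err.name === "InvitationsNotAllowedError") {
      return { status: 403, body: { error: err.message } };
    }
    throw err; // lookup failure: fail closed, not reported as a policy denial
  }
  return { status: 200, body: { invited: email } };
}

// Constructed sample data: alice's group disables invitations, bob has no group.
const sampleLookup: ConfigLookup = (id) => (id === "alice" ? { disableInvitations: true } : null);
```

A failed permission lookup propagates instead of returning 200, so a database error cannot be used to get an invitation past the check.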

Contributor

@greptile-apps greptile-apps bot left a comment

No files reviewed, no comments

@waleedlatif1 waleedlatif1 merged commit 46417dd into staging Jan 13, 2026
10 checks passed
@waleedlatif1 waleedlatif1 deleted the feat/perms branch January 13, 2026 03:33