fix: org invite scoping

myftija · myftija · commit 61b72193f36c · 2025-09-25T16:39:13.000+02:00
Fixes some scoping issues with team invites.
diff --git a/apps/webapp/app/models/member.server.ts b/apps/webapp/app/models/member.server.ts
@@ -120,10 +120,17 @@ export async function inviteMembers({
   });
 }
 
-export async function getInviteFromToken({ token }: { token: string }) {
+export async function getInviteFromToken({ token, userId }: { token: string; userId: string }) {
   return await prisma.orgMemberInvite.findFirst({
     where: {
       token,
+      organization: {
+        members: {
+          some: {
+            userId,
+          },
+        },
+      },
     },
     include: {
       organization: true,
@@ -153,6 +160,13 @@ export async function acceptInvite({ userId, inviteId }: { userId: string; invit
     const invite = await tx.orgMemberInvite.delete({
       where: {
         id: inviteId,
+        organization: {
+          members: {
+            some: {
+              userId,
+            },
+          },
+        },
       },
       include: {
         organization: {
@@ -188,6 +202,13 @@ export async function acceptInvite({ userId, inviteId }: { userId: string; invit
     const remainingInvites = await tx.orgMemberInvite.findMany({
       where: {
         email: invite.email,
+        organization: {
+          members: {
+            some: {
+              userId,
+            },
+          },
+        },
       },
     });
 
@@ -201,6 +222,13 @@ export async function declineInvite({ userId, inviteId }: { userId: string; invi
     const declinedInvite = await prisma.orgMemberInvite.delete({
       where: {
         id: inviteId,
+        organization: {
+          members: {
+            some: {
+              userId,
+            },
+          },
+        },
       },
       include: {
         organization: true,
@@ -217,17 +245,25 @@ export async function declineInvite({ userId, inviteId }: { userId: string; invi
     const remainingInvites = await prisma.orgMemberInvite.findMany({
       where: {
         email: user!.email,
+        organization: {
+          members: {
+            some: {
+              userId,
+            },
+          },
+        },
       },
     });
 
     return { remainingInvites, organization: declinedInvite.organization };
   });
 }
 
-export async function resendInvite({ inviteId }: { inviteId: string }) {
+export async function resendInvite({ inviteId, userId }: { inviteId: string; userId: string }) {
   return await prisma.orgMemberInvite.update({
     where: {
       id: inviteId,
+      inviterId: userId,
     },
     data: {
       updatedAt: new Date(),
@@ -241,24 +277,24 @@ export async function resendInvite({ inviteId }: { inviteId: string }) {
 
 export async function revokeInvite({
   userId,
-  slug,
+  orgSlug,
   inviteId,
 }: {
   userId: string;
-  slug: string;
+  orgSlug: string;
   inviteId: string;
 }) {
-  const org = await prisma.organization.findFirst({
-    where: { slug, members: { some: { userId } } },
-  });
-
-  if (!org) {
-    throw new Error("User does not have access to this organization");
-  }
   const invite = await prisma.orgMemberInvite.delete({
     where: {
       id: inviteId,
-      organizationId: org.id,
+      organization: {
+        slug: orgSlug,
+        members: {
+          some: {
+            userId,
+          },
+        },
+      },
     },
     select: {
       email: true,
diff --git a/apps/webapp/app/routes/invite-accept.tsx b/apps/webapp/app/routes/invite-accept.tsx
@@ -18,7 +18,13 @@ export async function loader({ request }: LoaderFunctionArgs) {
     );
   }
 
-  const invite = await getInviteFromToken({ token });
+  if (!user) {
+    return redirectWithSuccessMessage("/", request, "Please log in to accept the invite.", {
+      ephemeral: false,
+    });
+  }
+
+  const invite = await getInviteFromToken({ token, userId: user.id });
   if (!invite) {
     return redirectWithErrorMessage(
       "/",
@@ -28,12 +34,6 @@ export async function loader({ request }: LoaderFunctionArgs) {
     );
   }
 
-  if (!user) {
-    return redirectWithSuccessMessage("/", request, "Please log in to accept the invite.", {
-      ephemeral: false,
-    });
-  }
-
   if (invite.email !== user.email) {
     return redirectWithErrorMessage(
       "/",
diff --git a/apps/webapp/app/routes/invite-resend.tsx b/apps/webapp/app/routes/invite-resend.tsx
@@ -1,5 +1,5 @@
 import { parse } from "@conform-to/zod";
-import { ActionFunction, json } from "@remix-run/server-runtime";
+import { type ActionFunction, json } from "@remix-run/server-runtime";
 import { env } from "process";
 import { z } from "zod";
 import { resendInvite } from "~/models/member.server";
@@ -25,6 +25,7 @@ export const action: ActionFunction = async ({ request }) => {
   try {
     const invite = await resendInvite({
       inviteId: submission.value.inviteId,
+      userId,
     });
 
     try {
diff --git a/apps/webapp/app/routes/invite-revoke.tsx b/apps/webapp/app/routes/invite-revoke.tsx
@@ -1,5 +1,5 @@
 import { parse } from "@conform-to/zod";
-import { ActionFunction, json } from "@remix-run/server-runtime";
+import { type ActionFunction, json } from "@remix-run/server-runtime";
 import { z } from "zod";
 import { revokeInvite } from "~/models/member.server";
 import { redirectWithSuccessMessage } from "~/models/message.server";
@@ -24,7 +24,7 @@ export const action: ActionFunction = async ({ request }) => {
   try {
     const { email, organization } = await revokeInvite({
       userId,
-      slug: submission.value.slug,
+      orgSlug: submission.value.slug,
       inviteId: submission.value.inviteId,
     });
 
