Merge pull request #3738 from appwrite/fix-unaccepted-invitation-access

Fix unaccepted invitations giving access to projects
2024-10-02 02:07:04 +13:00 · 2022-09-01 12:50:14 +02:00 · 2022-09-01 12:50:14 +02:00 · 26b6584a39
commit 26b6584a39
parent 4ee3385f53 4e3bfc81b6
4 changed files with 74 additions and 0 deletions
--- a/src/Appwrite/Auth/Auth.php
+++ b/src/Appwrite/Auth/Auth.php
@ -427,6 +427,10 @@ class Auth
        }

        foreach ($user->getAttribute('memberships', []) as $node) {
+            if (!isset($node['confirm']) || !$node['confirm']) {
+                continue;
+            }
+
            if (isset($node['teamId']) && isset($node['roles'])) {
                $roles[] = Role::team($node['teamId'])->toString();

--- a/tests/e2e/Services/Teams/TeamsConsoleClientTest.php
+++ b/tests/e2e/Services/Teams/TeamsConsoleClientTest.php
@ -63,4 +63,67 @@ class TeamsConsoleClientTest extends Scope

        $this->assertEquals(204, $response['headers']['status-code']);
    }
+
+    /**
+     * @depends testCreateTeam
+     */
+    public function testTeamMembershipPerms($data): array
+    {
+        $teamUid = $data['teamUid'] ?? '';
+        $teamName = $data['teamName'] ?? '';
+        $email = uniqid() . 'friend@localhost.test';
+        $name = 'Friend User';
+        $password = 'password';
+
+        // Create a user account before we create a invite so we can check if the user has permissions when it shouldn't
+        $user = $this->client->call(Client::METHOD_POST, '/account', [
+            'content-type' => 'application/json',
+            'x-appwrite-project' => 'console'], [
+            'userId' => 'unique()',
+            'email' => $email,
+            'password' => $password,
+            'name' => $name,
+            ], false);
+
+        $this->assertEquals(201, $user['headers']['status-code']);
+
+        /**
+         * Test for SUCCESS
+         */
+        $response = $this->client->call(Client::METHOD_POST, '/teams/' . $teamUid . '/memberships', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ], $this->getHeaders()), [
+            'email' => $email,
+            'name' => $name,
+            'roles' => ['admin', 'editor'],
+            'url' => 'http://localhost:5000/join-us#title'
+        ]);
+
+        $this->assertEquals(201, $response['headers']['status-code']);
+
+        $response = $this->client->call(Client::METHOD_GET, '/users', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ], $this->getHeaders()));
+        $this->assertEquals(401, $response['headers']['status-code']);
+
+        $response = $this->client->call(Client::METHOD_GET, '/teams/' . $teamUid . '/memberships', array_merge([
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ], $this->getHeaders()));
+
+        $this->assertEquals(200, $response['headers']['status-code']);
+
+        $ownerMembershipUid = $response['body']['memberships'][1]['$id'];
+
+        $response = $this->client->call(Client::METHOD_DELETE, '/teams/' . $teamUid . '/memberships/' . $ownerMembershipUid, array_merge([
+            'origin' => 'http://localhost',
+            'content-type' => 'application/json',
+            'x-appwrite-project' => $this->getProject()['$id'],
+        ], $this->getHeaders()));
+        $this->assertEquals(204, $response['headers']['status-code']);
+
+        return $data;
+    }
 }
--- a/tests/unit/Auth/AuthTest.php
+++ b/tests/unit/Auth/AuthTest.php
@ -353,6 +353,7 @@ class AuthTest extends TestCase
            '$id' => ID::custom('123'),
            'memberships' => [
                [
+                    'confirm' => true,
                    'teamId' => ID::custom('abc'),
                    'roles' => [
                        'administrator',
@ -360,6 +361,7 @@ class AuthTest extends TestCase
                    ]
                ],
                [
+                    'confirm' => true,
                    'teamId' => ID::custom('def'),
                    'roles' => [
                        'guest'
@ -387,6 +389,7 @@ class AuthTest extends TestCase
            '$id' => ID::custom('123'),
            'memberships' => [
                [
+                    'confirm' => true,
                    'teamId' => ID::custom('abc'),
                    'roles' => [
                        'administrator',
@ -394,6 +397,7 @@ class AuthTest extends TestCase
                    ]
                ],
                [
+                    'confirm' => true,
                    'teamId' => ID::custom('def'),
                    'roles' => [
                        'guest'
@ -421,6 +425,7 @@ class AuthTest extends TestCase
            '$id' => ID::custom('123'),
            'memberships' => [
                [
+                    'confirm' => true,
                    'teamId' => ID::custom('abc'),
                    'roles' => [
                        'administrator',
@ -428,6 +433,7 @@ class AuthTest extends TestCase
                    ]
                ],
                [
+                    'confirm' => true,
                    'teamId' => ID::custom('def'),
                    'roles' => [
                        'guest'
--- a/tests/unit/Messaging/MessagingChannelsTest.php
+++ b/tests/unit/Messaging/MessagingChannelsTest.php
@ -54,6 +54,7 @@ class MessagingChannelsTest extends TestCase
                    '$id' => ID::custom('user' . $this->connectionsCount),
                    'memberships' => [
                        [
+                            'confirm' => true,
                            'teamId' => ID::custom('team' . $i),
                            'roles' => [
                                empty($index % 2)