Validate group inputs on invites

michaeljguarino · michaeljguarino · commit e506b1340477 · 2025-07-09T14:11:52.000-04:00
Prevents a very difficult but theoretically possible insertion of a group id into invite requests
diff --git a/apps/core/lib/core/services/accounts.ex b/apps/core/lib/core/services/accounts.ex
@@ -290,6 +290,14 @@ defmodule Core.Services.Accounts do
       |> allow(user, :create)
       |> when_ok(:insert)
     end)
+    |> add_operation(:validate, fn %{invite: invite} ->
+      with %Invite{groups: [_ | _] = groups} <- Core.Repo.preload(invite, [:groups]),
+           true <- Enum.any?(groups, & &1.account_id != aid) do
+        {:error, "you cannot invite users to groups in other accounts"}
+      else
+        _ -> {:ok, invite}
+      end
+    end)
     |> execute(extract: :invite)
     |> notify(:create, user)
   end
diff --git a/apps/core/lib/core/services/base.ex b/apps/core/lib/core/services/base.ex
@@ -18,6 +18,7 @@ defmodule Core.Services.Base do
       _ -> []
     end
   end
+  def find_bindings(%User{id: id}), do: [%{user_id: id}]
   def find_bindings(_), do: []
 
   def ok(val), do: {:ok, val}
diff --git a/apps/core/test/services/accounts_test.exs b/apps/core/test/services/accounts_test.exs
@@ -338,6 +338,29 @@ defmodule Core.Services.AccountsTest do
       assert invite.account_id == account.id
     end
 
+    test "you can invite users into an accounts groups", %{user: user, account: account} do
+      group = insert(:group, account: account)
+      {:ok, invite} = Accounts.create_invite(%{
+        email: "some@example.com",
+        invite_groups: [%{group_id: group.id}]
+      }, user)
+
+      assert invite.email == "some@example.com"
+      assert invite.secure_id
+      assert invite.account_id == account.id
+
+      %{groups: [%{id: id}]} = Core.Repo.preload(invite, [:groups])
+      assert id == group.id
+    end
+
+    test "you cannot invite users into another account's groups", %{user: user} do
+      group = insert(:group)
+      {:error, _} = Accounts.create_invite(%{
+        email: "some@example.com",
+        invite_groups: [%{group_id: group.id}]
+      }, user)
+    end
+
     test "it will not accept invalid emails", %{user: user} do
       {:error, _} = Accounts.create_invite(%{email: "invalidemail"}, user)
     end
diff --git a/apps/graphql/test/mutations/repository_mutation_test.exs b/apps/graphql/test/mutations/repository_mutation_test.exs
@@ -337,8 +337,8 @@ defmodule GraphQl.RepositoryMutationsTest do
       assert provider["redirectUris"] == ["example.com"]
       assert provider["configuration"]["issuer"] == "https://oidc.plural.sh/"
 
-      [%{"group" => g}] = provider["bindings"]
-      assert g["id"] == group.id
+      assert Enum.any?(provider["bindings"], & get_in(&1, ["group", "id"]) == group.id)
+      assert Enum.any?(provider["bindings"], & get_in(&1, ["user", "id"]) == installation.user.id)
     end
 
     test "it will create an user-bound oidc provider" do
@@ -385,8 +385,8 @@ defmodule GraphQl.RepositoryMutationsTest do
       assert provider["redirectUris"] == ["example.com"]
       assert provider["configuration"]["issuer"] == "https://oidc.plural.sh/"
 
-      [%{"group" => g}] = provider["bindings"]
-      assert g["id"] == group.id
+      assert Enum.any?(provider["bindings"], & get_in(&1, ["group", "id"]) == group.id)
+      assert Enum.any?(provider["bindings"], & get_in(&1, ["user", "id"]) == user.id)
     end
   end
 
