Merge pull request #466 from buster-so/dallin/bus-1353-restrict-invite-if-toggled-in-organization

Dallin/bus-1353-restrict-invite-if-toggled-in-organization
2025-07-10 07:41:35 -07:00 · 2025-07-10 07:41:35 -07:00 · 7a5b5e28b8
parent e00736712c caad613297
commit 7a5b5e28b8
6 changed files with 47 additions and 0 deletions
--- a/apps/api/libs/database/src/models.rs
+++ b/apps/api/libs/database/src/models.rs
@ -343,6 +343,9 @@ pub struct Organization {
    pub updated_at: DateTime<Utc>,
    pub deleted_at: Option<DateTime<Utc>>,
    pub payment_required: bool,
+    pub domains: Option<Vec<String>>,
+    pub restrict_new_user_invitations: bool,
+    pub default_role: UserOrganizationRole,
 }

 #[derive(
--- a/apps/api/libs/database/src/schema.rs
+++ b/apps/api/libs/database/src/schema.rs
@ -438,6 +438,9 @@ diesel::table! {
 }

 diesel::table! {
+    use diesel::sql_types::*;
+    use super::sql_types::UserOrganizationRoleEnum;
+
    organizations (id) {
        id -> Uuid,
        name -> Text,
@ -446,6 +449,9 @@ diesel::table! {
        updated_at -> Timestamptz,
        deleted_at -> Nullable<Timestamptz>,
        payment_required -> Bool,
+        domains -> Nullable<Array<Text>>,
+        restrict_new_user_invitations -> Bool,
+        default_role -> UserOrganizationRoleEnum,
    }
 }

--- a/apps/api/libs/handlers/src/organizations/post_organization_handler.rs
+++ b/apps/api/libs/handlers/src/organizations/post_organization_handler.rs
@ -34,6 +34,9 @@ pub async fn post_organization_handler(name: String, user: AuthenticatedUser) ->
        updated_at: now,
        deleted_at: None,
        payment_required: true,
+        domains: None,
+        restrict_new_user_invitations: false,
+        default_role: UserOrganizationRole::RestrictedQuerier,
    };

    insert_into(organizations::table)
--- a/apps/api/libs/handlers/src/users/invite_user_handler.rs
+++ b/apps/api/libs/handlers/src/users/invite_user_handler.rs
@ -51,6 +51,35 @@ pub async fn invite_user_handler(
        .context("Failed to find organization")?;
    let organization_name = organization.name;

+    // Check if the organization has restricted new user invitations
+    if organization.restrict_new_user_invitations {
+        // Get the inviting user's role in the organization
+        let inviter_org_membership = inviting_user
+            .organizations
+            .iter()
+            .find(|org| org.id == organization_id)
+            .context("Inviting user is not a member of the organization")?;
+
+        // Check if the user has admin permissions
+        match inviter_org_membership.role {
+            UserOrganizationRole::WorkspaceAdmin | UserOrganizationRole::DataAdmin => {
+                // User has permission to invite, continue
+                tracing::info!(
+                    user_id = %inviting_user.id,
+                    organization_id = %organization_id,
+                    role = ?inviter_org_membership.role,
+                    "Admin user bypassing invitation restriction"
+                );
+            }
+            _ => {
+                // User does not have permission to invite
+                return Err(anyhow::anyhow!(
+                    "New user invitations have been restricted by the organization administrators. Only workspace admins and data admins can send invites."
+                ));
+            }
+        }
+    }
+
    let inviter_id = inviting_user.id;
    let now = Utc::now();
    let mut successful_emails: Vec<String> = Vec::new();
--- a/apps/api/server/src/routes/rest/routes/users/get_user.rs
+++ b/apps/api/server/src/routes/rest/routes/users/get_user.rs
@ -120,6 +120,9 @@ pub async fn get_user_information(user_id: &Uuid) -> Result<UserInfoObject> {
                organizations::updated_at,
                organizations::deleted_at,
                organizations::payment_required,
+                organizations::domains,
+                organizations::restrict_new_user_invitations,
+                organizations::default_role,
            )
                .nullable(),
            users_to_organizations::role.nullable(),
--- a/apps/api/server/src/routes/ws/ws_utils.rs
+++ b/apps/api/server/src/routes/ws/ws_utils.rs
@ -410,6 +410,9 @@ pub async fn get_user_information(user_id: &Uuid) -> Result<UserInfoObject> {
                organizations::updated_at,
                organizations::deleted_at,
                organizations::payment_required,
+                organizations::domains,
+                organizations::restrict_new_user_invitations,
+                organizations::default_role,
            )
                .nullable(),
            users_to_organizations::role.nullable(),