Check role access when inviting users

2026-01-28 22:00:51 +00:00 · 2025-10-27 20:51:16 -07:00
parent 52dc8e011c
commit 9e5c9d9c34
1 changed files with 22 additions and 1 deletions
--- a/server/routers/user/inviteUser.ts
+++ b/server/routers/user/inviteUser.ts
@@ -1,7 +1,7 @@
 import { Request, Response, NextFunction } from "express";
 import { z } from "zod";
 import { db } from "@server/db";
-import { orgs, userInvites, userOrgs, users } from "@server/db";
+import { orgs, roles, userInvites, userOrgs, users } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import response from "@server/lib/response";
 import HttpCode from "@server/types/HttpCode";
@@ -109,6 +109,27 @@ export async function inviteUser(
            );
        }

+        // Validate that the roleId belongs to the target organization
+        const [role] = await db
+            .select()
+            .from(roles)
+            .where(
+                and(
+                    eq(roles.roleId, roleId),
+                    eq(roles.orgId, orgId)
+                )
+            )
+            .limit(1);
+
+        if (!role) {
+            return next(
+                createHttpError(
+                    HttpCode.BAD_REQUEST,
+                    "Invalid role ID or role does not belong to this organization"
+                )
+            );
+        }
+
        if (build == "saas") {
            const usage = await usageService.getUsage(orgId, FeatureId.USERS);
            if (!usage) {