feat(group/project): Only org admin/owners can invite new users (#2212)

javirln · web-flow · commit ebb0be4ab80e · 2025-07-07T16:30:30.000+02:00
Signed-off-by: Javier Rodriguez &lt;javier@chainloop.dev&gt;
diff --git a/app/controlplane/cmd/wire_gen.go b/app/controlplane/cmd/wire_gen.go
diff --git a/app/controlplane/pkg/authz/authz.go b/app/controlplane/pkg/authz/authz.go
@@ -35,22 +35,23 @@ const (
 
 	// Resources
 
-	ResourceWorkflowContract      = "workflow_contract"
-	ResourceCASArtifact           = "cas_artifact"
-	ResourceCASBackend            = "cas_backend"
-	ResourceReferrer              = "referrer"
-	ResourceAvailableIntegration  = "integration_available"
-	ResourceRegisteredIntegration = "integration_registered"
-	ResourceAttachedIntegration   = "integration_attached"
-	ResourceOrgMetric             = "metrics_org"
-	ResourceRobotAccount          = "robot_account"
-	ResourceWorkflowRun           = "workflow_run"
-	ResourceWorkflow              = "workflow"
-	Organization                  = "organization"
-	ResourceGroup                 = "group"
-	ResourceGroupMembership       = "group_membership"
-	ResourceProjectAPIToken       = "project_api_token"
-	ResourceProjectMembership     = "project_membership"
+	ResourceWorkflowContract        = "workflow_contract"
+	ResourceCASArtifact             = "cas_artifact"
+	ResourceCASBackend              = "cas_backend"
+	ResourceReferrer                = "referrer"
+	ResourceAvailableIntegration    = "integration_available"
+	ResourceRegisteredIntegration   = "integration_registered"
+	ResourceAttachedIntegration     = "integration_attached"
+	ResourceOrgMetric               = "metrics_org"
+	ResourceRobotAccount            = "robot_account"
+	ResourceWorkflowRun             = "workflow_run"
+	ResourceWorkflow                = "workflow"
+	Organization                    = "organization"
+	ResourceGroup                   = "group"
+	ResourceGroupMembership         = "group_membership"
+	ResourceProjectAPIToken         = "project_api_token"
+	ResourceProjectMembership       = "project_membership"
+	ResourceOrganizationInvitations = "organization_invitations"
 
 	// We have for now three roles, viewer, admin and owner
 	// The owner of an org
@@ -158,6 +159,8 @@ var (
 	PolicyProjectAddMemberships    = &Policy{ResourceProjectMembership, ActionCreate}
 	PolicyProjectUpdateMemberships = &Policy{ResourceProjectMembership, ActionUpdate}
 	PolicyProjectRemoveMemberships = &Policy{ResourceProjectMembership, ActionDelete}
+	// Organization Invitations
+	PolicyOrganizationInvitationsCreate = &Policy{ResourceOrganizationInvitations, ActionCreate}
 )
 
 // RolesMap The default list of policies for each role
@@ -200,6 +203,8 @@ var RolesMap = map[Role][]*Policy{
 		// We do a manual check in the artifact upload endpoint
 		// so we need the actual policy in place skipping it is not enough
 		PolicyArtifactUpload,
+		// We manually check this policy to be able to know if the user can invite users to the system
+		PolicyOrganizationInvitationsCreate,
 		// + all the policies from the viewer role inherited automatically
 	},
 	// RoleOrgMember is an org-scoped role that enables RBAC in the underlying resources. Users with this role at
diff --git a/app/controlplane/pkg/biz/group.go b/app/controlplane/pkg/biz/group.go
@@ -166,7 +166,8 @@ type UpdateMemberMaintainerStatusOpts struct {
 
 type GroupUseCase struct {
 	// logger is used to log messages.
-	logger *log.Helper
+	logger   *log.Helper
+	enforcer *authz.Enforcer
 	// Repositories
 	groupRepo         GroupRepo
 	membershipRepo    MembershipRepo
@@ -177,7 +178,7 @@ type GroupUseCase struct {
 	auditorUC       *AuditorUseCase
 }
 
-func NewGroupUseCase(logger log.Logger, groupRepo GroupRepo, membershipRepo MembershipRepo, userRepo UserRepo, orgInvitationUC *OrgInvitationUseCase, auditorUC *AuditorUseCase, invitationRepo OrgInvitationRepo) *GroupUseCase {
+func NewGroupUseCase(logger log.Logger, groupRepo GroupRepo, membershipRepo MembershipRepo, userRepo UserRepo, orgInvitationUC *OrgInvitationUseCase, auditorUC *AuditorUseCase, invitationRepo OrgInvitationRepo, enforcer *authz.Enforcer) *GroupUseCase {
 	return &GroupUseCase{
 		logger:            log.NewHelper(log.With(logger, "component", "biz/group")),
 		groupRepo:         groupRepo,
@@ -186,6 +187,7 @@ func NewGroupUseCase(logger log.Logger, groupRepo GroupRepo, membershipRepo Memb
 		orgInvitationUC:   orgInvitationUC,
 		auditorUC:         auditorUC,
 		orgInvitationRepo: invitationRepo,
+		enforcer:          enforcer,
 	}
 }
 
@@ -501,6 +503,21 @@ func (uc *GroupUseCase) handleNonExistingUser(ctx context.Context, orgID, groupI
 		return nil, NewErrAlreadyExistsStr("user is already invited to the organization")
 	}
 
+	// Check if the requester is an admin or owner of the organization
+	requesterMembership, err := uc.membershipRepo.FindByOrgAndUser(ctx, orgID, opts.RequesterID)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check requester's role: %w", err)
+	}
+
+	pass, err := uc.enforcer.Enforce(string(requesterMembership.Role), authz.PolicyOrganizationInvitationsCreate)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check requester's role: %w", err)
+	}
+
+	if !pass {
+		return nil, NewErrValidationStr("only organization admins or owners can invite new users")
+	}
+
 	// Create an organization invitation with group context
 	invitationContext := &OrgInvitationContext{
 		GroupIDToJoin:   groupID,
diff --git a/app/controlplane/pkg/biz/group_integration_test.go b/app/controlplane/pkg/biz/group_integration_test.go
@@ -566,7 +566,7 @@ func (s *groupMembersIntegrationTestSuite) SetupTest() {
 	assert.NoError(err)
 
 	// Add user to organization
-	_, err = s.Membership.Create(ctx, s.org.ID, s.user.ID)
+	_, err = s.Membership.Create(ctx, s.org.ID, s.user.ID, biz.WithMembershipRole(authz.RoleAdmin))
 	assert.NoError(err)
 
 	// Create a group for membership tests
diff --git a/app/controlplane/pkg/biz/project.go b/app/controlplane/pkg/biz/project.go
@@ -52,7 +52,8 @@ type ProjectsRepo interface {
 
 // ProjectUseCase is a use case for projects
 type ProjectUseCase struct {
-	logger *log.Helper
+	logger   *log.Helper
+	enforcer *authz.Enforcer
 	// Use Cases
 	auditorUC       *AuditorUseCase
 	groupUC         *GroupUseCase
@@ -142,7 +143,7 @@ type AddMemberToProjectResult struct {
 	InvitationSent bool
 }
 
-func NewProjectsUseCase(logger log.Logger, projectsRepository ProjectsRepo, membershipRepository MembershipRepo, auditorUC *AuditorUseCase, groupUC *GroupUseCase, membershipUC *MembershipUseCase, orgInvitationUC *OrgInvitationUseCase, orgInvitationRepo OrgInvitationRepo) *ProjectUseCase {
+func NewProjectsUseCase(logger log.Logger, projectsRepository ProjectsRepo, membershipRepository MembershipRepo, auditorUC *AuditorUseCase, groupUC *GroupUseCase, membershipUC *MembershipUseCase, orgInvitationUC *OrgInvitationUseCase, orgInvitationRepo OrgInvitationRepo, enforcer *authz.Enforcer) *ProjectUseCase {
 	return &ProjectUseCase{
 		logger:               servicelogger.ScopedHelper(logger, "biz/project"),
 		projectsRepository:   projectsRepository,
@@ -152,6 +153,7 @@ func NewProjectsUseCase(logger log.Logger, projectsRepository ProjectsRepo, memb
 		membershipUC:         membershipUC,
 		orgInvitationUC:      orgInvitationUC,
 		orgInvitationRepo:    orgInvitationRepo,
+		enforcer:             enforcer,
 	}
 }
 
@@ -337,6 +339,7 @@ func (uc *ProjectUseCase) addUserToProject(ctx context.Context, orgID uuid.UUID,
 }
 
 // handleNonExistingUser creates an invitation for a user not yet in the organization with project context
+// Only sends an invitation if the requester is an admin or owner of the organization
 func (uc *ProjectUseCase) handleNonExistingUser(ctx context.Context, orgID, projectID uuid.UUID, opts *AddMemberToProjectOpts) (*AddMemberToProjectResult, error) {
 	// Check if the user email is already invited to the organization
 	invitation, err := uc.orgInvitationRepo.PendingInvitation(ctx, orgID, opts.UserEmail)
@@ -349,6 +352,21 @@ func (uc *ProjectUseCase) handleNonExistingUser(ctx context.Context, orgID, proj
 		return nil, NewErrAlreadyExistsStr("user is already invited to the organization")
 	}
 
+	// Check if the requester is an admin or owner of the organization
+	requesterMembership, err := uc.membershipUC.FindByOrgAndUser(ctx, orgID.String(), opts.RequesterID.String())
+	if err != nil {
+		return nil, fmt.Errorf("failed to check requester's role: %w", err)
+	}
+
+	pass, err := uc.enforcer.Enforce(string(requesterMembership.Role), authz.PolicyOrganizationInvitationsCreate)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check requester's role: %w", err)
+	}
+
+	if !pass {
+		return nil, NewErrValidationStr("only organization admins or owners can invite new users")
+	}
+
 	// Create an organization invitation with project context
 	invitationContext := &OrgInvitationContext{
 		ProjectIDToJoin: projectID,
diff --git a/app/controlplane/pkg/biz/project_integration_test.go b/app/controlplane/pkg/biz/project_integration_test.go
@@ -309,7 +309,7 @@ func (s *projectMembersIntegrationTestSuite) TestAddMemberToProject() {
 		result, err := s.Project.AddMemberToProject(ctx, uuid.MustParse(s.org.ID), opts)
 		s.NoError(err)
 		s.NotNil(result)
-		s.True(result.InvitationSent, "An invitation should be sent for users not in the organization")
+		s.True(result.InvitationSent, "An invitation should be sent for users not in the organization when requester is an org admin")
 		s.Nil(result.Membership, "No membership should be created directly")
 
 		// Verify an invitation was created
@@ -334,23 +334,73 @@ func (s *projectMembersIntegrationTestSuite) TestAddMemberToProject() {
 		s.Equal(authz.RoleProjectViewer, foundInvitation.Context.ProjectRole)
 	})
 
-	s.Run("add member who is already in the project", func() {
-		// Try to add user2 again (who we added in the first test)
-		opts := &biz.AddMemberToProjectOpts{
+	s.Run("project admin (non-org admin) should not be able to invite new users", func() {
+		// Create a project admin who is not an org admin
+		projectAdminUser, err := s.User.UpsertByEmail(ctx, "project-admin@example.com", nil)
+		require.NoError(s.T(), err)
+
+		// Add user to organization as a regular member (not org admin)
+		_, err = s.Membership.Create(ctx, s.org.ID, projectAdminUser.ID, biz.WithMembershipRole(authz.RoleOrgMember), biz.WithCurrentMembership())
+		require.NoError(s.T(), err)
+
+		// Add user to project as a project admin
+		projectAdminOpts := &biz.AddMemberToProjectOpts{
 			ProjectReference: projectRef,
-			UserEmail:        "add-user2@example.com",
-			RequesterID:      uuid.MustParse(s.user.ID),
+			UserEmail:        "project-admin@example.com",
+			RequesterID:      uuid.MustParse(s.user.ID), // Using the org admin to add them
 			Role:             authz.RoleProjectAdmin,
 		}
+		_, err = s.Project.AddMemberToProject(ctx, uuid.MustParse(s.org.ID), projectAdminOpts)
+		require.NoError(s.T(), err)
 
-		_, err := s.Project.AddMemberToProject(ctx, uuid.MustParse(s.org.ID), opts)
+		// Create a new user who is not in the organization
+		nonExistingEmail := "not-in-org-2@example.com"
+		_, err = s.User.UpsertByEmail(ctx, nonExistingEmail, nil)
+		require.NoError(s.T(), err)
+
+		// Try to add the non-existing user using the project admin
+		opts := &biz.AddMemberToProjectOpts{
+			ProjectReference: projectRef,
+			UserEmail:        nonExistingEmail,
+			RequesterID:      uuid.MustParse(projectAdminUser.ID),
+			Role:             authz.RoleProjectViewer,
+		}
+
+		// The invitation should be rejected
+		_, err = s.Project.AddMemberToProject(ctx, uuid.MustParse(s.org.ID), opts)
 		s.Error(err)
-		s.True(biz.IsErrAlreadyExists(err))
+		s.True(biz.IsErrValidation(err))
+		s.Contains(err.Error(), "only organization admins or owners can invite new users")
+	})
 
-		// Verify the number of members hasn't changed
-		_, count, err := s.Project.ListMembers(ctx, uuid.MustParse(s.org.ID), projectRef, nil)
+	s.Run("org owner should be able to invite new users", func() {
+		// Create an org owner
+		orgOwnerUser, err := s.User.UpsertByEmail(ctx, "org-owner@example.com", nil)
+		require.NoError(s.T(), err)
+
+		// Add user to organization as an owner
+		_, err = s.Membership.Create(ctx, s.org.ID, orgOwnerUser.ID, biz.WithMembershipRole(authz.RoleOwner), biz.WithCurrentMembership())
+		require.NoError(s.T(), err)
+
+		// Create a new user who is not in the organization
+		nonExistingEmail := "not-in-org-3@example.com"
+		_, err = s.User.UpsertByEmail(ctx, nonExistingEmail, nil)
+		require.NoError(s.T(), err)
+
+		// Try to add the non-existing user using the org owner
+		opts := &biz.AddMemberToProjectOpts{
+			ProjectReference: projectRef,
+			UserEmail:        nonExistingEmail,
+			RequesterID:      uuid.MustParse(orgOwnerUser.ID),
+			Role:             authz.RoleProjectViewer,
+		}
+
+		// The invitation should be sent successfully
+		result, err := s.Project.AddMemberToProject(ctx, uuid.MustParse(s.org.ID), opts)
 		s.NoError(err)
-		s.Equal(2, count) // still the original 2 members
+		s.NotNil(result)
+		s.True(result.InvitationSent, "An invitation should be sent for users not in the organization when requester is an org owner")
+		s.Nil(result.Membership, "No membership should be created directly")
 	})
 }
 
diff --git a/app/controlplane/pkg/biz/testhelpers/wire_gen.go b/app/controlplane/pkg/biz/testhelpers/wire_gen.go
