From 2ab8a4ae6d3c1073f7de2e6204d276069617a73e Mon Sep 17 00:00:00 2001
From: Domagoj Kriskovic
Date: Thu, 13 Feb 2025 10:20:07 +0100
Subject: [PATCH] Validate privilege levels when sending /invite request (#23533)
* Validate privilege levels when sending /invite request
* add acceptance tests
GitOrigin-RevId: 4ccd0ad3504c3c5770f5ee2b2f6d34ef746d1430
---
 .../Collaborators/CollaboratorsRouter.mjs | 12 +++++
 .../acceptance/src/ProjectInviteTests.mjs | 54 +++++++++++++++++++
 2 files changed, 66 insertions(+)
diff --git a/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs b/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs
index a057e1d8fe..63a88c10e2 100644
--- a/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs
+++ b/services/web/app/src/Features/Collaborators/CollaboratorsRouter.mjs
@@ -103,6 +103,18 @@ export default {
 }),
 CaptchaMiddleware.validateCaptcha('invite'),
 AuthenticationController.requireLogin(),
+ validate({
+ body: Joi.object({
+ email: Joi.string().required(),
+ privileges: Joi.string()
+ .valid(
+ PrivilegeLevels.READ_ONLY,
+ PrivilegeLevels.READ_AND_WRITE,
+ PrivilegeLevels.REVIEW
+ )
+ .required(),
+ }),
+ }),
 AuthorizationMiddleware.ensureUserCanAdminProject,
 CollaboratorsInviteController.inviteToProject
 )
diff --git a/services/web/test/acceptance/src/ProjectInviteTests.mjs b/services/web/test/acceptance/src/ProjectInviteTests.mjs
index 319d8f9ed1..df13d71d37 100644
--- a/services/web/test/acceptance/src/ProjectInviteTests.mjs
+++ b/services/web/test/acceptance/src/ProjectInviteTests.mjs
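Review bot: `email: Joi.string().required()` in the CollaboratorsRouter.mjs hunk only checks the type, so an oversized or malformed address still passes this gate and reaches `CollaboratorsInviteController.inviteToProject`; unless the controller already parses and bounds it (not visible here), add a length cap such as `email: Joi.string().max(254).required(),`. The schema also names only `email` and `privileges`, and Joi objects reject unknown keys by default, so confirm that nothing else this route reads from the JSON body (for instance whatever `CaptchaMiddleware.validateCaptcha('invite')` consumes, if that travels in the body) is turned into a 400 by the new middleware. A short comment above `.valid(` such as `// allow-list: only levels that may be granted through an invite` would keep the list from being widened casually. The route definition starts and ends outside the hunk.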
@@ -361,6 +361,60 @@ describe('ProjectInviteTests', function () {
 )
 })

+ it('should fail if email is not a string', function (done) {
+ this.sendingUser.getCsrfToken(err => {
+ if (err) {
+ return done(err)
+ }
+ this.sendingUser.request.post(
+ {
+ uri: `/project/${this.projectId}/invite`,
+ json: {
+ email: {},
+ privileges: 'readAndWrite',
+ },
+ },
+ (err, response, body) => {
+ if (err) {
+ return done(err)
+ }
+ expect(response.statusCode).to.equal(400)
+ expect(response.body.validation.body.message).to.equal(
+ '"email" must be a string'
+ )
+ done()
+ }
+ )
+ })
+ })
+
+ it('should fail on invalid privileges', function (done) {
+ this.sendingUser.getCsrfToken(err => {
+ if (err) {
+ return done(err)
+ }
+ this.sendingUser.request.post(
+ {
+ uri: `/project/${this.projectId}/invite`,
+ json: {
+ email: this.email,
+ privileges: 'invalid-privilege',
+ },
+ },
+ (err, response, body) => {
+ if (err) {
+ return done(err)
+ }
+ expect(response.statusCode).to.equal(400)
+ expect(response.body.validation.body.message).to.equal(
+ '"privileges" must be one of [readOnly, readAndWrite, review]'
+ )
+ done()
+ }
+ )
+ })
+ })
+
 it('should allow the project owner to create and remove invites', function (done) {
 Async.series(
 [
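Review bot: The two added cases cover a non-string `email` and a made-up privilege string, but not the requests the allow-list exists to stop: a privilege value that is defined in `PrivilegeLevels` yet absent from the route's `.valid(...)` list, and a body that omits `privileges` altogether. Adding a case per gap, each asserting `expect(response.statusCode).to.equal(400)`, would pin the `.required()` and allow-list behaviour independently of Joi's message text, which the current assertions match verbatim and which can change across Joi versions. The unused `body` parameter in `(err, response, body) => {` can be dropped, since the assertions read `response.body`. The enclosing `describe` block starts and ends outside the hunk.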