Do not allow for users to self-resolve their own invitations (#3709)

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
mindersec · Jun 25, 2024 · 98373ad · 98373ad
1 parent 8500b71
commit 98373ad
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/internal/controlplane/handlers_user.go b/internal/controlplane/handlers_user.go
@@ -333,6 +333,11 @@ func (s *Server) ResolveInvitation(ctx context.Context, req *pb.ResolveInvitatio
 		return nil, status.Errorf(codes.Internal, "failed to get invitation: %s", err)
 	}
 
+	// Check if the user is trying to resolve their own invitation
+	if err = isUserSelfResolving(ctx, s.store, userInvite); err != nil {
+		return nil, err
+	}
+
 	// Check if the invitation is expired
 	if invite.IsExpired(userInvite.UpdatedAt) {
 		return nil, util.UserVisibleError(codes.PermissionDenied, "invitation expired")
@@ -405,3 +410,19 @@ func (s *Server) acceptInvitation(ctx context.Context, userInvite db.GetInvitati
 	}
 	return nil
 }
+
+// isUserSelfResolving is used to prevent if the user is trying to resolve an invitation they created
+func isUserSelfResolving(ctx context.Context, store db.Store, i db.GetInvitationByCodeRow) error {
+	// Get current user data
+	currentUser, err := store.GetUserBySubject(ctx, auth.GetUserSubjectFromContext(ctx))
+	if err != nil {
+		return status.Errorf(codes.Internal, "failed to get user: %s", err)
+	}
+
+	// Check if the user is trying to resolve their own invitation
+	if currentUser.ID == i.Sponsor {
+		return util.UserVisibleError(codes.InvalidArgument, "user cannot resolve their own invitation")
+	}
+
+	return nil
+}