coolify/app/Livewire/Team/InviteLink.php

<?php

namespace App\Livewire\Team;

use App\Models\TeamInvitation;
use App\Models\User;
use Illuminate\Foundation\Auth\Access\AuthorizesRequests;
use Illuminate\Notifications\Messages\MailMessage;
use Illuminate\Support\Facades\Crypt;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Str;
use Livewire\Component;
use Visus\Cuid2\Cuid2;

class InviteLink extends Component
{
    use AuthorizesRequests;

    public string $email;

    public string $role = 'member';

    protected $rules = [
        'email' => 'required|email',
        'role' => 'required|string',
    ];

    public function mount()
    {
        $this->email = isDev() ? 'test3@example.com' : '';
    }

    public function viaEmail()
    {
        $this->generateInviteLink(sendEmail: true);
    }

    public function viaLink()
    {
        $this->generateInviteLink(sendEmail: false);
    }

    private function generateInviteLink(bool $sendEmail = false)
    {
        try {
            $this->authorize('manageInvitations', currentTeam());
            $this->validate();

            // Prevent privilege escalation: users cannot invite someone with higher privileges
            $userRole = auth()->user()->role();
            if (is_null($userRole) || ($userRole === 'member' && in_array($this->role, ['admin', 'owner']))) {
                throw new \Exception('Members cannot invite admins or owners.');
            }
            if ($userRole === 'admin' && $this->role === 'owner') {
                throw new \Exception('Admins cannot invite owners.');
            }

            $this->email = strtolower($this->email);

            $member_emails = currentTeam()->members()->get()->pluck('email');
            if ($member_emails->contains($this->email)) {
                return handleError(livewire: $this, customErrorMessage: "$this->email is already a member of ".currentTeam()->name.'.');
            }
            $uuid = new Cuid2(32);
            $link = url('/').config('constants.invitation.link.base_url').$uuid;
            $user = User::whereEmail($this->email)->first();

            if (is_null($user)) {
                $password = Str::password();
                $user = User::create([
                    'name' => str($this->email)->before('@'),
                    'email' => $this->email,
                    'password' => Hash::make($password),
                    'force_password_reset' => true,
                ]);
                $token = Crypt::encryptString("{$user->email}@@@$password");
                $link = route('auth.link', ['token' => $token]);
            }
            $invitation = TeamInvitation::whereEmail($this->email)->first();
            if (! is_null($invitation)) {
                $invitationValid = $invitation->isValid();
                if ($invitationValid) {
                    return handleError(livewire: $this, customErrorMessage: "Pending invitation already exists for $this->email.");
                } else {
                    $invitation->delete();
                }
            }

            $invitation = TeamInvitation::firstOrCreate([
                'team_id' => currentTeam()->id,
                'uuid' => $uuid,
                'email' => $this->email,
                'role' => $this->role,
                'link' => $link,
                'via' => $sendEmail ? 'email' : 'link',
            ]);
            if ($sendEmail) {
                $mail = new MailMessage;
                $mail->view('emails.invitation-link', [
                    'team' => currentTeam()->name,
                    'invitation_link' => $link,
                ]);
                $mail->subject('You have been invited to '.currentTeam()->name.' on '.config('app.name').'.');
                send_user_an_email($mail, $this->email);
                $this->dispatch('success', 'Invitation sent via email.');
                $this->dispatch('refreshInvitations');

                return;
            } else {
                $this->dispatch('success', 'Invitation link generated.');
                $this->dispatch('refreshInvitations');
            }
        } catch (\Throwable $e) {
            $error_message = $e->getMessage();
            if ($e->getCode() === '23505') {
                $error_message = 'Invitation already sent.';
            }

            return handleError(error: $e, livewire: $this, customErrorMessage: $error_message);
        }
    }
}
roles 2023-06-09 13:55:21 +00:00			`<?php`

wip: migrate to livewire 3 2023-12-07 18:06:32 +00:00			`namespace App\Livewire\Team;`
roles 2023-06-09 13:55:21 +00:00
			`use App\Models\TeamInvitation;`
			`use App\Models\User;`
feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 08:27:31 +00:00			`use Illuminate\Foundation\Auth\Access\AuthorizesRequests;`
fix: invitation 2023-09-15 09:19:36 +00:00			`use Illuminate\Notifications\Messages\MailMessage;`
			`use Illuminate\Support\Facades\Crypt;`
			`use Illuminate\Support\Facades\Hash;`
			`use Illuminate\Support\Str;`
Fix styling 2024-06-10 20:43:34 +00:00			`use Livewire\Component;`
			`use Visus\Cuid2\Cuid2;`
roles 2023-06-09 13:55:21 +00:00
			`class InviteLink extends Component`
			`{`
feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 08:27:31 +00:00			`use AuthorizesRequests;`

roles 2023-06-09 13:55:21 +00:00			`public string $email;`
Fix styling 2024-06-10 20:43:34 +00:00
updates 2023-06-12 10:00:01 +00:00			`public string $role = 'member';`
testing php storm code cleanup and styling 2023-08-08 09:51:36 +00:00
fix: allow invitations via email 2024-05-31 09:03:43 +00:00			`protected $rules = [`
			`'email' => 'required\|email',`
			`'role' => 'required\|string',`
			`];`
Fix styling 2024-06-10 20:43:34 +00:00
roles 2023-06-09 13:55:21 +00:00			`public function mount()`
			`{`
show public key of generated private key 2023-08-27 13:23:47 +00:00			`$this->email = isDev() ? 'test3@example.com' : '';`
roles 2023-06-09 13:55:21 +00:00			`}`
testing php storm code cleanup and styling 2023-08-08 09:51:36 +00:00
updates 2023-06-12 10:00:01 +00:00			`public function viaEmail()`
			`{`
refactor(invitation): rename methods for consistency and enhance invitation deletion logic 2025-06-25 09:45:55 +00:00			`$this->generateInviteLink(sendEmail: true);`
updates 2023-06-12 10:00:01 +00:00			`}`
testing php storm code cleanup and styling 2023-08-08 09:51:36 +00:00
fix: invitation 2023-09-15 09:19:36 +00:00			`public function viaLink()`
			`{`
refactor(invitation): rename methods for consistency and enhance invitation deletion logic 2025-06-25 09:45:55 +00:00			`$this->generateInviteLink(sendEmail: false);`
fix: invitation 2023-09-15 09:19:36 +00:00			`}`
Fix styling 2024-06-10 20:43:34 +00:00
refactor(invitation): rename methods for consistency and enhance invitation deletion logic 2025-06-25 09:45:55 +00:00			`private function generateInviteLink(bool $sendEmail = false)`
roles 2023-06-09 13:55:21 +00:00			`{`
			`try {`
feat(acl): Change views/backend code to able to use proper ACL's later on. Currently it is not enabled. 2025-08-26 08:27:31 +00:00			`$this->authorize('manageInvitations', currentTeam());`
fix: allow invitations via email 2024-05-31 09:03:43 +00:00			`$this->validate();`
fix: critical privilege escalation in team invitation system This commit addresses a critical security vulnerability where low-privileged users (members) could invite high-privileged users (admins/owners) to teams, allowing them to escalate their own privileges through password reset. Root Causes Fixed: 1. TeamPolicy authorization checks were commented out, allowing all team members to manage invitations instead of just admins/owners 2. Missing role elevation checks in InviteLink component allowed members to invite users with higher privileges Security Fixes: 1. app/Policies/TeamPolicy.php - Uncommented and enforced authorization checks for: * update() - Only admins/owners can update team settings * delete() - Only admins/owners can delete teams * manageMembers() - Only admins/owners can manage team members * viewAdmin() - Only admins/owners can view admin panel * manageInvitations() - Only admins/owners can manage invitations 2. app/Livewire/Team/InviteLink.php - Added explicit role elevation checks to prevent: * Members from inviting admins or owners * Admins from inviting owners (defense-in-depth) - Validates that inviter has sufficient privileges for target role Test Coverage: 1. tests/Feature/TeamPolicyTest.php - 24 comprehensive tests covering all policy methods - Tests for owner, admin, member, and non-member access - Specific tests for the privilege escalation vulnerability 2. tests/Feature/TeamInvitationPrivilegeEscalationTest.php - 11 tests covering all role elevation scenarios - Tests member → admin/owner escalation (blocked) - Tests admin → owner escalation (blocked) - Tests valid invitation paths for each role Impact: - Prevents privilege escalation attacks - Protects all Coolify instances from unauthorized access - Enforces proper role hierarchy in team management References: - Identified by Aikido AI whitebox pentest service - CVE: Pending assignment - Severity: Critical 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-10-15 09:42:25 +00:00
			`// Prevent privilege escalation: users cannot invite someone with higher privileges`
			`$userRole = auth()->user()->role();`
fix(user): complete User model fixes for non-web contexts - Fix currentTeam() to return null instead of crashing when no session - Fix role() to use $this->currentTeam() instead of global helper - Add roleInTeam() method for explicit team context - Remove unused otherTeams() method - Fix InviteLink authorization bypass when role() returns null - Fix confirmEmailChange() null safety for currentTeam() - Fix ActivityMonitor to handle null currentTeam with fallback chain 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2025-12-28 12:26:52 +00:00			`if (is_null($userRole) \|\| ($userRole === 'member' && in_array($this->role, ['admin', 'owner']))) {`
fix: critical privilege escalation in team invitation system This commit addresses a critical security vulnerability where low-privileged users (members) could invite high-privileged users (admins/owners) to teams, allowing them to escalate their own privileges through password reset. Root Causes Fixed: 1. TeamPolicy authorization checks were commented out, allowing all team members to manage invitations instead of just admins/owners 2. Missing role elevation checks in InviteLink component allowed members to invite users with higher privileges Security Fixes: 1. app/Policies/TeamPolicy.php - Uncommented and enforced authorization checks for: * update() - Only admins/owners can update team settings * delete() - Only admins/owners can delete teams * manageMembers() - Only admins/owners can manage team members * viewAdmin() - Only admins/owners can view admin panel * manageInvitations() - Only admins/owners can manage invitations 2. app/Livewire/Team/InviteLink.php - Added explicit role elevation checks to prevent: * Members from inviting admins or owners * Admins from inviting owners (defense-in-depth) - Validates that inviter has sufficient privileges for target role Test Coverage: 1. tests/Feature/TeamPolicyTest.php - 24 comprehensive tests covering all policy methods - Tests for owner, admin, member, and non-member access - Specific tests for the privilege escalation vulnerability 2. tests/Feature/TeamInvitationPrivilegeEscalationTest.php - 11 tests covering all role elevation scenarios - Tests member → admin/owner escalation (blocked) - Tests admin → owner escalation (blocked) - Tests valid invitation paths for each role Impact: - Prevents privilege escalation attacks - Protects all Coolify instances from unauthorized access - Enforces proper role hierarchy in team management References: - Identified by Aikido AI whitebox pentest service - CVE: Pending assignment - Severity: Critical 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-10-15 09:42:25 +00:00			`throw new \Exception('Members cannot invite admins or owners.');`
			`}`
			`if ($userRole === 'admin' && $this->role === 'owner') {`
fix: admins should now invite owner 2024-10-24 18:57:30 +00:00			`throw new \Exception('Admins cannot invite owners.');`
			`}`
fix: critical privilege escalation in team invitation system This commit addresses a critical security vulnerability where low-privileged users (members) could invite high-privileged users (admins/owners) to teams, allowing them to escalate their own privileges through password reset. Root Causes Fixed: 1. TeamPolicy authorization checks were commented out, allowing all team members to manage invitations instead of just admins/owners 2. Missing role elevation checks in InviteLink component allowed members to invite users with higher privileges Security Fixes: 1. app/Policies/TeamPolicy.php - Uncommented and enforced authorization checks for: * update() - Only admins/owners can update team settings * delete() - Only admins/owners can delete teams * manageMembers() - Only admins/owners can manage team members * viewAdmin() - Only admins/owners can view admin panel * manageInvitations() - Only admins/owners can manage invitations 2. app/Livewire/Team/InviteLink.php - Added explicit role elevation checks to prevent: * Members from inviting admins or owners * Admins from inviting owners (defense-in-depth) - Validates that inviter has sufficient privileges for target role Test Coverage: 1. tests/Feature/TeamPolicyTest.php - 24 comprehensive tests covering all policy methods - Tests for owner, admin, member, and non-member access - Specific tests for the privilege escalation vulnerability 2. tests/Feature/TeamInvitationPrivilegeEscalationTest.php - 11 tests covering all role elevation scenarios - Tests member → admin/owner escalation (blocked) - Tests admin → owner escalation (blocked) - Tests valid invitation paths for each role Impact: - Prevents privilege escalation attacks - Protects all Coolify instances from unauthorized access - Enforces proper role hierarchy in team management References: - Identified by Aikido AI whitebox pentest service - CVE: Pending assignment - Severity: Critical 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> 2025-10-15 09:42:25 +00:00
fix(team): normalize email case in invite link generation 2025-09-25 07:32:39 +00:00			`$this->email = strtolower($this->email);`

wip: boarding 2023-08-22 15:44:49 +00:00			`$member_emails = currentTeam()->members()->get()->pluck('email');`
updates 2023-06-12 10:00:01 +00:00			`if ($member_emails->contains($this->email)) {`
Fix styling 2024-06-10 20:43:34 +00:00			`return handleError(livewire: $this, customErrorMessage: "$this->email is already a member of ".currentTeam()->name.'.');`
updates 2023-06-12 10:00:01 +00:00			`}`
fix: invitation 2023-09-15 09:19:36 +00:00			`$uuid = new Cuid2(32);`
Fix styling 2024-06-10 20:43:34 +00:00			`$link = url('/').config('constants.invitation.link.base_url').$uuid;`
fix: invitation 2023-09-15 09:19:36 +00:00			`$user = User::whereEmail($this->email)->first();`
updates 2023-06-12 10:00:01 +00:00
fix: invitation 2023-09-15 09:19:36 +00:00			`if (is_null($user)) {`
			`$password = Str::password();`
			`$user = User::create([`
refactor: Update code to use str() instead of Str::of() for string manipulation 2024-06-25 08:37:10 +00:00			`'name' => str($this->email)->before('@'),`
fix: invitation 2023-09-15 09:19:36 +00:00			`'email' => $this->email,`
			`'password' => Hash::make($password),`
			`'force_password_reset' => true,`
			`]);`
			`$token = Crypt::encryptString("{$user->email}@@@$password");`
			`$link = route('auth.link', ['token' => $token]);`
			`}`
			`$invitation = TeamInvitation::whereEmail($this->email)->first();`
Fix styling 2024-06-10 20:43:34 +00:00			`if (! is_null($invitation)) {`
fix: invitation 2023-09-15 09:19:36 +00:00			`$invitationValid = $invitation->isValid();`
			`if ($invitationValid) {`
fix: boarding fix: error handling fix: restarting state 2023-09-15 13:34:25 +00:00			`return handleError(livewire: $this, customErrorMessage: "Pending invitation already exists for $this->email.");`
roles 2023-06-09 13:55:21 +00:00			`} else {`
			`$invitation->delete();`
			`}`
			`}`
updates 2023-06-12 10:00:01 +00:00
fix: invitation 2023-09-15 09:19:36 +00:00			`$invitation = TeamInvitation::firstOrCreate([`
wip: boarding 2023-08-22 15:44:49 +00:00			`'team_id' => currentTeam()->id,`
updates 2023-06-12 10:00:01 +00:00			`'uuid' => $uuid,`
roles 2023-06-09 13:55:21 +00:00			`'email' => $this->email,`
updates 2023-06-12 10:00:01 +00:00			`'role' => $this->role,`
roles 2023-06-09 13:55:21 +00:00			`'link' => $link,`
fix: invitation 2023-09-15 09:19:36 +00:00			`'via' => $sendEmail ? 'email' : 'link',`
roles 2023-06-09 13:55:21 +00:00			`]);`
fix: invitation 2023-09-15 09:19:36 +00:00			`if ($sendEmail) {`
Fix styling 2024-07-24 19:11:12 +00:00			`$mail = new MailMessage;`
fix: invitation 2023-09-15 09:19:36 +00:00			`$mail->view('emails.invitation-link', [`
			`'team' => currentTeam()->name,`
			`'invitation_link' => $link,`
			`]);`
Fix styling 2024-06-10 20:43:34 +00:00			`$mail->subject('You have been invited to '.currentTeam()->name.' on '.config('app.name').'.');`
fix: invitation 2023-09-15 09:19:36 +00:00			`send_user_an_email($mail, $this->email);`
Update success messages 2024-02-22 13:53:42 +00:00			`$this->dispatch('success', 'Invitation sent via email.');`
wip: migrate to livewire 3 2023-12-07 18:06:32 +00:00			`$this->dispatch('refreshInvitations');`
Fix styling 2024-06-10 20:43:34 +00:00
fix: invitation 2023-09-15 09:19:36 +00:00			`return;`
fix 2023-06-12 11:10:34 +00:00			`} else {`
wip: migrate to livewire 3 2023-12-07 18:06:32 +00:00			`$this->dispatch('success', 'Invitation link generated.');`
			`$this->dispatch('refreshInvitations');`
updates 2023-06-12 10:00:01 +00:00			`}`
roles 2023-06-09 13:55:21 +00:00			`} catch (\Throwable $e) {`
			`$error_message = $e->getMessage();`
			`if ($e->getCode() === '23505') {`
			`$error_message = 'Invitation already sent.';`
			`}`
Fix styling 2024-06-10 20:43:34 +00:00
fix: boarding fix: error handling fix: restarting state 2023-09-15 13:34:25 +00:00			`return handleError(error: $e, livewire: $this, customErrorMessage: $error_message);`
roles 2023-06-09 13:55:21 +00:00			`}`
			`}`
testing php storm code cleanup and styling 2023-08-08 09:51:36 +00:00			`}`