From 97dd3ec9cb6cfde697fa3599b7ab78613c2f0ca2 Mon Sep 17 00:00:00 2001
From: Alex Holliday
Date: Wed, 4 Feb 2026 17:57:00 +0000
Subject: [PATCH] add permissin check to sendInviteEmail
---
 server/src/controllers/inviteController.ts | 6 +++++-
 server/src/service/business/inviteService.ts | 16 +++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/server/src/controllers/inviteController.ts b/server/src/controllers/inviteController.ts
index 990b81651..e6d5d7ccb 100755
--- a/server/src/controllers/inviteController.ts
+++ b/server/src/controllers/inviteController.ts
@@ -35,13 +35,17 @@ class InviteController {
 sendInviteEmail = async (req: Request, res: Response, next: NextFunction) => {
 try {
+ const teamId = requireTeamId(req?.user?.teamId);
+ const userRoles = requireUserRoles(req?.user?.role);
+
 const inviteRequest = req.body;
- inviteRequest.teamId = req?.user?.teamId;
+ inviteRequest.teamId = teamId;
 await inviteBodyValidation.validateAsync(inviteRequest);
 const inviteToken = await this.inviteService.sendInviteEmail({
 invite: inviteRequest,
 firstName: req?.user?.firstName,
+ userRoles,
 });
 return res.status(200).json({
 success: true,
diff --git a/server/src/service/business/inviteService.ts b/server/src/service/business/inviteService.ts
index ba6039b34..e4069d485 100644
--- a/server/src/service/business/inviteService.ts
+++ b/server/src/service/business/inviteService.ts
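Review bot: The value returned by `inviteBodyValidation.validateAsync(inviteRequest)` is discarded, and the raw `req.body` object (with `teamId` stamped onto it) is what reaches `inviteService.sendInviteEmail` and, from there, the repository; any key stripping or type coercion the schema performs is lost, so the service-side role check runs against the unvalidated shape. Using the validated value keeps the two in step: `const validatedInvite = await inviteBodyValidation.validateAsync(inviteRequest);` and `invite: validatedInvite,`. `requireTeamId` and `requireUserRoles` are defined outside this hunk; I am assuming they throw on a missing value rather than returning `undefined`, since the service calls `userRoles.some(...)` without a guard. The enclosing `sendInviteEmail` handler's catch block lies outside the hunk.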
@@ -51,7 +51,21 @@ class InviteService {
 return inviteToken;
 };
- sendInviteEmail = async ({ invite, firstName }: { invite: Partial; firstName: any }) => {
+ sendInviteEmail = async ({ invite, firstName, userRoles }: { invite: Partial; firstName: any; userRoles: UserRole[] }) => {
+ const inviteRoles = invite.role ?? [];
+
+ for (const targetRole of inviteRoles) {
+ const canManage = userRoles.some((actorRole) => canManageRole(actorRole, targetRole));
+ if (!canManage) {
+ throw new AppError({
+ message: "You do not have permission to create this invite",
+ service: SERVICE_NAME,
+ method: "getInviteToken",
+ status: 403,
+ });
+ }
+ }
+
 const inviteToken = await this.invitesRepository.create(invite);
 const { clientHost } = this.settingsService.getSettings();
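Review bot: The `AppError` thrown inside the new loop names `method: "getInviteToken"`, but the throwing method is `sendInviteEmail`, so logs and error reports keyed on that field will point at the wrong code path; it should read `method: "sendInviteEmail",`. The check is also vacuous when `invite.role` is absent or empty, because `const inviteRoles = invite.role ?? [];` means the `for` body never runs and the call proceeds to `invitesRepository.create(invite)` with no authorisation decision at all; unless the Joi schema in the controller already requires a non-empty `role` array (not visible here), a guard such as `if (inviteRoles.length === 0) throw new AppError({ message: "An invite must specify at least one role", service: SERVICE_NAME, method: "sendInviteEmail", status: 400 });` closes that gap. The semantics of `canManageRole(actorRole, targetRole)` are not visible in this hunk, so this note assumes it returns true only when the actor role may assign the target role. The body of `sendInviteEmail` continues past the end of the hunk.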