add permissin check to sendInviteEmail

server/src/controllers/inviteController.ts

@@ -35,13 +35,17 @@ class InviteController {
 
 	sendInviteEmail = async (req: Request, res: Response, next: NextFunction) => {
 		try {
+			const teamId = requireTeamId(req?.user?.teamId);
+			const userRoles = requireUserRoles(req?.user?.role);
+
 			const inviteRequest = req.body;
-			inviteRequest.teamId = req?.user?.teamId;
+			inviteRequest.teamId = teamId;
 			await inviteBodyValidation.validateAsync(inviteRequest);
 
 			const inviteToken = await this.inviteService.sendInviteEmail({
 				invite: inviteRequest,
 				firstName: req?.user?.firstName,
+				userRoles,
 			});
 			return res.status(200).json({
 				success: true,

server/src/service/business/inviteService.ts

@@ -51,7 +51,21 @@ class InviteService {
 		return inviteToken;
 	};
 
-	sendInviteEmail = async ({ invite, firstName }: { invite: Partial<Invite>; firstName: any }) => {
+	sendInviteEmail = async ({ invite, firstName, userRoles }: { invite: Partial<Invite>; firstName: any; userRoles: UserRole[] }) => {
+		const inviteRoles = invite.role ?? [];
+
+		for (const targetRole of inviteRoles) {
+			const canManage = userRoles.some((actorRole) => canManageRole(actorRole, targetRole));
+			if (!canManage) {
+				throw new AppError({
+					message: "You do not have permission to create this invite",
+					service: SERVICE_NAME,
+					method: "getInviteToken",
+					status: 403,
+				});
+			}
+		}
+
 		const inviteToken = await this.invitesRepository.create(invite);
 		const { clientHost } = this.settingsService.getSettings();