From 791a3bebeb391f8035442e69da0be70e77938c87 Mon Sep 17 00:00:00 2001
From: mertmit
Date: Mon, 11 Sep 2023 03:49:18 +0300
Subject: [PATCH] fix: validate invite role

Signed-off-by: mertmit
---
 .../project-users/project-users.service.ts | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/packages/nocodb/src/services/project-users/project-users.service.ts b/packages/nocodb/src/services/project-users/project-users.service.ts
index 43e5ee06c4..bad2b32a47 100644
--- a/packages/nocodb/src/services/project-users/project-users.service.ts
+++ b/packages/nocodb/src/services/project-users/project-users.service.ts
@@ -1,6 +1,7 @@
 import { Injectable } from '@nestjs/common';
 import {
 AppEvents,
+ extractRolesObj,
 OrgUserRoles,
 PluginCategory,
 ProjectRoles,
@@ -53,6 +54,26 @@ export class ProjectUsersService {
 param.projectUser,
 );
 
+ if (
+ getProjectRolePower({
+ project_roles: extractRolesObj(param.projectUser.roles),
+ }) > getProjectRolePower(param.req.user)
+ ) {
+ NcError.badRequest(`Insufficient privilege to invite with this role`);
+ }
+
+ if (
+ ![
+ ProjectRoles.CREATOR,
+ ProjectRoles.EDITOR,
+ ProjectRoles.COMMENTER,
+ ProjectRoles.VIEWER,
+ ProjectRoles.NO_ACCESS,
+ ].includes(param.projectUser.roles as ProjectRoles)
+ ) {
+ NcError.badRequest('Invalid role');
+ }
+
 const emails = (param.projectUser.email || '')
 .toLowerCase()
 .split(/\s*,\s*/)
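Review bot: In the second hunk the privilege comparison runs on `param.projectUser.roles` before the allow-list check, so `extractRolesObj` and `getProjectRolePower` receive a request value not yet confirmed to be a single known role; what they return for an unknown or comma-joined string is not visible here. Moving the `ProjectRoles` allow-list block above the `getProjectRolePower` comparison would make the power check operate only on validated input. The comparison uses `>`, so a caller can still grant a role equal to their own; if that is intended, a comment such as `// inviter may grant up to, but not above, their own project role` would record it. The enclosing method starts and ends outside the hunk, so this diff cannot confirm whether the role-update path in this service applies the same two checks, which is worth verifying.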