adalal/solidtime
1
0
Fork 0
mirror of https://github.com/solidtime-io/solidtime.git synced 2026-06-15 05:22:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: adalal:77a62afd699036eeea4827a561ad07ef1223a300
Branches Tags
adalal:main adalal:feature/user-management adalal:dependabot/github_actions/main/codecov/codecov-action-7.0.0 adalal:dependabot/github_actions/main/docker/setup-qemu-action-4 adalal:dependabot/npm_and_yarn/main/major-updates-87a9fdc274 adalal:dependabot/composer/main/minor-updates-6d1cf0063b adalal:dependabot/npm_and_yarn/main/minor-updates-04904bbd88 adalal:feature/timesheets adalal:feature/openapi_invoice_clone adalal:feature/update_openapi_invoice_copy adalal:feature/public_projects adalal:dependabot/github_actions/main/docker/login-action-4 adalal:dependabot/github_actions/main/actions/download-artifact-8 adalal:dependabot/github_actions/main/docker/metadata-action-6 adalal:feature/docker_runtime_uid_remap adalal:fix/dropdown-alphabetical-sort adalal:dependabot/npm_and_yarn/npm_and_yarn-eeacf2bf74 adalal:feature/e2e_setup_data_api_fix adalal:feature/calendar_settings adalal:feature/upgrade_inertia adalal:claude/fix-issue-997-qdXZK adalal:feature/fix_rounding_up_on_boundaries adalal:feature/change_calendar_header_duration_basis_to_minutes adalal:feature/project_table_sorting_filtering adalal:feature/fix_acl_time_entries_private_projects adalal:feature/move_date_components_to_ui_package adalal:feature/employee_create_task_permission adalal:feature/update_packages adalal:hotfix/exporter_client_archived_at adalal:feature/add_support_for_hhmmss_input_format adalal:feature/add_set_end_time_to_timetracker adalal:pullrequests/GROSSWEBER/employee-assigned-clients adalal:feature/add_discard_option adalal:feature/add_restrict_overlap_option adalal:feature/reporting_tag_grouping adalal:feature/tag_grouping adalal:feature/sidebar_dropdowns adalal:feature/calendar_view adalal:feature/add_shared_report_e2e_tests adalal:feature/on-premise-build adalal:feature/fix_billable_filter_reporting adalal:feature/add_contribution_guidelines adalal:feature/add_strict_js_formatting adalal:feature/fix_font_embed adalal:feature/fix-modules-service-provider adalal:feature/fix_time_entry_row_inconsistency adalal:dependabot/composer/composer-3c676574cc adalal:dependabot/npm_and_yarn/npm_and_yarn-1db02b7bbb adalal:feature/rounding adalal:feature/expiring-api-tokens adalal:feature/dependencies_update adalal:feature/fix_last_seven_days_labels adalal:feature/consistency_fixes adalal:feature/delete_member_with_related adalal:feature/12_hour_format_timepicker_support adalal:feature/fix_system_theme_change adalal:feature/postgres_versions adalal:feature/github_actions_permissions adalal:feature/parallel_tests_in_github_action adalal:feature/consistency_checks adalal:feature/base_request adalal:feature/formatting_options_frontend adalal:hotfix/fix_query_invalidation_on_detailed_update adalal:feature/fix_shared_report_currency adalal:feature/add_reporting_e2e_tests adalal:feature/more_validation_for_clockify_importer adalal:feature/fix_import_issue_with_duplicate_project_names adalal:feature/number_and_date_formats adalal:feature/light_mode adalal:feature/chart-api adalal:feature/hide_billable_amounts_for_employees adalal:feature/fix_bug_in_merge_into adalal:feature/fix_timepicker_dropdown adalal:feature/fix_toggl_import_timezone adalal:feature/api_tokens adalal:feature/fix_docker_image adalal:feature/try_to_fix_build adalal:feature/improve_recently_tracked_dropdown adalal:feature/improve_focus_states adalal:feature/disable_registration adalal:feature/fix_tests adalal:feature/update_ui_package adalal:feature/roles_for_project_members adalal:feature/tanstack_tables
adalal:v0.14.0 adalal:v0.13.0 adalal:v0.12.2 adalal:v0.12.1 adalal:v0.12.0 adalal:v0.11.6 adalal:v0.11.5 adalal:v0.11.4 adalal:v0.11.3 adalal:v0.11.2 adalal:v0.11.1 adalal:v0.11.0 adalal:v0.10.0 adalal:v0.9.0 adalal:v0.8.0 adalal:v0.7.0 adalal:v0.6.0 adalal:v0.5.0 adalal:v0.4.0 adalal:v0.3.1 adalal:v0.3.0 adalal:v0.2.0 adalal:v0.1.0 adalal:v0.0.3 adalal:v0.0.2 adalal:0.0.2 adalal:v0.0.1 adalal:0.0.1
...
compare: adalal:f7663b1c8b7aa2191ef9650eaab92e88e3154cee
Branches Tags
adalal:feature/user-management adalal:dependabot/github_actions/main/codecov/codecov-action-7.0.0 adalal:dependabot/github_actions/main/docker/setup-qemu-action-4 adalal:main adalal:dependabot/npm_and_yarn/main/major-updates-87a9fdc274 adalal:dependabot/composer/main/minor-updates-6d1cf0063b adalal:dependabot/npm_and_yarn/main/minor-updates-04904bbd88 adalal:feature/timesheets adalal:feature/openapi_invoice_clone adalal:feature/update_openapi_invoice_copy adalal:feature/public_projects adalal:dependabot/github_actions/main/docker/login-action-4 adalal:dependabot/github_actions/main/actions/download-artifact-8 adalal:dependabot/github_actions/main/docker/metadata-action-6 adalal:feature/docker_runtime_uid_remap adalal:fix/dropdown-alphabetical-sort adalal:dependabot/npm_and_yarn/npm_and_yarn-eeacf2bf74 adalal:feature/e2e_setup_data_api_fix adalal:feature/calendar_settings adalal:feature/upgrade_inertia adalal:claude/fix-issue-997-qdXZK adalal:feature/fix_rounding_up_on_boundaries adalal:feature/change_calendar_header_duration_basis_to_minutes adalal:feature/project_table_sorting_filtering adalal:feature/fix_acl_time_entries_private_projects adalal:feature/move_date_components_to_ui_package adalal:feature/employee_create_task_permission adalal:feature/update_packages adalal:hotfix/exporter_client_archived_at adalal:feature/add_support_for_hhmmss_input_format adalal:feature/add_set_end_time_to_timetracker adalal:pullrequests/GROSSWEBER/employee-assigned-clients adalal:feature/add_discard_option adalal:feature/add_restrict_overlap_option adalal:feature/reporting_tag_grouping adalal:feature/tag_grouping adalal:feature/sidebar_dropdowns adalal:feature/calendar_view adalal:feature/add_shared_report_e2e_tests adalal:feature/on-premise-build adalal:feature/fix_billable_filter_reporting adalal:feature/add_contribution_guidelines adalal:feature/add_strict_js_formatting adalal:feature/fix_font_embed adalal:feature/fix-modules-service-provider adalal:feature/fix_time_entry_row_inconsistency adalal:dependabot/composer/composer-3c676574cc adalal:dependabot/npm_and_yarn/npm_and_yarn-1db02b7bbb adalal:feature/rounding adalal:feature/expiring-api-tokens adalal:feature/dependencies_update adalal:feature/fix_last_seven_days_labels adalal:feature/consistency_fixes adalal:feature/delete_member_with_related adalal:feature/12_hour_format_timepicker_support adalal:feature/fix_system_theme_change adalal:feature/postgres_versions adalal:feature/github_actions_permissions adalal:feature/parallel_tests_in_github_action adalal:feature/consistency_checks adalal:feature/base_request adalal:feature/formatting_options_frontend adalal:hotfix/fix_query_invalidation_on_detailed_update adalal:feature/fix_shared_report_currency adalal:feature/add_reporting_e2e_tests adalal:feature/more_validation_for_clockify_importer adalal:feature/fix_import_issue_with_duplicate_project_names adalal:feature/number_and_date_formats adalal:feature/light_mode adalal:feature/chart-api adalal:feature/hide_billable_amounts_for_employees adalal:feature/fix_bug_in_merge_into adalal:feature/fix_timepicker_dropdown adalal:feature/fix_toggl_import_timezone adalal:feature/api_tokens adalal:feature/fix_docker_image adalal:feature/try_to_fix_build adalal:feature/improve_recently_tracked_dropdown adalal:feature/improve_focus_states adalal:feature/disable_registration adalal:feature/fix_tests adalal:feature/update_ui_package adalal:feature/roles_for_project_members adalal:feature/tanstack_tables
adalal:v0.14.0 adalal:v0.13.0 adalal:v0.12.2 adalal:v0.12.1 adalal:v0.12.0 adalal:v0.11.6 adalal:v0.11.5 adalal:v0.11.4 adalal:v0.11.3 adalal:v0.11.2 adalal:v0.11.1 adalal:v0.11.0 adalal:v0.10.0 adalal:v0.9.0 adalal:v0.8.0 adalal:v0.7.0 adalal:v0.6.0 adalal:v0.5.0 adalal:v0.4.0 adalal:v0.3.1 adalal:v0.3.0 adalal:v0.2.0 adalal:v0.1.0 adalal:v0.0.3 adalal:v0.0.2 adalal:0.0.2 adalal:v0.0.1 adalal:0.0.1

2 Commits
77a62afd69 ... f7663b1c8b

Author SHA1 Message Date
Gregor Vostrak
f7663b1c8b Clarify out of scope items for vulnerability reports 
Added out of scope section for vulnerability reporting.
 2026-05-18 19:21:32 +02:00
Gregor Vostrak
793bd11dcf remove member, invitation, and owner email disclosure from Teams/Show inertia props 
The Teams/Show Inertia page serialized members, pending invitations, and the
owner email into props using only a belongsToTeam authorization gate, while
the corresponding API endpoints correctly enforced members:view and
invitations:view. The serialized data was unused by the live UI (the
TeamMemberManager partial that referenced it was orphaned), so dropping the
fields removes the disclosure surface without functional impact. The owner
card retains name and photo.
 2026-05-18 19:04:57 +02:00
7 changed files with 62 additions and 477 deletions
Expand all files Collapse all files

15
SECURITY.md
View File

@@ -3,3 +3,18 @@
## Reporting a Vulnerability
If you discover a security vulnerability regarding this project, please e-mail me to [security@solidtime.io](mailto:security@solidtime.io)!
## Out of scope
Reports we typically won't issue an advisory for:
* Theoretical findings without a working PoC
* Raw scanner output without manual validation
* Missing/weak security headers in isolation (CSP, X-Frame-Options, HSTS, etc.)
* SPF/DKIM/DMARC on non-mail-sending domains; missing DNSSEC/CAA; TLS cipher preferences
* Self-XSS; CSRF on non-state-changing endpoints (logout, theme)
* CSV / spreadsheet formula injection in exports — treated as a spreadsheet-application issue
* Org owners or admins acting destructively within their own organization
* Anything requiring direct DB, shell, or filesystem access on a self-hosted instance
* Missing OAuth Scope enforcement (this is not implemented yet, but AI scanners flag it which is why it is included in this list until we actually support it)

20
app/Providers/JetstreamServiceProvider.php
View File

@@ -304,28 +304,8 @@ class JetstreamServiceProvider extends ServiceProvider
'owner' => [
'id' => $owner->getKey(),
'name' => $owner->name,
'email' => $owner->email,
'profile_photo_url' => $owner->profile_photo_url,
],
'users' => $teamModel->users->map(function (User $user): array {
return [
'id' => $user->getKey(),
'name' => $user->name,
'email' => $user->email,
'profile_photo_url' => $user->profile_photo_url,
'membership' => [
'id' => $user->membership->id,
'role' => $user->membership->role,
],
];
}),
'team_invitations' => $teamModel->teamInvitations->map(function (OrganizationInvitation $invitation): array {
return [
'id' => $invitation->getKey(),
'email' => $invitation->email,
'role' => $invitation->role,
];
}),
],
'currencies' => array_map(function (Currency $currency): string {
return $currency->getName();

448
resources/js/Pages/Teams/Partials/TeamMemberManager.vue
View File

@@ -1,448 +0,0 @@
<script setup lang="ts">
import { computed, ref } from 'vue';
import { router, useForm, usePage } from '@inertiajs/vue3';
import ActionMessage from '@/Components/ActionMessage.vue';
import ActionSection from '@/Components/ActionSection.vue';
import ConfirmationModal from '@/Components/ConfirmationModal.vue';
import DangerButton from '@/packages/ui/src/Buttons/DangerButton.vue';
import DialogModal from '@/packages/ui/src/DialogModal.vue';
import FormSection from '@/Components/FormSection.vue';
import { Field, FieldLabel, FieldError } from '@/packages/ui/src/field';
import PrimaryButton from '@/packages/ui/src/Buttons/PrimaryButton.vue';
import SecondaryButton from '@/packages/ui/src/Buttons/SecondaryButton.vue';
import SectionBorder from '@/Components/SectionBorder.vue';
import TextInput from '@/packages/ui/src/Input/TextInput.vue';
import type { Organization, OrganizationInvitation, User } from '@/types/models';
import type { Membership, Permissions, Role } from '@/types/jetstream';
import { filterRoles } from '@/utils/roles';
type UserWithMembership = User & { membership: Membership };
const props = defineProps<{
team: Organization;
availableRoles: Role[];
userPermissions: Permissions;
}>();
const users = computed(() => {
return props.team.users as Array<UserWithMembership>;
});
const page = usePage<{
auth: {
user: User;
};
}>();
const addTeamMemberForm = useForm({
email: '',
role: null as string | null,
});
const updateRoleForm = useForm({
role: null as string | null,
});
const leaveTeamForm = useForm({});
const removeTeamMemberForm = useForm({});
const currentlyManagingRole = ref(false);
const managingRoleFor = ref<User | null>(null);
const confirmingLeavingTeam = ref(false);
const teamMemberBeingRemoved = ref<User | null>(null);
const addTeamMember = () => {
addTeamMemberForm.post(route('team-members.store', props.team.id), {
errorBag: 'addTeamMember',
preserveScroll: true,
onSuccess: () => addTeamMemberForm.reset(),
});
};
const cancelTeamInvitation = (invitation: OrganizationInvitation) => {
router.delete(route('team-invitations.destroy', invitation.id), {
preserveScroll: true,
});
};
const manageRole = (teamMember: User & { membership: Membership }) => {
managingRoleFor.value = teamMember;
updateRoleForm.role = teamMember.membership.role;
currentlyManagingRole.value = true;
};
const updateRole = () => {
updateRoleForm.put(
route('team-members.update', {
team: props.team.id,
user: managingRoleFor.value?.id,
}),
{
preserveScroll: true,
onSuccess: () => (currentlyManagingRole.value = false),
}
);
};
const confirmLeavingTeam = () => {
confirmingLeavingTeam.value = true;
};
const leaveTeam = () => {
leaveTeamForm.delete(route('team-members.destroy', [props.team.id, page.props.auth.user.id]));
};
const confirmTeamMemberRemoval = (teamMember: User) => {
teamMemberBeingRemoved.value = teamMember;
};
const removeTeamMember = () => {
removeTeamMemberForm.delete(
route('team-members.destroy', {
team: props.team.id,
user: teamMemberBeingRemoved.value?.id,
}),
{
errorBag: 'removeTeamMember',
preserveScroll: true,
preserveState: true,
onSuccess: () => (teamMemberBeingRemoved.value = null),
}
);
};
const displayableRole = (role: string) => {
return props.availableRoles.find((r) => r.key === role)?.name;
};
</script>
<template>
<div>
<div v-if="userPermissions.canAddTeamMembers">
<SectionBorder />
<!-- Add Organization Member -->
<FormSection @submitted="addTeamMember">
<template #title> Add Organization Member</template>
<template #description>
Add a new member to your organization, allowing them to collaborate with you.
</template>
<template #form>
<div class="col-span-6">
<div class="max-w-xl text-sm text-muted">
Please provide the email address of the person you would like to add to
this organization.
</div>
</div>
<!-- Member Email -->
<Field class="col-span-6 sm:col-span-4">
<FieldLabel for="email">Email</FieldLabel>
<TextInput
id="email"
v-model="addTeamMemberForm.email"
type="email"
class="block w-full" />
<FieldError v-if="addTeamMemberForm.errors.email">{{
addTeamMemberForm.errors.email
}}</FieldError>
</Field>
<!-- Role -->
<div v-if="availableRoles.length > 0" class="col-span-6 lg:col-span-4">
<FieldLabel for="roles">Role</FieldLabel>
<FieldError v-if="addTeamMemberForm.errors.role">{{
addTeamMemberForm.errors.role
}}</FieldError>
<div
class="relative z-0 mt-1 border border-card-border rounded-lg cursor-pointer">
<button
v-for="(role, i) in filterRoles(availableRoles)"
:key="role.key"
type="button"
class="relative px-4 py-3 inline-flex w-full rounded-lg focus:z-10 focus:outline-none focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500"
:class="{
'border-t border-card-border focus:border-none rounded-t-none':
i > 0,
'rounded-b-none': i != Object.keys(availableRoles).length - 1,
}"
@click="addTeamMemberForm.role = role.key">
<div
:class="{
'opacity-50':
addTeamMemberForm.role &&
addTeamMemberForm.role != role.key,
}">
<!-- Role Name -->
<div class="flex items-center">
<div
class="text-sm text-text-primary"
:class="{
'font-semibold': addTeamMemberForm.role == role.key,
}">
{{ role.name }}
</div>
<svg
v-if="addTeamMemberForm.role == role.key"
class="ms-2 h-5 w-5 text-green-400"
xmlns="http://www.w3.org/2000/svg"
fill="none"
viewBox="0 0 24 24"
stroke-width="1.5"
stroke="currentColor">
<path
stroke-linecap="round"
stroke-linejoin="round"
d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
</svg>
</div>
<!-- Role Description -->
<div class="mt-2 text-xs text-muted text-start">
{{ role.description }}
</div>
</div>
</button>
</div>
</div>
</template>
<template #actions>
<ActionMessage :on="addTeamMemberForm.recentlySuccessful" class="me-3">
Added.
</ActionMessage>
<PrimaryButton
:class="{ 'opacity-25': addTeamMemberForm.processing }"
:disabled="addTeamMemberForm.processing">
Add
</PrimaryButton>
</template>
</FormSection>
</div>
<div v-if="team.team_invitations.length > 0 && userPermissions.canAddTeamMembers">
<SectionBorder />
<!-- Organization Member Invitations -->
<ActionSection class="mt-10 sm:mt-0">
<template #title> Pending Organization Invitations</template>
<template #description>
These people have been invited to your organization and have been sent an
invitation email. They may join the organization by accepting the email
invitation.
</template>
<!-- Pending Organization Member Invitation List -->
<template #content>
<div class="space-y-6">
<div
v-for="invitation in team.team_invitations"
:key="invitation.id"
class="flex items-center justify-between">
<div class="text-muted">
{{ invitation.email }}
</div>
<div class="flex items-center">
<!-- Cancel Organization Invitation -->
<button
v-if="userPermissions.canRemoveTeamMembers"
class="cursor-pointer ms-6 text-sm text-red-500 focus:outline-none"
@click="cancelTeamInvitation(invitation)">
Cancel
</button>
</div>
</div>
</div>
</template>
</ActionSection>
</div>
<div v-if="users.length > 0">
<SectionBorder />
<!-- Manage Organization Members -->
<ActionSection class="mt-10 sm:mt-0">
<template #title> Organization Members</template>
<template #description>
All of the people that are part of this organization.
</template>
<!-- Organization Member List -->
<template #content>
<div class="space-y-6">
<div
v-for="user in users"
:key="user.id"
class="flex items-center justify-between">
<div class="flex items-center">
<img
class="w-8 h-8 rounded-full object-cover"
:src="user.profile_photo_url"
:alt="user.name" />
<div class="ms-4 text-text-primary">
{{ user.name }}
</div>
</div>
<div class="flex items-center">
<!-- Manage Organization Member Role -->
<button
v-if="
userPermissions.canUpdateTeamMembers &&
availableRoles.length
"
class="ms-2 text-sm text-gray-400 underline"
@click="manageRole(user)">
{{ displayableRole(user.membership.role) }}
</button>
<div
v-else-if="availableRoles.length"
class="ms-2 text-sm text-gray-400">
{{ displayableRole(user.membership.role) }}
</div>
<!-- Leave Organization -->
<button
v-if="page.props.auth.user.id === user.id"
class="cursor-pointer ms-6 text-sm text-red-500"
@click="confirmLeavingTeam">
Leave
</button>
<!-- Remove Organization Member -->
<button
v-else-if="userPermissions.canRemoveTeamMembers"
class="cursor-pointer ms-6 text-sm text-red-500"
@click="confirmTeamMemberRemoval(user)">
Remove
</button>
</div>
</div>
</div>
</template>
</ActionSection>
</div>
<!-- Role Management Modal -->
<DialogModal :show="currentlyManagingRole" @close="currentlyManagingRole = false">
<template #title> Manage Role</template>
<template #content>
<div v-if="managingRoleFor">
<div
class="relative z-0 mt-1 border border-card-border rounded-lg cursor-pointer">
<button
v-for="(role, i) in availableRoles"
:key="role.key"
type="button"
class="relative px-4 py-3 inline-flex w-full rounded-lg focus:z-10 focus:outline-none focus:border-indigo-500 focus:ring-2 focus:ring-indigo-500"
:class="{
'border-t border-card-border focus:border-none rounded-t-none':
i > 0,
'rounded-b-none': i !== Object.keys(availableRoles).length - 1,
}"
@click="updateRoleForm.role = role.key">
<div
:class="{
'opacity-50':
updateRoleForm.role && updateRoleForm.role !== role.key,
}">
<!-- Role Name -->
<div class="flex items-center">
<div
class="text-sm text-muted"
:class="{
'font-semibold': updateRoleForm.role === role.key,
}">
{{ role.name }}
</div>
<svg
v-if="updateRoleForm.role == role.key"
class="ms-2 h-5 w-5 text-green-400"
xmlns="http://www.w3.org/2000/svg"
fill="none"
viewBox="0 0 24 24"
stroke-width="1.5"
stroke="currentColor">
<path
stroke-linecap="round"
stroke-linejoin="round"
d="M9 12.75L11.25 15 15 9.75M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
</svg>
</div>
<!-- Role Description -->
<div class="mt-2 text-xs text-muted">
{{ role.description }}
</div>
</div>
</button>
</div>
</div>
</template>
<template #footer>
<SecondaryButton @click="currentlyManagingRole = false"> Cancel </SecondaryButton>
<PrimaryButton
class="ms-3"
:class="{ 'opacity-25': updateRoleForm.processing }"
:disabled="updateRoleForm.processing"
@click="updateRole">
Save
</PrimaryButton>
</template>
</DialogModal>
<!-- Leave Organization Confirmation Modal -->
<ConfirmationModal :show="confirmingLeavingTeam" @close="confirmingLeavingTeam = false">
<template #title> Leave Organization</template>
<template #content> Are you sure you would like to leave this organization? </template>
<template #footer>
<SecondaryButton @click="confirmingLeavingTeam = false"> Cancel </SecondaryButton>
<DangerButton
class="ms-3"
:class="{ 'opacity-25': leaveTeamForm.processing }"
:disabled="leaveTeamForm.processing"
@click="leaveTeam">
Leave
</DangerButton>
</template>
</ConfirmationModal>
<!-- Remove Organization Member Confirmation Modal -->
<ConfirmationModal :show="!!teamMemberBeingRemoved" @close="teamMemberBeingRemoved = null">
<template #title> Remove Organization Member</template>
<template #content>
Are you sure you would like to remove this person from the organization?
</template>
<template #footer>
<SecondaryButton @click="teamMemberBeingRemoved = null"> Cancel </SecondaryButton>
<DangerButton
class="ms-3"
:class="{ 'opacity-25': removeTeamMemberForm.processing }"
:disabled="removeTeamMemberForm.processing"
@click="removeTeamMember">
Remove
</DangerButton>
</template>
</ConfirmationModal>
</div>
</template>

3
resources/js/Pages/Teams/Partials/UpdateTeamNameForm.vue
View File

@@ -51,9 +51,6 @@ const updateTeamName = () => {
<div class="text-text-primary">
{{ team.owner.name }}
</div>
<div class="text-text-secondary text-sm">
{{ team.owner.email }}
</div>
</div>
</div>
</div>

4
resources/js/types/models.d.ts vendored
View File

@@ -22,9 +22,7 @@ export interface Organization {
currency: string;
created_at: string | null;
updated_at: string | null;
owner: User;
users: User[];
team_invitations: OrganizationInvitation[];
owner: Pick<User, 'id' | 'name' | 'profile_photo_url'>;
}
export interface OrganizationInvitation {
id: string;

4
resources/js/types/models.ts
View File

@@ -29,9 +29,7 @@ export interface Organization {
created_at: string | null;
updated_at: string | null;
// relations
owner: User;
users: User[];
team_invitations: OrganizationInvitation[];
owner: Pick<User, 'id' | 'name' | 'profile_photo_url'>;
}
export interface OrganizationInvitation {

45
tests/Unit/Endpoint/Web/TeamShowEndpointTest.php Normal file
View File

@@ -0,0 +1,45 @@
<?php
declare(strict_types=1);
namespace Tests\Unit\Endpoint\Web;
use App\Models\OrganizationInvitation;
use App\Providers\JetstreamServiceProvider;
use Inertia\Testing\AssertableInertia as Assert;
use Laravel\Jetstream\Jetstream;
use PHPUnit\Framework\Attributes\CoversClass;
#[CoversClass(JetstreamServiceProvider::class)]
class TeamShowEndpointTest extends EndpointTestAbstract
{
protected function setUp(): void
{
Jetstream::$inertiaManager = null;
parent::setUp();
}
public function test_team_show_does_not_expose_member_roster_invitations_or_owner_email(): void
{
// Arrange
$data = $this->createUserWithPermission([]);
OrganizationInvitation::factory()->forOrganization($data->organization)->create([
'email' => 'pending@example.com',
]);
$this->actingAs($data->user);
// Act
$response = $this->get('/teams/'.$data->organization->getKey());
// Assert
$response->assertOk();
$response->assertInertia(fn (Assert $page) => $page
->missing('team.users')
->missing('team.team_invitations')
->missing('team.owner.email')
->has('team.owner.id')
->has('team.owner.name')
->has('team.owner.profile_photo_url')
);
}
}