diff --git a/app/Http/Controllers/Controller.php b/app/Http/Controllers/Controller.php
index 718ba5ed4..9f1e4eeb8 100644
--- a/app/Http/Controllers/Controller.php
+++ b/app/Http/Controllers/Controller.php
@@ -110,13 +110,19 @@ class Controller extends BaseController
         return redirect()->route('login')->with('error', 'Invalid credentials.');
     }
-    public function accept_invitation()
+    public function acceptInvitation()
     {
         $resetPassword = request()->query('reset-password');
         $invitationUuid = request()->route('uuid');
+
         $invitation = TeamInvitation::whereUuid($invitationUuid)->firstOrFail();
         $user = User::whereEmail($invitation->email)->firstOrFail();
+
+        if (Auth::id() !== $user->id) {
+            abort(400, 'You are not allowed to accept this invitation.');
+        }
         $invitationValid = $invitation->isValid();
+
         if ($invitationValid) {
             if ($resetPassword) {
                 $user->update([
@@ -131,14 +137,12 @@ class Controller extends BaseController
             }
             $user->teams()->attach($invitation->team->id, ['role' => $invitation->role]);
             $invitation->delete();
-            if (Auth::id() !== $user->id) {
-                return redirect()->route('login');
-            }
+            refreshSession($invitation->team);
             return redirect()->route('team.index');
         } else {
-            abort(401);
+            abort(400, 'Invitation expired.');
         }
     }
diff --git a/app/Models/TeamInvitation.php b/app/Models/TeamInvitation.php
index 0f298a829..bc1a90d58 100644
--- a/app/Models/TeamInvitation.php
+++ b/app/Models/TeamInvitation.php
@@ -28,8 +28,8 @@ class TeamInvitation extends Model
     public function isValid()
     {
         $createdAt = $this->created_at;
-        $diff = $createdAt->diffInMinutes(now());
-        if ($diff <= config('constants.invitation.link.expiration')) {
+        $diff = $createdAt->diffInDays(now());
+        if ($diff <= config('constants.invitation.link.expiration_days')) {
             return true;
         } else {
             $this->delete();
diff --git a/config/constants.php b/config/constants.php
index e979b2087..418326541 100644
--- a/config/constants.php
+++ b/config/constants.php
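Review bot: The new ownership check `if (Auth::id() !== $user->id)` aborts with 400, but a signed-in user trying to accept an invitation addressed to someone else is an authorization failure, so 403 is the status a client, log filter or WAF rule would expect: `abort(403, 'You are not allowed to accept this invitation.');`. Because the route sits behind the `auth` middleware (routes/web.php hunk), Auth::id() is non-null here and the strict comparison is sound. Note that an existing-but-foreign UUID now answers 400 while a non-existent one answers 404 from firstOrFail(), so an authenticated user can tell live invitation UUIDs from dead ones; answering 404 in both cases would remove that signal, though with random UUIDs the exposure is small. acceptInvitation continues past the end of this hunk.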
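Review bot: `refreshSession($invitation->team);` runs after `$invitation->delete();`, so the team relation is resolved on a model that has already been deleted; it works while the attributes stay in memory, but it is fragile and easy to break on a later refactor. Capture the relation first, `$team = $invitation->team;` before `$invitation->delete();`, and then call `refreshSession($team);` (the attach call on the context line could use `$team->id` as well). The expired branch's `abort(400, 'Invitation expired.')` is reasonable, though 410 would describe a link that has been consumed by isValid()'s delete more precisely. acceptInvitation begins before this hunk.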
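Review bot: `if ($diff <= config('constants.invitation.link.expiration_days'))` combined with `'expiration_days' => 0` in the config/constants.php hunk makes the validity window depend on the return type of diffInDays(): with an integer (whole-day) result an invitation stays valid for anything under 24 hours, but if the installed Carbon returns a fractional float the comparison is false for any invitation older than the current instant, and every link is rejected and deleted on first use. Expressing the deadline as a point in time removes the ambiguity, e.g. `$expiresAt = $createdAt->addDays((int) config('constants.invitation.link.expiration_days'));` with `if (now()->lessThanOrEqualTo($expiresAt)) {`, which then needs the config value to be 1 for a one-day window rather than 0. A short comment next to the constant stating the intended lifetime would also help, since a bare 0 reads as "never valid". isValid continues past the end of this hunk.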
@@ -19,7 +19,7 @@ return [
     'invitation' => [
         'link' => [
             'base_url' => '/invitations/',
-            'expiration' => 10,
+            'expiration_days' => 0,
         ],
     ],
     'services' => [
diff --git a/resources/views/errors/400.blade.php b/resources/views/errors/400.blade.php
new file mode 100644
index 000000000..72bf84722
--- /dev/null
+++ b/resources/views/errors/400.blade.php
@@ -0,0 +1,23 @@
+@extends('layouts.base')
+
+
+

400

+

Bad Request

+ @if ($exception->getMessage()) +

{{ $exception->getMessage() }}

+ @else +

The request could not be understood by the server due to + malformed syntax. +

+ @endif + +
+
diff --git a/routes/web.php b/routes/web.php
index eaf849ce6..afe392052 100644
--- a/routes/web.php
+++ b/routes/web.php
@@ -164,7 +164,7 @@ Route::middleware(['auth', 'verified'])->group(function () {
     })->name('terminal.auth');
     Route::prefix('invitations')->group(function () {
-        Route::get('/{uuid}', [Controller::class, 'accept_invitation'])->name('team.invitation.accept');
+        Route::get('/{uuid}', [Controller::class, 'acceptInvitation'])->name('team.invitation.accept');
         Route::get('/{uuid}/revoke', [Controller::class, 'revoke_invitation'])->name('team.invitation.revoke');
     });