fix update role permission

gondzo · gondzo · commit 01fabdea323d · 2019-01-03T13:38:02.000+01:00
diff --git a/src/routes/projectMemberInvites/update.js b/src/routes/projectMemberInvites/update.js
@@ -66,7 +66,8 @@ module.exports = [
         if (!util.hasRoles(req, MANAGER_ROLES) && invite.role !== PROJECT_MEMBER_ROLE.CUSTOMER) {
           error = `Project members can cancel invites only for ${PROJECT_MEMBER_ROLE.CUSTOMER}`;
         }
-      } else if (!!putInvite.userId && putInvite.userId !== req.authUser.userId) {
+      } else if ((!!putInvite.userId && putInvite.userId !== req.authUser.userId) ||
+                 (!!putInvite.email && putInvite.email !== req.authUser.email)) {
         error = 'Project members can only update invites for themselves';
       }
 

Original file line number	Diff line number	Diff line change
`@@ -66,7 +66,8 @@ module.exports = [`
`66`	`66`	`if (!util.hasRoles(req, MANAGER_ROLES) && invite.role !== PROJECT_MEMBER_ROLE.CUSTOMER) {`
`67`	`67`	error = `Project members can cancel invites only for ${PROJECT_MEMBER_ROLE.CUSTOMER}`;
`68`	`68`	`}`
`69`		`- } else if (!!putInvite.userId && putInvite.userId !== req.authUser.userId) {`
	`69`	`+ } else if ((!!putInvite.userId && putInvite.userId !== req.authUser.userId) \|\|`
	`70`	`+ (!!putInvite.email && putInvite.email !== req.authUser.email)) {`
`70`	`71`	`error = 'Project members can only update invites for themselves';`
`71`	`72`	`}`
`72`	`73`