daan/ledgerrz
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

added invitations
Some checks failed
linter / quality (push) Failing after 1m8s
Details
tests / ci (8.3) (push) Failing after 48s
Details
tests / ci (8.4) (push) Failing after 1m6s
Details
tests / ci (8.5) (push) Failing after 1m4s
Details

Browse Source
This commit is contained in:
Daan Meijer 2026-06-16 16:29:17 +02:00
parent 5404b1a535
commit 06cd53fe91
12 changed files with 509 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
app/Http/Controllers/DynamicController.php
View File

@ -46,11 +46,11 @@ class DynamicController extends Controller
/**
* Display the specified resource.
*/
public function show(Dynamic $dynamic, ActivityService $activityService)
public function show(Request $request, Dynamic $dynamic, ActivityService $activityService)
{
$this->authorize('view', $dynamic);
$activityService->updateCursor(auth()->user(), $dynamic);
$activityService->updateCursor($request->user(), $dynamic);
$dynamic->load([
'ledgers.media',
@ -59,8 +59,14 @@ class DynamicController extends Controller
'chat.messages.media'
]);
$isOwner = $dynamic->participants()
->where('user_id', $request->user()->id)
->where('role', 'owner')
->exists();
return Inertia::render('Dynamics/Show', [
'dynamic' => $dynamic,
'isOwner' => $isOwner,
]);
}

112
app/Http/Controllers/DynamicInvitationController.php Normal file
View File

@ -0,0 +1,112 @@
<?php
namespace App\Http\Controllers;
use App\Mail\DynamicInvitationMail;
use App\Models\Dynamic;
use App\Models\DynamicInvitation;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Str;
class DynamicInvitationController extends Controller
{
/**
* Store a newly created invitation in storage.
*/
public function store(Request $request, Dynamic $dynamic)
{
// 1. Authorize - only owners can send invitations!
$isOwner = $dynamic->participants()
->where('user_id', $request->user()->id)
->where('role', 'owner')
->exists();
if (!$isOwner) {
abort(403, 'Only dynamic owners can invite other users.');
}
// 2. Validate
$request->validate([
'email' => ['required', 'email'],
'role' => ['required', 'string', 'in:owner,participant,editor,viewer'],
]);
$email = $request->input('email');
$role = $request->input('role');
// Check if user is already a participant of this dynamic
$isParticipant = $dynamic->participants()->where('email', $email)->exists();
if ($isParticipant) {
return redirect()->back()->withErrors([
'email' => 'This user is already a participant of this dynamic.',
]);
}
// Check if there is an active pending invitation for this user
$hasPendingInvite = $dynamic->invitations()
->where('email', $email)
->where('expires_at', '>', now())
->exists();
if ($hasPendingInvite) {
return redirect()->back()->withErrors([
'email' => 'An active invitation is already pending for this email address.',
]);
}
// 3. Create Invitation
$invitation = $dynamic->invitations()->create([
'email' => $email,
'role' => $role,
'token' => Str::random(40),
'expires_at' => now()->addDays(7),
]);
// 4. Send Email
Mail::to($email)->send(new DynamicInvitationMail($invitation, $request->user()->name));
return redirect()->back()->with('success', 'Invitation successfully sent!');
}
/**
* Accept the specified invitation.
*/
public function accept(Request $request, string $token)
{
// Must be signed!
if (!$request->hasValidSignature()) {
abort(401, 'Invalid or expired signature.');
}
$invitation = DynamicInvitation::where('token', $token)->firstOrFail();
if ($invitation->isExpired()) {
abort(403, 'This invitation has expired.');
}
// Ensure the logged in user's email matches the invitation's email!
// "Only the user with the specified email address should be able to access the link."
if ($request->user()->email !== $invitation->email) {
abort(403, 'This invitation was sent to a different email address.');
}
DB::transaction(function () use ($request, $invitation) {
// Attach user to dynamic as a participant with the specified role
$dynamic = $invitation->dynamic;
$dynamic->participants()->attach($request->user()->id, ['role' => $invitation->role]);
// Log to Dynamic chat activity log!
$dynamic->chat->messages()->create([
'user_id' => $request->user()->id,
'content' => "System: {$request->user()->name} joined the Dynamic as a " . strtoupper($invitation->role) . " after accepting an invitation.",
]);
// Delete the invitation record
$invitation->delete();
});
return redirect()->route('dynamics.show', $invitation->dynamic_id)->with('success', 'Successfully joined the dynamic!');
}
}

42
app/Mail/DynamicInvitationMail.php Normal file
View File

@ -0,0 +1,42 @@
<?php
namespace App\Mail;
use App\Models\DynamicInvitation;
use Illuminate\Bus\Queueable;
use Illuminate\Mail\Mailable;
use Illuminate\Mail\Mailables\Content;
use Illuminate\Mail\Mailables\Envelope;
use Illuminate\Queue\SerializesModels;
use Illuminate\Support\Facades\URL;
class DynamicInvitationMail extends Mailable {
use Queueable, SerializesModels;
public function __construct(public DynamicInvitation $invitation, public string $inviterName) {
//
}
public function envelope(): Envelope {
return new Envelope(
subject: 'Invitation to Join Dynamic: ' . $this->invitation->dynamic->name,
);
}
public function content(): Content {
$acceptUrl = URL::temporarySignedRoute(
'dynamics.invitations.accept',
$this->invitation->expires_at,
['token' => $this->invitation->token]
);
return new Content(
markdown: 'emails.dynamics.invitation',
with: [
'acceptUrl' => $acceptUrl,
'dynamicName' => $this->invitation->dynamic->name,
'role' => $this->invitation->role,
],
);
}
}

5
app/Models/Dynamic.php
View File

@ -29,6 +29,11 @@ class Dynamic extends Model
return $this->hasMany(Ledger::class);
}
public function invitations(): HasMany
{
return $this->hasMany(DynamicInvitation::class);
}
public function chat(): MorphOne
{
return $this->morphOne(Chat::class, 'chatable');

31
app/Models/DynamicInvitation.php Normal file
View File

@ -0,0 +1,31 @@
<?php
namespace App\Models;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
class DynamicInvitation extends Model {
use HasFactory;
protected $fillable = [
'dynamic_id',
'email',
'role',
'token',
'expires_at',
];
protected $casts = [
'expires_at' => 'datetime',
];
public function dynamic(): BelongsTo {
return $this->belongsTo(Dynamic::class);
}
public function isExpired(): bool {
return $this->expires_at->isPast();
}
}

23
database/migrations/2026_06_15_223640_create_dynamic_invitations_table.php Normal file
View File

@ -0,0 +1,23 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration {
public function up(): void {
Schema::create('dynamic_invitations', function (Blueprint $table) {
$table->id();
$table->foreignId('dynamic_id')->constrained()->cascadeOnDelete();
$table->string('email');
$table->string('role');
$table->string('token')->unique();
$table->timestamp('expires_at');
$table->timestamps();
});
}
public function down(): void {
Schema::dropIfExists('dynamic_invitations');
}
};

1
resources/css/components.css
View File

@ -14,3 +14,4 @@
@import './components/auth-layout.css';
@import './components/chat.css';
@import './components/lightbox.css';
@import './components/invite-form.css';

67
resources/css/components/invite-form.css Normal file
View File

@ -0,0 +1,67 @@
/* 13. InviteForm Component */
.c-invite-form {
@apply mt-8;
.c-invite-form__card {
@apply overflow-hidden;
background-color: var(--card);
border: 1px solid var(--border);
border-radius: var(--radius);
.c-invite-form__body {
@apply p-6;
color: var(--foreground);
.c-invite-form__title {
@apply text-lg font-medium;
}
.c-invite-form__form {
@apply mt-6 space-y-6;
.c-invite-form__field {
@apply block;
.c-invite-form__label {
@apply block text-sm font-medium;
color: var(--foreground);
}
.c-invite-form__input {
@apply mt-1 block w-full rounded-md border shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:focus:border-indigo-600 dark:focus:ring-indigo-600;
border-color: var(--border);
background-color: var(--background);
color: var(--foreground);
}
.c-invite-form__select {
@apply mt-1 block w-full rounded-md border p-2 text-sm shadow-sm focus:border-indigo-500 focus:ring-indigo-500 dark:focus:border-indigo-600 dark:focus:ring-indigo-600;
border-color: var(--border);
background-color: var(--background);
color: var(--foreground);
}
.c-invite-form__error {
@apply text-sm;
color: var(--destructive);
}
}
.c-invite-form__actions {
@apply flex items-center gap-4;
.c-invite-form__submit-btn {
@apply inline-flex items-center border border-transparent px-4 py-2 text-xs font-semibold tracking-widest uppercase transition duration-150 ease-in-out focus:ring-2 focus:outline-none;
border-radius: var(--radius);
background-color: var(--primary);
color: var(--primary-foreground);
&:hover {
opacity: 0.9;
}
}
}
}
}
}
}

98
resources/js/pages/Dynamics/Show.vue
View File

@ -1,10 +1,10 @@
<script setup lang="ts">
import { Head } from '@inertiajs/vue3';
import { route } from 'ziggy-js';
import Chat from '@/components/Chat.vue';
import CreateLedgerForm from '@/components/CreateLedgerForm.vue';
import LedgerList from '@/components/LedgerList.vue';
import ParticipantsList from '@/components/ParticipantsList.vue';
import LedgerList from '@/components/LedgerList.vue';
import CreateLedgerForm from '@/components/CreateLedgerForm.vue';
import { Head, useForm } from '@inertiajs/vue3';
import { route } from 'ziggy-js';
const props = defineProps<{
dynamic: {
@ -21,6 +21,7 @@ const props = defineProps<{
media?: Array<{ id: number; url: string; mime_type: string }>;
}>;
};
isOwner: boolean;
}>();
const breadcrumbs = [
@ -33,6 +34,17 @@ const breadcrumbs = [
href: route('dynamics.show', props.dynamic.id),
},
];
const inviteForm = useForm({
email: '',
role: 'participant',
});
function submitInvite() {
inviteForm.post(route('dynamics.invitations.store', props.dynamic.id), {
onSuccess: () => inviteForm.reset(),
});
}
</script>
<template>
@ -60,6 +72,81 @@ const breadcrumbs = [
<!-- Create Ledger Form Component -->
<CreateLedgerForm :dynamic-id="dynamic.id" />
<!-- Invite Participant Form (Owners only) -->
<div v-if="isOwner" class="c-invite-form">
<div class="c-invite-form__card">
<div class="c-invite-form__body">
<h3 class="c-invite-form__title">
Invite User to Dynamic
</h3>
<form
@submit.prevent="submitInvite"
class="c-invite-form__form"
>
<div class="c-invite-form__field">
<label
for="invite_email"
class="c-invite-form__label"
>Email Address</label
>
<input
v-model="inviteForm.email"
id="invite_email"
type="email"
required
class="c-invite-form__input"
/>
<div
v-if="inviteForm.errors.email"
class="c-invite-form__error"
>
{{ inviteForm.errors.email }}
</div>
</div>
<div class="c-invite-form__field">
<label
for="invite_role"
class="c-invite-form__label"
>Role</label
>
<select
v-model="inviteForm.role"
id="invite_role"
class="c-invite-form__select"
>
<option value="owner">
Owner (Full Access & Approvals)
</option>
<option value="participant">
Participant (Add Suggestions)
</option>
<option value="editor">Editor</option>
<option value="viewer">Viewer</option>
</select>
<div
v-if="inviteForm.errors.role"
class="c-invite-form__error"
>
{{ inviteForm.errors.role }}
</div>
</div>
<div class="c-invite-form__actions">
<button
type="submit"
:disabled="inviteForm.processing"
class="c-invite-form__submit-btn"
>
Send Invitation
</button>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</template>
@ -92,6 +179,7 @@ const breadcrumbs = [
}
.c-dynamic-show__rules {
@apply mt-2 text-sm text-gray-600 dark:text-gray-400;
@apply mt-2 text-sm;
color: var(--muted-foreground);
}
</style>

18
resources/views/emails/dynamics/invitation.blade.php Normal file
View File

@ -0,0 +1,18 @@
<x-mail::message>
# You have been invited!
Hello,
**{{ $inviterName }}** has invited you to join their Dynamic: **{{ $dynamicName }}** as a **{{ strtoupper($role) }}**.
Only the user registered with this email address can accept this invitation. The invitation link will be valid for 7 days.
<x-mail::button :url="$acceptUrl">
Accept Invitation
</x-mail::button>
If you do not have an account yet, please register using this email address first, then click the button above.
Thanks,<br>
{{ config('app.name') }}
</x-mail::message>

6
routes/web.php
View File

@ -16,8 +16,14 @@ Route::middleware(['auth', 'verified'])->group(function () {
Route::resource('dynamics.ledgers', LedgerController::class)->scoped();
Route::resource('dynamics.ledgers.mutations', MutationController::class)->scoped();
Route::post('/dynamics/{dynamic}/invitations', [\App\Http\Controllers\DynamicInvitationController::class, 'store'])->name('dynamics.invitations.store');
Route::post('/chats/{chat}/messages', [MessageController::class, 'store'])->name('chats.messages.store');
});
Route::get('/invitations/accept/{token}', [\App\Http\Controllers\DynamicInvitationController::class, 'accept'])
->middleware(['auth', 'signed'])
->name('dynamics.invitations.accept');
\Illuminate\Support\Facades\Broadcast::routes();
require __DIR__.'/settings.php';

103
tests/Feature/InvitationTest.php Normal file
View File

@ -0,0 +1,103 @@
<?php
use App\Models\User;
use App\Models\Dynamic;
use App\Models\DynamicInvitation;
use App\Mail\DynamicInvitationMail;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Facades\URL;
test('only owners can invite other users to a dynamic', function () {
Mail::fake();
$owner = User::factory()->create();
$participant = User::factory()->create();
$dynamic = Dynamic::factory()->create();
$dynamic->participants()->attach($owner->id, ['role' => 'owner']);
$dynamic->participants()->attach($participant->id, ['role' => 'participant']);
// 1. Participant tries to send an invite (forbidden)
$response = $this->actingAs($participant)
->post(route('dynamics.invitations.store', $dynamic), [
'email' => 'invitee@example.com',
'role' => 'participant',
]);
$response->assertStatus(403);
Mail::assertNothingSent();
// 2. Owner sends a valid invite (allowed)
$response = $this->actingAs($owner)
->post(route('dynamics.invitations.store', $dynamic), [
'email' => 'invitee@example.com',
'role' => 'participant',
]);
$response->assertRedirect();
$response->assertSessionHasNoErrors();
// Verify invitation is stored
$invitation = DynamicInvitation::firstWhere('email', 'invitee@example.com');
expect($invitation)->not->toBeNull();
expect($invitation->role)->toBe('participant');
expect($invitation->dynamic_id)->toBe($dynamic->id);
// Verify email was dispatched
Mail::assertSent(DynamicInvitationMail::class, function ($mail) use ($invitation) {
return $mail->hasTo($invitation->email);
});
});
test('only the user with the specified email address can accept the link', function () {
$owner = User::factory()->create();
$invitee = User::factory()->create(['email' => 'matching@example.com']);
$hijacker = User::factory()->create(['email' => 'hijacker@example.com']);
$dynamic = Dynamic::factory()->create();
$dynamic->participants()->attach($owner->id, ['role' => 'owner']);
// Create a pending invitation
$invitation = $dynamic->invitations()->create([
'email' => 'matching@example.com',
'role' => 'editor',
'token' => 'secure_test_token_123',
'expires_at' => now()->addDays(7),
]);
// Generate a secure, valid signed URL
$signedUrl = URL::temporarySignedRoute(
'dynamics.invitations.accept',
$invitation->expires_at,
['token' => $invitation->token]
);
// 1. Unauthenticated user tries to accept (redirected to login)
$response = $this->get($signedUrl);
$response->assertRedirect('/login');
// 2. Different user (hijacker) tries to accept (forbidden / 403)
$response = $this->actingAs($hijacker)->get($signedUrl);
$response->assertStatus(403);
expect($dynamic->participants()->where('user_id', $hijacker->id)->exists())->toBeFalse();
// 3. Intended user accepts the signed invitation link (success)
$response = $this->actingAs($invitee)->get($signedUrl);
$response->assertRedirect(route('dynamics.show', $dynamic));
// Verify invitee is joined as a participant with the specified role
$isJoined = $dynamic->participants()
->where('user_id', $invitee->id)
->wherePivot('role', 'editor')
->exists();
expect($isJoined)->toBeTrue();
// Verify invitation is deleted from the database
expect(DynamicInvitation::where('token', 'secure_test_token_123')->exists())->toBeFalse();
// Verify system notification is added to Dynamic activity chat
$chatMessages = $dynamic->chat->messages;
expect($chatMessages)->not->toBeEmpty();
expect($chatMessages->last()->content)->toBe("System: {$invitee->name} joined the Dynamic as a EDITOR after accepting an invitation.");
});