From b160445a18468372d068f790ef29351f5a10ad78 Mon Sep 17 00:00:00 2001
From: abhishek9686
Date: Fri, 9 Aug 2024 17:06:26 +0530
Subject: [PATCH] add validation checks for admin invite

---
 pro/controllers/users.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/pro/controllers/users.go b/pro/controllers/users.go
index 344bf45b..bac22bef 100644
--- a/pro/controllers/users.go
+++ b/pro/controllers/users.go
@@ -164,6 +164,21 @@ func inviteUsers(w http.ResponseWriter, r *http.Request) {
 logic.ReturnErrorResponse(w, r, logic.FormatError(err, "badrequest"))
 return
 }
+ callerUserName := r.Header.Get("user")
+ caller, err := logic.GetUser(callerUserName)
+ if err != nil {
+ logic.ReturnErrorResponse(w, r, logic.FormatError(err, "notfound"))
+ return
+ }
+ if inviteReq.PlatformRoleID == models.SuperAdminRole.String() {
+ logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("super admin cannot be invited"), "badrequest"))
+ return
+ }
+ if (inviteReq.PlatformRoleID == models.AdminRole.String() ||
+ inviteReq.PlatformRoleID == models.SuperAdminRole.String()) && caller.PlatformRoleID != models.SuperAdminRole {
+ logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("only superadmin can invite admin users"), "forbidden"))
+ return
+ }
 //validate Req
 err = proLogic.IsGroupsValid(inviteReq.UserGroups)
 if err != nil {
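Review bot: The new authorization decision rests entirely on `r.Header.Get("user")`, and nothing in the hunk shows that this header is populated by the authentication layer from a verified token rather than accepted from the client; if it is client-controlled, the "only superadmin can invite admin users" check is satisfied by naming any superadmin account in the header. That contract should be confirmed against the middleware and recorded where the header is read, e.g. `// "user" is set by the auth middleware from the verified identity; the client-supplied value must be overwritten before reaching this handler`. Separately, the second condition's `inviteReq.PlatformRoleID == models.SuperAdminRole.String()` disjunct is unreachable, because the preceding check already rejects superadmin invites with a badrequest, so the condition reduces to `if inviteReq.PlatformRoleID == models.AdminRole.String() && caller.PlatformRoleID != models.SuperAdminRole {`. A failed `logic.GetUser` lookup for the caller is answered with "notfound", which reports an unresolved caller identity as a missing resource rather than an authorization failure; mapping it to "forbidden" (or whatever the file's other handlers use for an unresolved caller) would be more consistent. inviteUsers begins and ends outside the hunk.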