fix: disable invitations when password login is disabled (#6781)

2026-02-11 02:13:12 -05:00 · 2026-01-30 21:05:40 +01:00
parent 731ee8ae3d
commit c7be4a452a
5 changed files with 53 additions and 13 deletions
--- a/mealie/routes/households/controller_invitations.py
+++ b/mealie/routes/households/controller_invitations.py
@@ -2,6 +2,7 @@ from typing import Annotated

 from fastapi import APIRouter, Header, HTTPException, status

+from mealie.core.config import get_app_settings
 from mealie.core.security import url_safe_token
 from mealie.routes._base import BaseUserController, controller
 from mealie.schema.household.invite_token import (
@@ -21,10 +22,23 @@ router = APIRouter(prefix="/households/invitations", tags=["Households: Invitati
 class GroupInvitationsController(BaseUserController):
    @router.get("", response_model=list[ReadInviteToken])
    def get_invite_tokens(self):
+        if not self.user.admin:
+            raise HTTPException(
+                status.HTTP_403_FORBIDDEN,
+                detail="Only admins can list invite tokens",
+            )
+
        return self.repos.group_invite_tokens.page_all(PaginationQuery(page=1, per_page=-1)).items

    @router.post("", response_model=ReadInviteToken, status_code=status.HTTP_201_CREATED)
    def create_invite_token(self, body: CreateInviteToken):
+        settings = get_app_settings()
+        if not settings.ALLOW_PASSWORD_LOGIN:
+            raise HTTPException(
+                status.HTTP_403_FORBIDDEN,
+                detail="Invitation tokens are disabled when password login is not allowed",
+            )
+
        if not self.user.can_invite:
            raise HTTPException(
                status.HTTP_403_FORBIDDEN,
@@ -51,6 +65,19 @@ class GroupInvitationsController(BaseUserController):
        invite: EmailInvitation,
        accept_language: Annotated[str | None, Header()] = None,
    ):
+        settings = get_app_settings()
+        if not settings.ALLOW_PASSWORD_LOGIN:
+            raise HTTPException(
+                status.HTTP_403_FORBIDDEN,
+                detail="Invitation email are disabled when password login is not allowed",
+            )
+
+        if not self.user.can_invite:
+            raise HTTPException(
+                status.HTTP_403_FORBIDDEN,
+                detail="This user can't send email invitations",
+            )
+
        email_service = EmailService(locale=accept_language)
        url = f"{self.settings.BASE_URL}/register?token={invite.token}"