Add team seat validation, owner self-invite prevention, and fix seat counting to include owner

simonhamp · claude · simonhamp · commit f7b6b0315e31 · 2026-03-28T13:31:11.000Z
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/app/Http/Controllers/TeamUserController.php b/app/Http/Controllers/TeamUserController.php
@@ -42,6 +42,11 @@ public function invite(InviteTeamUserRequest $request): RedirectResponse
 
         $email = $request->validated()['email'];
 
+        // Prevent owner from inviting themselves
+        if (strtolower($email) === strtolower($user->email)) {
+            return back()->with('error', 'You cannot invite yourself to your own team.');
+        }
+
         // Check for duplicate (active or pending)
         $existingMember = $team->users()
             ->where('email', $email)
diff --git a/app/Livewire/TeamManager.php b/app/Livewire/TeamManager.php
@@ -20,6 +20,10 @@ public function mount(Team $team): void
 
     public function addSeats(int $count = 1): void
     {
+        if ($count < 1 || $count > 50) {
+            return;
+        }
+
         $owner = $this->team->owner;
         $subscription = $owner->subscription();
 
@@ -64,6 +68,10 @@ public function addSeats(int $count = 1): void
 
     public function removeSeats(int $count = 1): void
     {
+        if ($count < 1 || $count > 50) {
+            return;
+        }
+
         if ($this->team->extra_seats < $count) {
             return;
         }
diff --git a/app/Models/Team.php b/app/Models/Team.php
@@ -70,7 +70,7 @@ public function totalSeatCapacity(): int
 
     public function occupiedSeatCount(): int
     {
-        return $this->activeUserCount() + $this->pendingInvitations()->count();
+        return 1 + $this->activeUserCount() + $this->pendingInvitations()->count();
     }
 
     public function availableSeats(): int
@@ -85,7 +85,7 @@ public function isOverIncludedLimit(): bool
 
     public function extraSeatsCount(): int
     {
-        return max(0, $this->activeUserCount() - $this->includedSeats());
+        return max(0, 1 + $this->activeUserCount() - $this->includedSeats());
     }
 
     public function suspend(): bool
diff --git a/tests/Feature/TeamManagementTest.php b/tests/Feature/TeamManagementTest.php
@@ -8,6 +8,7 @@
 use App\Jobs\RevokeTeamUserAccessJob;
 use App\Jobs\SuspendTeamJob;
 use App\Jobs\UnsuspendTeamJob;
+use App\Livewire\TeamManager;
 use App\Models\License;
 use App\Models\Plugin;
 use App\Models\PluginLicense;
@@ -25,6 +26,7 @@
 use Laravel\Cashier\Events\WebhookReceived;
 use Laravel\Cashier\Subscription;
 use Laravel\Pennant\Feature;
+use Livewire\Livewire;
 use Tests\TestCase;
 
 class TeamManagementTest extends TestCase
@@ -202,14 +204,31 @@ public function test_cannot_invite_when_team_suspended(): void
         Notification::assertNothingSent();
     }
 
+    public function test_owner_cannot_invite_themselves(): void
+    {
+        Notification::fake();
+
+        [$owner, $team] = $this->createTeamWithOwner();
+
+        $response = $this->actingAs($owner)
+            ->post(route('customer.team.invite'), ['email' => $owner->email]);
+
+        $response->assertSessionHas('error', 'You cannot invite yourself to your own team.');
+        Notification::assertNothingSent();
+        $this->assertDatabaseMissing('team_users', [
+            'team_id' => $team->id,
+            'email' => $owner->email,
+        ]);
+    }
+
     public function test_cannot_invite_beyond_seat_limit(): void
     {
         Notification::fake();
 
         [$owner, $team] = $this->createTeamWithOwner();
 
-        // Create 10 active members to fill all seats
-        TeamUser::factory()->count(10)->active()->create(['team_id' => $team->id]);
+        // Create 9 active members to fill all seats (owner occupies 1 of 10 included seats)
+        TeamUser::factory()->count(9)->active()->create(['team_id' => $team->id]);
 
         $response = $this->actingAs($owner)
             ->post(route('customer.team.invite'), ['email' => 'extra@example.com']);
@@ -873,4 +892,77 @@ public function test_team_detail_page_shows_owner_purchased_plugins(): void
         $response->assertSee('acme/shared-plugin');
         $response->assertSee('Accessible Plugins');
     }
+
+    // ========================================
+    // Seat Validation Tests
+    // ========================================
+
+    public function test_cannot_add_zero_seats(): void
+    {
+        [$owner, $team] = $this->createTeamWithOwner();
+
+        Livewire::actingAs($owner)
+            ->test(TeamManager::class, ['team' => $team])
+            ->call('addSeats', 0);
+
+        $this->assertEquals(0, $team->fresh()->extra_seats);
+    }
+
+    public function test_cannot_add_negative_seats(): void
+    {
+        [$owner, $team] = $this->createTeamWithOwner();
+
+        Livewire::actingAs($owner)
+            ->test(TeamManager::class, ['team' => $team])
+            ->call('addSeats', -1);
+
+        $this->assertEquals(0, $team->fresh()->extra_seats);
+    }
+
+    public function test_cannot_add_more_than_fifty_seats(): void
+    {
+        [$owner, $team] = $this->createTeamWithOwner();
+
+        Livewire::actingAs($owner)
+            ->test(TeamManager::class, ['team' => $team])
+            ->call('addSeats', 51);
+
+        $this->assertEquals(0, $team->fresh()->extra_seats);
+    }
+
+    public function test_cannot_remove_zero_seats(): void
+    {
+        [$owner, $team] = $this->createTeamWithOwner();
+        $team->update(['extra_seats' => 5]);
+
+        Livewire::actingAs($owner)
+            ->test(TeamManager::class, ['team' => $team])
+            ->call('removeSeats', 0);
+
+        $this->assertEquals(5, $team->fresh()->extra_seats);
+    }
+
+    public function test_cannot_remove_negative_seats(): void
+    {
+        [$owner, $team] = $this->createTeamWithOwner();
+        $team->update(['extra_seats' => 5]);
+
+        Livewire::actingAs($owner)
+            ->test(TeamManager::class, ['team' => $team])
+            ->call('removeSeats', -1);
+
+        $this->assertEquals(5, $team->fresh()->extra_seats);
+    }
+
+    public function test_cannot_remove_more_than_fifty_seats(): void
+    {
+        [$owner, $team] = $this->createTeamWithOwner();
+        $team->update(['extra_seats' => 60]);
+
+        Livewire::actingAs($owner)
+            ->test(TeamManager::class, ['team' => $team])
+            ->call('removeSeats', 51);
+
+        $this->assertEquals(60, $team->fresh()->extra_seats);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,10 @@ public function mount(Team $team): void`
`20`	`20`
`21`	`21`	`public function addSeats(int $count = 1): void`
`22`	`22`	`{`
	`23`	`+ if ($count < 1 \|\| $count > 50) {`
	`24`	`+ return;`
	`25`	`+ }`
	`26`	`+`
`23`	`27`	`$owner = $this->team->owner;`
`24`	`28`	`$subscription = $owner->subscription();`
`25`	`29`
`@@ -64,6 +68,10 @@ public function addSeats(int $count = 1): void`
`64`	`68`
`65`	`69`	`public function removeSeats(int $count = 1): void`
`66`	`70`	`{`
	`71`	`+ if ($count < 1 \|\| $count > 50) {`
	`72`	`+ return;`
	`73`	`+ }`
	`74`	`+`
`67`	`75`	`if ($this->team->extra_seats < $count) {`
`68`	`76`	`return;`
`69`	`77`	`}`
Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ public function totalSeatCapacity(): int`
`70`	`70`
`71`	`71`	`public function occupiedSeatCount(): int`
`72`	`72`	`{`
`73`		`- return $this->activeUserCount() + $this->pendingInvitations()->count();`
	`73`	`+ return 1 + $this->activeUserCount() + $this->pendingInvitations()->count();`
`74`	`74`	`}`
`75`	`75`
`76`	`76`	`public function availableSeats(): int`
`@@ -85,7 +85,7 @@ public function isOverIncludedLimit(): bool`
`85`	`85`
`86`	`86`	`public function extraSeatsCount(): int`
`87`	`87`	`{`
`88`		`- return max(0, $this->activeUserCount() - $this->includedSeats());`
	`88`	`+ return max(0, 1 + $this->activeUserCount() - $this->includedSeats());`
`89`	`89`	`}`
`90`	`90`
`91`	`91`	`public function suspend(): bool`