Do not allow for CRM role invitations

oharsta · oharsta · commit 7a91e199bf85 · 2026-02-25T15:25:52.000+01:00
diff --git a/server/src/main/java/invite/api/InvitationController.java b/server/src/main/java/invite/api/InvitationController.java
@@ -81,6 +81,7 @@
 import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
+import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.stream.Collectors;
 
 import static invite.SwaggerOpenIdConfig.API_TOKENS_SCHEME_NAME;
@@ -557,17 +558,29 @@ private void checkEmailEquality(User user, Invitation invitation) {
     }
 
     private void checkCrmUniqueOrganisation(User user, Invitation invitation) {
-        if (StringUtils.hasText(invitation.getCrmContactId()) &&
-                StringUtils.hasText(user.getCrmContactId()) &&
-                user.getCrmContactId().equals(invitation.getCrmContactId()) &&
-                !user.getCrmOrganisationId().equals(invitation.getCrmOrganisationId())) {
-            throw new InvitationUniqueCrmOrganisationException(
-                    String.format("User %s is not allowed to accept an invitation from Organisation %s, because it already has roles for Organisation %s",
-                            user.getEmail(),
-                            invitation.getCrmOrganisationId(),
-                            user.getCrmOrganisationId()
-                            ));
-
+        String invitationCrmContactId = invitation.getCrmContactId();
+        if (StringUtils.hasText(invitationCrmContactId)) {
+            String userCrmOrganisationId = user.getCrmOrganisationId();
+            AtomicBoolean throwException = new AtomicBoolean(false);
+            if (StringUtils.hasText(userCrmOrganisationId) &&
+                    !userCrmOrganisationId.equals(invitation.getCrmOrganisationId())) {
+                throwException.set(true);
+            }
+            Optional<User> optionalUser = userRepository.findByCrmContactIdAndCrmOrganisationId(
+                    invitationCrmContactId, invitation.getCrmOrganisationId());
+            optionalUser.ifPresent(userFromDB -> {
+                if (!userFromDB.getId().equals(user.getId())) {
+                    throwException.set(true);
+                }
+            });
+            if (throwException.get()) {
+                throw new InvitationUniqueCrmOrganisationException(
+                        String.format("User %s is not allowed to accept an invitation from Organisation %s, because it already has roles for Organisation %s",
+                                user.getEmail(),
+                                invitation.getCrmOrganisationId(),
+                                userCrmOrganisationId
+                        ));
+            }
         }
     }
 }
diff --git a/server/src/main/java/invite/api/InvitationOperations.java b/server/src/main/java/invite/api/InvitationOperations.java
@@ -19,6 +19,7 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.util.CollectionUtils;
+import org.springframework.util.StringUtils;
 
 import java.time.Instant;
 import java.time.Period;
@@ -51,6 +52,7 @@ public ResponseEntity<InvitationResponse> sendInvitation(InvitationRequest invit
         //We need to assert validations on the roles soo we need to load them
         List<Role> requestedRoles = invitationRequest.getRoleIdentifiers().stream()
                 .map(id -> invitationResource.getRoleRepository().findById(id)
+                        .filter(role -> !StringUtils.hasText(role.getCrmRoleId()))
                         .orElseThrow(() -> new NotFoundException("Role not found"))).toList();
 
         if (user != null) {
diff --git a/server/src/test/java/invite/api/InvitationControllerTest.java b/server/src/test/java/invite/api/InvitationControllerTest.java
@@ -303,6 +303,7 @@ void accept() throws Exception {
     @Test
     void acceptWithCRMConstraint() throws Exception {
         AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", KB_USER_SUB);
+
         String hash = Authority.GUEST.name();
         Invitation invitation = invitationRepository.findByHash(hash).get();
         invitation.setCrmOrganisationId(UUID.randomUUID().toString());
@@ -321,6 +322,30 @@ void acceptWithCRMConstraint() throws Exception {
                 .then()
                 .statusCode(HttpStatus.NOT_ACCEPTABLE.value());
     }
+
+    @Test
+    void acceptWithCRMConstraintDuplicateProfile() throws Exception {
+        AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", GUEST_SUB);
+
+        String hash = Authority.GUEST.name();
+        Invitation invitation = invitationRepository.findByHash(hash).get();
+        invitation.setCrmOrganisationId(CRM_ORGANIZATION_ID);
+        invitation.setCrmContactId(CRM_CONTACT_ID);
+        invitationRepository.save(invitation);
+
+        AcceptInvitation acceptInvitation = new AcceptInvitation(hash, invitation.getId());
+        given()
+                .when()
+                .filter(accessCookieFilter.cookieFilter())
+                .accept(ContentType.JSON)
+                .header(accessCookieFilter.csrfToken().getHeaderName(), accessCookieFilter.csrfToken().getToken())
+                .contentType(ContentType.JSON)
+                .body(acceptInvitation)
+                .post("/api/v1/invitations/accept")
+                .then()
+                .statusCode(HttpStatus.NOT_ACCEPTABLE.value());
+    }
+
     @Test
     void acceptGraph() throws Exception {
         AccessCookieFilter accessCookieFilter = openIDConnectFlow("/api/v1/users/login", "graph@new.com");
