From 3d3b3ff701673dc34b57ae04038170c87f15732a Mon Sep 17 00:00:00 2001
From: Fabien 'egg' O'Carroll <fabien@allou.is>
Date: Tue, 26 Mar 2024 00:45:08 +0700
Subject: [PATCH] Fixed Editors being able to invite Editors (#19904)

ref ENG-774
ref https://linear.app/tryghost/issue/ENG-774

Staff Tokens will have both a `user` and an `apiKey` present on the
`loadedPermissions`.

The check here for `apiKey` was written when we could assume that an
`apiKey` was an Admin Integration - so it completely overwrote the
previous `allowed` list. When we added the concept of Staff Tokens -
this resulted in a privilege escalation.

This is a good lesson in not using proxies or indicators for data, as
changes elsewhere can invalidate them - if we had been specific and
checked the role of the current actor we wouldn't've had this bug!
---
 ghost/core/core/server/models/invite.js           |  3 +--
 ghost/core/test/unit/server/models/invite.test.js | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/ghost/core/core/server/models/invite.js b/ghost/core/core/server/models/invite.js
index a957509498..f2af62b6de 100644
--- a/ghost/core/core/server/models/invite.js
+++ b/ghost/core/core/server/models/invite.js
@@ -93,8 +93,7 @@ Invite = ghostBookshelf.Model.extend({
                     } else if (_.some(loadedPermissions.user.roles, {name: 'Editor'})) {
                         allowed = ['Author', 'Contributor'];
                     }
-                }
-                if (loadedPermissions.apiKey) {
+                } else if (loadedPermissions.apiKey) {
                     allowed = ['Editor', 'Author', 'Contributor'];
                 }
 
diff --git a/ghost/core/test/unit/server/models/invite.test.js b/ghost/core/test/unit/server/models/invite.test.js
index 70e052516c..166af92b34 100644
--- a/ghost/core/test/unit/server/models/invite.test.js
+++ b/ghost/core/test/unit/server/models/invite.test.js
@@ -153,6 +153,21 @@ describe('Unit: models/invite', function () {
                         });
                 });
 
+                it('invite editor with staff token', function () {
+                    loadedPermissions.apiKey = {
+                        roles: [{name: 'Admin Integration'}]
+                    };
+                    sinon.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
+                    roleModel.get.withArgs('name').returns('Editor');
+
+                    return models.Invite.permissible(inviteModel, 'add', context, unsafeAttrs, loadedPermissions, true, true, true)
+                        .then(Promise.reject)
+                        .catch((err) => {
+                            (err instanceof errors.NoPermissionError).should.eql(true);
+                            delete loadedPermissions.apiKey;
+                        });
+                });
+
                 it('invite author', function () {
                     sinon.stub(models.Role, 'findOne').withArgs({id: 'role_id'}).resolves(roleModel);
                     roleModel.get.withArgs('name').returns('Author');