QT/InvoiceShelf
1
0
Fork 0
mirror of https://github.com/InvoiceShelf/InvoiceShelf.git synced 2026-04-17 10:14:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add company invitation system (backend)

Browse Source 
New feature allowing company owners/admins to invite users by email with
a specific company-scoped role.

Database:
- New company_invitations table (company_id, email, role_id, token,
  status, invited_by, expires_at)

Backend:
- CompanyInvitation model with pending/forUser scopes
- InvitationService: invite, accept, decline, getPendingForUser
- CompanyInvitationMail with markdown email template
- InvitationController (company-scoped): list, send, cancel invitations
- InvitationResponseController (user-scoped): pending, accept, decline
- BootstrapController returns pending_invitations in response
- CompanyMiddleware handles zero-company users gracefully

Tests: 9 feature tests covering invite, accept, decline, cancel, expire,
duplicate prevention, and bootstrap integration.
This commit is contained in:
Darko Gjorgjijoski
2026-04-03 22:58:55 +02:00
parent 4318c59976
commit 92a1baced4
12 changed files with 725 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
app/Http/Controllers/Company/General/BootstrapController.php
View File

@@ -3,9 +3,11 @@
namespace App\Http\Controllers\Company\General;
use App\Http\Controllers\Controller;
use App\Http\Resources\CompanyInvitationResource;
use App\Http\Resources\CompanyResource;
use App\Http\Resources\UserResource;
use App\Models\Company;
use App\Models\CompanyInvitation;
use App\Models\CompanySetting;
use App\Models\Currency;
use App\Models\Module;
@@ -28,13 +30,47 @@ class BootstrapController extends Controller
{
$current_user = $request->user();
$current_user_settings = $current_user->getAllSettings();
$companies = $current_user->companies;
$pendingInvitations = CompanyInvitation::forUser($current_user)
->pending()
->with(['company', 'role', 'invitedBy'])
->get();
$global_settings = Setting::getSettings([
'api_token',
'admin_portal_theme',
'admin_portal_logo',
'login_page_logo',
'login_page_heading',
'login_page_description',
'admin_page_title',
'copyright_text',
'save_pdf_to_disk',
]);
// User has no companies — return minimal bootstrap
if ($companies->isEmpty()) {
return response()->json([
'current_user' => new UserResource($current_user),
'current_user_settings' => $current_user_settings,
'current_user_abilities' => [],
'companies' => [],
'current_company' => null,
'current_company_settings' => [],
'current_company_currency' => Currency::first(),
'config' => config('invoiceshelf'),
'global_settings' => $global_settings,
'main_menu' => [],
'setting_menu' => [],
'modules' => [],
'pending_invitations' => CompanyInvitationResource::collection($pendingInvitations),
]);
}
$main_menu = $this->generateMenu('main_menu', $current_user);
$setting_menu = $this->generateMenu('setting_menu', $current_user);
$companies = $current_user->companies;
$current_company = Company::find($request->header('company'));
if ((! $current_company) || ($current_company && ! $current_user->hasCompany($current_company->id))) {
@@ -49,18 +85,6 @@ class BootstrapController extends Controller
BouncerFacade::refreshFor($current_user);
$global_settings = Setting::getSettings([
'api_token',
'admin_portal_theme',
'admin_portal_logo',
'login_page_logo',
'login_page_heading',
'login_page_description',
'admin_page_title',
'copyright_text',
'save_pdf_to_disk',
]);
return response()->json([
'current_user' => new UserResource($current_user),
'current_user_settings' => $current_user_settings,
@@ -74,6 +98,7 @@ class BootstrapController extends Controller
'main_menu' => $main_menu,
'setting_menu' => $setting_menu,
'modules' => Module::where('enabled', true)->pluck('name'),
'pending_invitations' => CompanyInvitationResource::collection($pendingInvitations),
]);
}

49
app/Http/Controllers/Company/General/InvitationResponseController.php Normal file
View File

@@ -0,0 +1,49 @@
<?php
namespace App\Http\Controllers\Company\General;
use App\Http\Controllers\Controller;
use App\Http\Resources\CompanyInvitationResource;
use App\Models\CompanyInvitation;
use App\Services\InvitationService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
class InvitationResponseController extends Controller
{
public function __construct(
private readonly InvitationService $invitationService,
) {}
/**
* Get pending invitations for the authenticated user.
*/
public function pending(Request $request): JsonResponse
{
$invitations = $this->invitationService->getPendingForUser($request->user());
return response()->json([
'invitations' => CompanyInvitationResource::collection($invitations),
]);
}
/**
* Accept a company invitation.
*/
public function accept(Request $request, CompanyInvitation $invitation): JsonResponse
{
$this->invitationService->accept($invitation, $request->user());
return response()->json(['success' => true]);
}
/**
* Decline a company invitation.
*/
public function decline(Request $request, CompanyInvitation $invitation): JsonResponse
{
$this->invitationService->decline($invitation, $request->user());
return response()->json(['success' => true]);
}
}

69
app/Http/Controllers/Company/Settings/InvitationController.php Normal file
View File

@@ -0,0 +1,69 @@
<?php
namespace App\Http\Controllers\Company\Settings;
use App\Http\Controllers\Controller;
use App\Http\Resources\CompanyInvitationResource;
use App\Models\Company;
use App\Models\CompanyInvitation;
use App\Services\InvitationService;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
class InvitationController extends Controller
{
public function __construct(
private readonly InvitationService $invitationService,
) {}
public function index(Request $request): JsonResponse
{
$company = Company::find($request->header('company'));
$invitations = CompanyInvitation::where('company_id', $company->id)
->pending()
->with(['role', 'invitedBy'])
->latest()
->get();
return response()->json([
'invitations' => CompanyInvitationResource::collection($invitations),
]);
}
public function store(Request $request): JsonResponse
{
$request->validate([
'email' => 'required|email',
'role_id' => 'required|exists:roles,id',
]);
$company = Company::find($request->header('company'));
$invitation = $this->invitationService->invite(
$company,
$request->email,
$request->role_id,
$request->user()
);
return response()->json([
'success' => true,
'invitation' => new CompanyInvitationResource($invitation->load(['company', 'role', 'invitedBy'])),
]);
}
public function destroy(CompanyInvitation $companyInvitation): JsonResponse
{
if ($companyInvitation->status !== CompanyInvitation::STATUS_PENDING) {
return response()->json([
'success' => false,
'message' => 'Only pending invitations can be cancelled.',
], 422);
}
$companyInvitation->delete();
return response()->json(['success' => true]);
}
}

21
app/Http/Middleware/CompanyMiddleware.php
View File

@@ -9,18 +9,25 @@ use Symfony\Component\HttpFoundation\Response;
class CompanyMiddleware
{
/**
* Handle an incoming request.
*
* @return mixed
*/
public function handle(Request $request, Closure $next): Response
{
if (Schema::hasTable('user_company')) {
$user = $request->user();
if ((! $request->header('company')) || (! $user->hasCompany($request->header('company')))) {
$request->headers->set('company', $user->companies()->first()->id);
if (! $user) {
return $next($request);
}
$firstCompany = $user->companies()->first();
// User has no companies — allow request through without company header
// (BootstrapController handles this gracefully)
if (! $firstCompany) {
return $next($request);
}
if (! $request->header('company') || ! $user->hasCompany($request->header('company'))) {
$request->headers->set('company', $firstCompany->id);
}
}

31
app/Http/Resources/CompanyInvitationResource.php Normal file
View File

@@ -0,0 +1,31 @@
<?php
namespace App\Http\Resources;
use Illuminate\Http\Request;
use Illuminate\Http\Resources\Json\JsonResource;
class CompanyInvitationResource extends JsonResource
{
public function toArray(Request $request): array
{
return [
'id' => $this->id,
'company_id' => $this->company_id,
'email' => $this->email,
'token' => $this->token,
'status' => $this->status,
'expires_at' => $this->expires_at,
'created_at' => $this->created_at,
'company' => $this->when($this->relationLoaded('company'), function () {
return new CompanyResource($this->company);
}),
'role' => $this->when($this->relationLoaded('role'), function () {
return new RoleResource($this->role);
}),
'invited_by' => $this->when($this->relationLoaded('invitedBy'), function () {
return new UserResource($this->invitedBy);
}),
];
}
}

43
app/Mail/CompanyInvitationMail.php Normal file
View File

@@ -0,0 +1,43 @@
<?php
namespace App\Mail;
use App\Models\CompanyInvitation;
use Illuminate\Bus\Queueable;
use Illuminate\Mail\Mailable;
use Illuminate\Mail\Mailables\Content;
use Illuminate\Mail\Mailables\Envelope;
use Illuminate\Queue\SerializesModels;
class CompanyInvitationMail extends Mailable
{
use Queueable, SerializesModels;
public function __construct(
public readonly CompanyInvitation $invitation,
) {}
public function envelope(): Envelope
{
return new Envelope(
subject: __('You\'ve been invited to join :company', [
'company' => $this->invitation->company->name,
]),
);
}
public function content(): Content
{
return new Content(
markdown: 'emails.company-invitation',
with: [
'invitation' => $this->invitation,
'companyName' => $this->invitation->company->name,
'roleName' => $this->invitation->role->title,
'inviterName' => $this->invitation->invitedBy->name,
'acceptUrl' => url("/invitations/{$this->invitation->token}/accept"),
'declineUrl' => url("/invitations/{$this->invitation->token}/decline"),
],
);
}
}

77
app/Models/CompanyInvitation.php Normal file
View File

@@ -0,0 +1,77 @@
<?php
namespace App\Models;
use Carbon\Carbon;
use Illuminate\Database\Eloquent\Builder;
use Illuminate\Database\Eloquent\Factories\HasFactory;
use Illuminate\Database\Eloquent\Model;
use Illuminate\Database\Eloquent\Relations\BelongsTo;
use Silber\Bouncer\Database\Role;
class CompanyInvitation extends Model
{
use HasFactory;
protected $guarded = ['id'];
protected $dates = ['expires_at'];
public const STATUS_PENDING = 'pending';
public const STATUS_ACCEPTED = 'accepted';
public const STATUS_DECLINED = 'declined';
public const STATUS_EXPIRED = 'expired';
public function company(): BelongsTo
{
return $this->belongsTo(Company::class);
}
public function user(): BelongsTo
{
return $this->belongsTo(User::class);
}
public function invitedBy(): BelongsTo
{
return $this->belongsTo(User::class, 'invited_by');
}
public function role(): BelongsTo
{
return $this->belongsTo(Role::class);
}
public function isExpired(): bool
{
return Carbon::now()->greaterThan($this->expires_at);
}
public function isPending(): bool
{
return $this->status === self::STATUS_PENDING && ! $this->isExpired();
}
/**
* Scope to pending, non-expired invitations.
*/
public function scopePending(Builder $query): void
{
$query->where('status', self::STATUS_PENDING)
->where('expires_at', '>', Carbon::now());
}
/**
* Scope to invitations for a specific user (by user_id or email).
*/
public function scopeForUser(Builder $query, User $user): void
{
$query->where(function (Builder $q) use ($user) {
$q->where('user_id', $user->id)
->orWhere('email', $user->email);
});
}
}

113
app/Services/InvitationService.php Normal file
View File

@@ -0,0 +1,113 @@
<?php
namespace App\Services;
use App\Mail\CompanyInvitationMail;
use App\Models\Company;
use App\Models\CompanyInvitation;
use App\Models\User;
use Carbon\Carbon;
use Illuminate\Support\Collection;
use Illuminate\Support\Facades\Mail;
use Illuminate\Support\Str;
use Illuminate\Validation\ValidationException;
use Silber\Bouncer\BouncerFacade;
use Silber\Bouncer\Database\Role;
class InvitationService
{
/**
* Invite a user to a company by email with a specific role.
*/
public function invite(Company $company, string $email, int $roleId, User $invitedBy): CompanyInvitation
{
// Check for existing pending invitation
$existing = CompanyInvitation::where('company_id', $company->id)
->where('email', $email)
->pending()
->first();
if ($existing) {
throw ValidationException::withMessages([
'email' => ['An invitation is already pending for this email.'],
]);
}
// Check if user is already a member
$existingUser = User::where('email', $email)->first();
if ($existingUser && $existingUser->hasCompany($company->id)) {
throw ValidationException::withMessages([
'email' => ['This user is already a member of this company.'],
]);
}
$invitation = CompanyInvitation::create([
'company_id' => $company->id,
'user_id' => $existingUser?->id,
'email' => $email,
'role_id' => $roleId,
'token' => Str::random(64),
'status' => CompanyInvitation::STATUS_PENDING,
'invited_by' => $invitedBy->id,
'expires_at' => Carbon::now()->addDays(7),
]);
Mail::to($email)->send(new CompanyInvitationMail($invitation));
return $invitation;
}
/**
* Accept a pending invitation and add the user to the company.
*/
public function accept(CompanyInvitation $invitation, User $user): void
{
if (! $invitation->isPending()) {
throw ValidationException::withMessages([
'invitation' => ['This invitation is no longer valid.'],
]);
}
// Add user to company
$user->companies()->attach($invitation->company_id);
// Assign role scoped to the invitation's company
$role = Role::withoutGlobalScopes()->find($invitation->role_id);
BouncerFacade::scope()->to($invitation->company_id);
$user->assign($role->name);
// Update invitation
$invitation->update([
'status' => CompanyInvitation::STATUS_ACCEPTED,
'user_id' => $user->id,
]);
}
/**
* Decline a pending invitation.
*/
public function decline(CompanyInvitation $invitation, User $user): void
{
if (! $invitation->isPending()) {
throw ValidationException::withMessages([
'invitation' => ['This invitation is no longer valid.'],
]);
}
$invitation->update([
'status' => CompanyInvitation::STATUS_DECLINED,
'user_id' => $user->id,
]);
}
/**
* Get all pending invitations for a user (by user_id or email).
*/
public function getPendingForUser(User $user): Collection
{
return CompanyInvitation::forUser($user)
->pending()
->with(['company', 'role', 'invitedBy'])
->get();
}
}

32
database/migrations/2026_04_03_204854_create_company_invitations_table.php Normal file
View File

@@ -0,0 +1,32 @@
<?php
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;
return new class extends Migration
{
public function up(): void
{
Schema::create('company_invitations', function (Blueprint $table) {
$table->id();
$table->foreignId('company_id')->constrained()->cascadeOnDelete();
$table->foreignId('user_id')->nullable()->constrained()->nullOnDelete();
$table->string('email');
$table->foreignId('role_id')->constrained('roles')->cascadeOnDelete();
$table->string('token')->unique();
$table->enum('status', ['pending', 'accepted', 'declined', 'expired'])->default('pending');
$table->foreignId('invited_by')->constrained('users')->cascadeOnDelete();
$table->timestamp('expires_at');
$table->timestamps();
$table->index(['email', 'status']);
$table->index(['user_id', 'status']);
});
}
public function down(): void
{
Schema::dropIfExists('company_invitations');
}
};

16
resources/views/emails/company-invitation.blade.php Normal file
View File

@@ -0,0 +1,16 @@
<x-mail::message>
# You've been invited!
**{{ $inviterName }}** has invited you to join **{{ $companyName }}** as **{{ $roleName }}**.
<x-mail::button :url="$acceptUrl">
Accept Invitation
</x-mail::button>
If you don't want to join, you can <a href="{{ $declineUrl }}">decline this invitation</a>.
This invitation will expire in 7 days.
Thanks,<br>
{{ config('app.name') }}
</x-mail::message>

14
routes/api.php
View File

@@ -27,6 +27,7 @@ use App\Http\Controllers\Company\Expense\ExpensesController;
use App\Http\Controllers\Company\General\BootstrapController;
use App\Http\Controllers\Company\General\ConfigController;
use App\Http\Controllers\Company\General\FormatsController;
use App\Http\Controllers\Company\General\InvitationResponseController;
use App\Http\Controllers\Company\General\NotesController;
use App\Http\Controllers\Company\General\SearchController;
use App\Http\Controllers\Company\General\SerialNumberController;
@@ -43,6 +44,7 @@ use App\Http\Controllers\Company\Role\RolesController;
use App\Http\Controllers\Company\Settings\CompanyController;
use App\Http\Controllers\Company\Settings\CompanyMailConfigurationController;
use App\Http\Controllers\Company\Settings\CompanySettingsController;
use App\Http\Controllers\Company\Settings\InvitationController;
use App\Http\Controllers\Company\Settings\TaxTypesController;
use App\Http\Controllers\Company\Settings\UserProfileController;
use App\Http\Controllers\Company\Users\UsersController;
@@ -171,6 +173,13 @@ Route::prefix('/v1')->group(function () {
Route::get('/bootstrap', BootstrapController::class);
// Invitations (user-scoped — respond to invitations)
// ----------------------------------
Route::get('/invitations/pending', [InvitationResponseController::class, 'pending']);
Route::post('/invitations/{invitation:token}/accept', [InvitationResponseController::class, 'accept']);
Route::post('/invitations/{invitation:token}/decline', [InvitationResponseController::class, 'decline']);
// Currencies
// ----------------------------------
@@ -216,6 +225,11 @@ Route::prefix('/v1')->group(function () {
Route::get('/current-company', [BootstrapController::class, 'currentCompany']);
// Company Invitations (company-scoped — send invitations)
// ----------------------------------
Route::apiResource('company-invitations', InvitationController::class)->only(['index', 'store', 'destroy']);
// Customers
// ----------------------------------

227
tests/Feature/Admin/InvitationTest.php Normal file
View File

@@ -0,0 +1,227 @@
<?php
use App\Mail\CompanyInvitationMail;
use App\Models\Company;
use App\Models\CompanyInvitation;
use App\Models\User;
use Illuminate\Support\Facades\Artisan;
use Illuminate\Support\Facades\Mail;
use Laravel\Sanctum\Sanctum;
use Silber\Bouncer\Database\Role;
use function Pest\Laravel\deleteJson;
use function Pest\Laravel\getJson;
use function Pest\Laravel\postJson;
beforeEach(function () {
Artisan::call('db:seed', ['--class' => 'DatabaseSeeder', '--force' => true]);
Artisan::call('db:seed', ['--class' => 'DemoSeeder', '--force' => true]);
$user = User::find(1);
$this->withHeaders([
'company' => $user->companies()->first()->id,
]);
Sanctum::actingAs($user, ['*']);
});
test('invite user to company', function () {
Mail::fake();
$company = Company::first();
$role = Role::where('name', 'owner')->first();
$response = postJson('api/v1/company-invitations', [
'email' => 'newuser@example.com',
'role_id' => $role->id,
]);
$response->assertOk();
$response->assertJsonPath('success', true);
$this->assertDatabaseHas('company_invitations', [
'company_id' => $company->id,
'email' => 'newuser@example.com',
'role_id' => $role->id,
'status' => 'pending',
]);
Mail::assertSent(CompanyInvitationMail::class);
});
test('cannot invite user already in company', function () {
$company = Company::first();
$role = Role::where('name', 'owner')->first();
$existingUser = User::first();
$response = postJson('api/v1/company-invitations', [
'email' => $existingUser->email,
'role_id' => $role->id,
]);
$response->assertStatus(422);
});
test('cannot send duplicate invitation', function () {
Mail::fake();
$company = Company::first();
$role = Role::where('name', 'owner')->first();
postJson('api/v1/company-invitations', [
'email' => 'duplicate@example.com',
'role_id' => $role->id,
])->assertOk();
postJson('api/v1/company-invitations', [
'email' => 'duplicate@example.com',
'role_id' => $role->id,
])->assertStatus(422);
});
test('list pending invitations for company', function () {
Mail::fake();
$company = Company::first();
$role = Role::where('name', 'owner')->first();
postJson('api/v1/company-invitations', [
'email' => 'invited@example.com',
'role_id' => $role->id,
]);
$response = getJson('api/v1/company-invitations');
$response->assertOk();
$response->assertJsonCount(1, 'invitations');
});
test('cancel pending invitation', function () {
Mail::fake();
$company = Company::first();
$role = Role::where('name', 'owner')->first();
$storeResponse = postJson('api/v1/company-invitations', [
'email' => 'cancel@example.com',
'role_id' => $role->id,
]);
$storeResponse->assertOk();
$invitation = CompanyInvitation::where('email', 'cancel@example.com')->first();
$this->assertNotNull($invitation);
deleteJson("api/v1/company-invitations/{$invitation->id}")
->assertOk();
$this->assertDatabaseMissing('company_invitations', [
'email' => 'cancel@example.com',
]);
});
test('accept invitation adds user to company', function () {
Mail::fake();
$company = Company::first();
$role = Role::where('name', 'owner')->first();
// Create a new user not in the company
$newUser = User::factory()->create(['email' => 'accept@example.com']);
// Create invitation
$invitation = CompanyInvitation::create([
'company_id' => $company->id,
'user_id' => $newUser->id,
'email' => $newUser->email,
'role_id' => $role->id,
'token' => 'test-accept-token',
'status' => 'pending',
'invited_by' => User::first()->id,
'expires_at' => now()->addDays(7),
]);
// Act as the invited user
Sanctum::actingAs($newUser, ['*']);
postJson("api/v1/invitations/{$invitation->token}/accept")
->assertOk();
$this->assertTrue($newUser->fresh()->hasCompany($company->id));
$this->assertDatabaseHas('company_invitations', [
'token' => 'test-accept-token',
'status' => 'accepted',
]);
});
test('decline invitation', function () {
$company = Company::first();
$role = Role::where('name', 'owner')->first();
$newUser = User::factory()->create(['email' => 'decline@example.com']);
$invitation = CompanyInvitation::create([
'company_id' => $company->id,
'user_id' => $newUser->id,
'email' => $newUser->email,
'role_id' => $role->id,
'token' => 'test-decline-token',
'status' => 'pending',
'invited_by' => User::first()->id,
'expires_at' => now()->addDays(7),
]);
Sanctum::actingAs($newUser, ['*']);
postJson("api/v1/invitations/{$invitation->token}/decline")
->assertOk();
$this->assertDatabaseHas('company_invitations', [
'token' => 'test-decline-token',
'status' => 'declined',
]);
$this->assertFalse($newUser->fresh()->hasCompany($company->id));
});
test('cannot accept expired invitation', function () {
$company = Company::first();
$role = Role::where('name', 'owner')->first();
$newUser = User::factory()->create(['email' => 'expired@example.com']);
$invitation = CompanyInvitation::create([
'company_id' => $company->id,
'user_id' => $newUser->id,
'email' => $newUser->email,
'role_id' => $role->id,
'token' => 'test-expired-token',
'status' => 'pending',
'invited_by' => User::first()->id,
'expires_at' => now()->subDay(),
]);
Sanctum::actingAs($newUser, ['*']);
postJson("api/v1/invitations/{$invitation->token}/accept")
->assertStatus(422);
$this->assertFalse($newUser->fresh()->hasCompany($company->id));
});
test('bootstrap includes pending invitations', function () {
$company = Company::first();
$role = Role::where('name', 'owner')->first();
$user = User::first();
CompanyInvitation::create([
'company_id' => $company->id,
'user_id' => $user->id,
'email' => $user->email,
'role_id' => $role->id,
'token' => 'test-bootstrap-token',
'status' => 'pending',
'invited_by' => $user->id,
'expires_at' => now()->addDays(7),
]);
$response = getJson('api/v1/bootstrap');
$response->assertOk();
$response->assertJsonStructure(['pending_invitations']);
});