From 9f434b0edd01b2322b6b571a26e018503ee10178 Mon Sep 17 00:00:00 2001
From: Mikhail Rakhmanov
Date: Mon, 12 May 2025 18:18:54 +0200
Subject: [PATCH] Improve invite validation
---
 commonspace/object/acl/list/models.go | 4 ++++
 commonspace/object/acl/list/validator.go | 11 ++++++++---
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/commonspace/object/acl/list/models.go b/commonspace/object/acl/list/models.go
index 0c8d537e..cc8132ce 100644
--- a/commonspace/object/acl/list/models.go
+++ b/commonspace/object/acl/list/models.go
@@ -85,6 +85,10 @@ func (p AclPermissions) IsOwner() bool {
 return aclrecordproto.AclUserPermissions(p) == aclrecordproto.AclUserPermissions_Owner
 }
 
+func (p AclPermissions) IsGuest() bool {
+ return aclrecordproto.AclUserPermissions(p) == aclrecordproto.AclUserPermissions_Guest
+}
+
 func (p AclPermissions) CanWrite() bool {
 switch aclrecordproto.AclUserPermissions(p) {
 case aclrecordproto.AclUserPermissions_Admin:
diff --git a/commonspace/object/acl/list/validator.go b/commonspace/object/acl/list/validator.go
index 6ddd8b23..6c23cd8e 100644
--- a/commonspace/object/acl/list/validator.go
+++ b/commonspace/object/acl/list/validator.go
@@ -219,9 +219,14 @@ func (c *contentValidator) ValidateInvite(ch *aclrecordproto.AclAccountInvite, a
 if !c.aclState.Permissions(authorIdentity).CanManageAccounts() {
 return ErrInsufficientPermissions
 }
- if ch.InviteType == aclrecordproto.AclInviteType_AnyoneCanJoin &&
- (AclPermissions(ch.Permissions).IsOwner() || AclPermissions(ch.Permissions).NoPermissions()) {
- return ErrInsufficientPermissions
+ permissions := AclPermissions(ch.Permissions)
+ if ch.InviteType == aclrecordproto.AclInviteType_AnyoneCanJoin {
+ if permissions.IsOwner() || permissions.NoPermissions() || permissions.IsGuest() {
+ return ErrInsufficientPermissions
+ }
+ if ch.EncryptedReadKey == nil {
+ return ErrIncorrectReadKey
+ }
 }
 _, err = c.keyStore.PubKeyFromProto(ch.InviteKey)
 return
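Review bot: The new read-key guard in the AnyoneCanJoin branch of ValidateInvite, `if ch.EncryptedReadKey == nil`, rejects only a nil value; if EncryptedReadKey is a byte slice (its declaration is not visible in this hunk), an empty but non-nil slice would still pass, so `if len(ch.EncryptedReadKey) == 0 { return ErrIncorrectReadKey }` is the safer form. The permission check just above it is a denylist (`permissions.IsOwner() || permissions.NoPermissions() || permissions.IsGuest()`), so every level it does not name is accepted for an open invite, including Admin as far as these lines show, and any permission value added to the enum later would be accepted by default; an allowlist of the levels an AnyoneCanJoin invite may grant would fail closed, and it is worth confirming that granting Admin through such an invite is intended. A short comment such as `// open invites must carry the encrypted read key and may not grant owner, guest or empty permissions` would record the rule for the next reader. ValidateInvite starts before this hunk and ends after it, and the patch touches only models.go and validator.go, so the new rejections arrive without a test.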