project/collaborators: check the api in a similar way

sagemathinc · haraldschilly · Dec 3, 2025 · Dec 11, 2025 · Dec 11, 2025 · Dec 11, 2025
commit d43af728c5e2337318e2f2058eb3b557e2d00969
diff --git a/src/packages/frontend/projects/actions.ts b/src/packages/frontend/projects/actions.ts
@@ -640,13 +640,14 @@ export class ProjectsActions extends Actions<ProjectsState> {
   ): Promise<void> {
     const removed_name = redux.getStore("users").get_name(account_id);
     try {
-      await this.redux
-        .getProjectActions(project_id)
-        .async_log({ event: "remove_collaborator", removed_name });
       await webapp_client.project_collaborators.remove({
         project_id,
         account_id,
       });
+      // Log AFTER successful removal
+      await this.redux
+        .getProjectActions(project_id)
+        .async_log({ event: "remove_collaborator", removed_name });
     } catch (err) {
       const message = `Error removing ${removed_name} from project ${project_id} -- ${err}`;
       alert_message({ type: "error", message });
@@ -693,11 +694,6 @@ export class ProjectsActions extends Actions<ProjectsState> {
     replyto?: string,
     replyto_name?: string,
   ): Promise<void> {
-    await this.redux.getProjectActions(project_id).async_log({
-      event: "invite_user",
-      invitee_account_id: account_id,
-    });
-
     const title = store.get_title(project_id);
     const link2proj = `https://${window.location.hostname}/projects/${project_id}/`;
     // convert body from markdown to html, which is what the backend expects
@@ -714,6 +710,11 @@ export class ProjectsActions extends Actions<ProjectsState> {
         email,
         subject,
       });
+      // Log AFTER successful invite
+      await this.redux.getProjectActions(project_id).async_log({
+        event: "invite_user",
+        invitee_account_id: account_id,
+      });
     } catch (err) {
       if (!silent) {
         const message = `Error inviting collaborator ${account_id} from ${project_id} -- ${err}`;
@@ -732,11 +733,6 @@ export class ProjectsActions extends Actions<ProjectsState> {
     replyto: string | undefined,
     replyto_name: string | undefined,
   ): Promise<void> {
-    await this.redux.getProjectActions(project_id).async_log({
-      event: "invite_nonuser",
-      invitee_email: to,
-    });
-
     const title = store.get_title(project_id);
     if (body == null) {
       const name = this.redux.getStore("account").get_fullname();
@@ -756,6 +752,11 @@ export class ProjectsActions extends Actions<ProjectsState> {
         email,
         subject,
       });
+      // Log AFTER successful invite
+      await this.redux.getProjectActions(project_id).async_log({
+        event: "invite_nonuser",
+        invitee_email: to,
+      });
       if (!silent) {
         alert_message({
           message: `Invited ${to} to collaborate on project.`,

diff --git a/src/packages/server/projects/collab.ts b/src/packages/server/projects/collab.ts
@@ -1,5 +1,5 @@
 /*
- *  This file is part of CoCalc: Copyright © 2020 Sagemath, Inc.
+ *  This file is part of CoCalc: Copyright © 2020 - 2025 Sagemath, Inc.
  *  License: MS-RSL – see LICENSE.md for details
  */
 
@@ -8,6 +8,10 @@ import { is_array, is_valid_uuid_string } from "@cocalc/util/misc";
 import { callback2 } from "@cocalc/util/async-utils";
 import isSandbox from "@cocalc/server/projects/is-sandbox";
 import idleSandboxUsers from "@cocalc/server/projects/idle-sandbox-users";
+import {
+  ensureCanManageCollaborators,
+  ensureCanRemoveUser,
+} from "./ownership-checks";
 
 const GROUPS = ["owner", "collaborator"] as const;
 
@@ -40,6 +44,18 @@ export async function add_collaborators_to_projects(
     Also, the input is uuid's, which typescript can't check. */
   verify_types(account_id, accounts, projects);
 
+  // Check strict_collaborator_management setting before database changes
+  // Only check if not using tokens (tokens have their own permission system)
+  if (!tokens) {
+    for (const project_id of new Set(projects)) {
+      if (!project_id) continue; // skip empty strings
+      await ensureCanManageCollaborators({
+        project_id,
+        account_id,
+      });
+    }
+  }
+
   // We now know that account_id is allowed to add users to all of the projects,
   // *OR* at that there are valid tokens to permit adding users.
 
@@ -71,7 +87,7 @@ export async function remove_collaborators_from_projects(
   db: PostgreSQL,
   account_id: string,
   accounts: string[],
-  projects: string[], // can be empty strings if tokens specified (since they determine project_id)
+  projects: string[],
 ): Promise<void> {
   try {
     // Ensure user is allowed to modify project(s)
@@ -92,6 +108,31 @@ export async function remove_collaborators_from_projects(
     Also, the input is uuid's, which typescript can't check. */
   verify_types(account_id, accounts, projects);
 
+  // Check strict_collaborator_management setting before database changes
+  // Skip check if the user is only removing themselves
+  const is_self_remove_only =
+    accounts.length === 1 && accounts[0] === account_id;
+  if (!is_self_remove_only) {
+    for (const project_id of new Set(projects)) {
+      if (!project_id) continue; // skip empty strings
+      await ensureCanManageCollaborators({
+        project_id,
+        account_id,
+      });
+    }
+  }
+
+  // CRITICAL: Verify that no target users are owners
+  // Owners must be demoted to collaborator first, then removed
+  for (const i in projects) {
+    const project_id: string = projects[i];
+    const target_account_id: string = accounts[i];
+    await ensureCanRemoveUser({
+      project_id,
+      target_account_id,
+    });
+  }
+
   // Remove users from projects
   //
   for (const i in projects) {