fix(security): short-circuit admin check when caller is invitee

waleedlatif1 · claude · waleedlatif1 · commit 1db2ab47ed99 · 2026-03-27T17:40:57.000-07:00
Skip the hasWorkspaceAdminAccess DB query when the caller is already
the invitee, avoiding an unnecessary round-trip. Aligns with the org
invitation route pattern.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts b/apps/sim/app/api/workspaces/invitations/[invitationId]/route.ts
@@ -199,10 +199,12 @@ export async function GET(
     }
 
     const isInvitee = session.user.email?.toLowerCase() === invitation.email.toLowerCase()
-    const hasAdminAccess = await hasWorkspaceAdminAccess(session.user.id, invitation.workspaceId)
 
-    if (!isInvitee && !hasAdminAccess) {
-      return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 })
+    if (!isInvitee) {
+      const hasAdminAccess = await hasWorkspaceAdminAccess(session.user.id, invitation.workspaceId)
+      if (!hasAdminAccess) {
+        return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 })
+      }
     }
 
     return NextResponse.json({

Original file line number	Diff line number	Diff line change
`@@ -199,10 +199,12 @@ export async function GET(`
`199`	`199`	`}`
`200`	`200`
`201`	`201`	`const isInvitee = session.user.email?.toLowerCase() === invitation.email.toLowerCase()`
`202`		`- const hasAdminAccess = await hasWorkspaceAdminAccess(session.user.id, invitation.workspaceId)`
`203`	`202`
`204`		`- if (!isInvitee && !hasAdminAccess) {`
`205`		`- return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 })`
	`203`	`+ if (!isInvitee) {`
	`204`	`+ const hasAdminAccess = await hasWorkspaceAdminAccess(session.user.id, invitation.workspaceId)`
	`205`	`+ if (!hasAdminAccess) {`
	`206`	`+ return NextResponse.json({ error: 'Insufficient permissions' }, { status: 403 })`
	`207`	`+ }`
`206`	`208`	`}`
`207`	`209`
`208`	`210`	`return NextResponse.json({`