Delete all invitations when removing a user from a project

Signed-off-by: Radoslav Dimitrov <[email protected]>

database/query/invitations.sql

@@ -64,3 +64,10 @@ DELETE FROM user_invites WHERE code = $1 RETURNING *;
 
 -- name: UpdateInvitationRole :one
 UPDATE user_invites SET role = $2, updated_at = NOW() WHERE code = $1 RETURNING *;
+
+
+-- DeleteInvitationsBySponsor deletes all invitations by a sponsor. This is intended
+-- to be called by a user who has decided to revoke all invitations they have issued.
+
+-- name: DeleteInvitationsBySponsor :many
+DELETE FROM user_invites WHERE sponsor = $1 RETURNING *;

internal/controlplane/handlers_authz.go

@@ -604,7 +604,8 @@ func (s *Server) removeRole(
 	}
 
 	// Verify if user exists
-	if _, err := s.store.GetUserBySubject(ctx, identity.String()); err != nil {
+	userToRemove, err := s.store.GetUserBySubject(ctx, identity.String())
+	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return nil, util.UserVisibleError(codes.NotFound, "User not found")
 		}
@@ -631,6 +632,20 @@ func (s *Server) removeRole(
 		}
 	}
 
+	// In case this user is a sponsor of an invitation, we need to remove the invitation
+	deletedInvites, err := s.store.DeleteInvitationsBySponsor(ctx, userToRemove.ID)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "error deleting invitations: %v", err)
+	}
+
+	if len(deletedInvites) > 0 {
+		zerolog.Ctx(ctx).Info().
+			Int("invites_deleted", len(deletedInvites)).
+			Str("sponsor_subject", userToRemove.IdentitySubject).
+			Int32("sponsor", userToRemove.ID).
+			Msg("deleted pending invitations from sponsor")
+	}
+
 	// Delete the role assignment
 	if err := s.authzClient.Delete(ctx, identity.String(), roleToRemove, targetProject); err != nil {
 		return nil, status.Errorf(codes.Internal, "error writing role assignment: %v", err)