sagemathinc
diff --git a/‎src/packages/server/projects/collab.ts‎
Lines changed: 46 additions & 2 deletions b/‎src/packages/server/projects/collab.ts‎
Lines changed: 46 additions & 2 deletions
diff --git a/‎src/packages/server/projects/collaborators-ownership.test.ts‎
Lines changed: 250 additions & 0 deletions b/‎src/packages/server/projects/collaborators-ownership.test.ts‎
Lines changed: 250 additions & 0 deletions
@@ -1,5 +1,5 @@
 /*
- *  This file is part of CoCalc: Copyright © 2020 Sagemath, Inc.
+ *  This file is part of CoCalc: Copyright © 2020 - 2025 Sagemath, Inc.
  *  License: MS-RSL – see LICENSE.md for details
  */
 
@@ -8,6 +8,10 @@ import { is_array, is_valid_uuid_string } from "@cocalc/util/misc";
 import { callback2 } from "@cocalc/util/async-utils";
 import isSandbox from "@cocalc/server/projects/is-sandbox";
 import idleSandboxUsers from "@cocalc/server/projects/idle-sandbox-users";
+import {
+  ensureCanManageCollaborators,
+  ensureCanRemoveUser,
+} from "./ownership-checks";
 
 const GROUPS = ["owner", "collaborator"] as const;
 
@@ -40,6 +44,19 @@ export async function add_collaborators_to_projects(
     Also, the input is uuid's, which typescript can't check. */
   verify_types(account_id, accounts, projects);
 
+  // Check strict_collaborator_management setting before database changes
+  // Only check if not using tokens (tokens have their own permission system)
+  if (!tokens) {
+    for (const project_id of new Set(projects)) {
+      if (!project_id) continue; // skip empty strings
+      await ensureCanManageCollaborators({
+        project_id,
+        account_id,
+        db,
+      });
+    }
+  }
+
   // We now know that account_id is allowed to add users to all of the projects,
   // *OR* at that there are valid tokens to permit adding users.
 
@@ -71,7 +88,7 @@ export async function remove_collaborators_from_projects(
   db: PostgreSQL,
   account_id: string,
   accounts: string[],
-  projects: string[], // can be empty strings if tokens specified (since they determine project_id)
+  projects: string[],
 ): Promise<void> {
   try {
     // Ensure user is allowed to modify project(s)
@@ -92,6 +109,33 @@ export async function remove_collaborators_from_projects(
     Also, the input is uuid's, which typescript can't check. */
   verify_types(account_id, accounts, projects);
 
+  // Check strict_collaborator_management setting before database changes
+  // Skip check if the user is only removing themselves
+  const is_self_remove_only =
+    accounts.length === 1 && accounts[0] === account_id;
+  if (!is_self_remove_only) {
+    for (const project_id of new Set(projects)) {
+      if (!project_id) continue; // skip empty strings
+      await ensureCanManageCollaborators({
+        project_id,
+        account_id,
+        db,
+      });
+    }
+  }
+
+  // CRITICAL: Verify that no target users are owners
+  // Owners must be demoted to collaborator first, then removed
+  for (const i in projects) {
+    const project_id: string = projects[i];
+    const target_account_id: string = accounts[i];
+    await ensureCanRemoveUser({
+      project_id,
+      target_account_id,
+      db,
+    });
+  }
+
   // Remove users from projects
   //
   for (const i in projects) {
 
@@ -16,6 +16,10 @@ import {
   inviteCollaboratorWithoutAccount,
   removeCollaborator,
 } from "@cocalc/server/projects/collaborators";
+import {
+  add_collaborators_to_projects,
+  remove_collaborators_from_projects,
+} from "@cocalc/server/projects/collab";
 import {
   resetServerSettingsCache,
   getServerSettings,
@@ -320,3 +324,249 @@ describe("invite permissions", () => {
     ).rejects.toMatchObject({ code: OwnershipErrorCode.NOT_OWNER });
   });
 });
+
+describe("REST API level protection (collab.ts functions)", () => {
+  test("add_collaborators_to_projects bypasses check when using tokens", async () => {
+    const { projectId } = await createProjectWithOwner();
+    const outsideUserId = await createUser("outsider");
+
+    // Create a project invite token
+    const { rows } = await getPool().query(
+      "INSERT INTO project_invite_tokens (token, project_id, usage_limit) VALUES ($1, $2, $3) RETURNING token",
+      ["test-token-123", projectId, 10],
+    );
+    const token = rows[0].token;
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Outside user should be able to add themselves using a token
+    // even though they're not a collaborator or owner
+    await expect(
+      add_collaborators_to_projects(
+        db(),
+        outsideUserId,
+        [outsideUserId],
+        [""], // empty project_id because token determines the project
+        [token],
+      ),
+    ).resolves.toBeUndefined();
+
+    // Verify the user was actually added
+    const { rows: projectRows } = await getPool().query(
+      "SELECT users FROM projects WHERE project_id=$1",
+      [projectId],
+    );
+    expect(projectRows[0].users[outsideUserId]).toBeDefined();
+  });
+
+  test("add_collaborators_to_projects enforces strict_collaborator_management site setting", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaboratorId = await createUser("collab");
+    const newCollabId = await createUser("newcollab");
+
+    // Add first collaborator as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaboratorId],
+      [projectId],
+    );
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Collaborator should not be able to add another user
+    await expect(
+      add_collaborators_to_projects(
+        db(),
+        collaboratorId,
+        [newCollabId],
+        [projectId],
+      ),
+    ).rejects.toThrow("Only owners can manage collaborators");
+  });
+
+  test("add_collaborators_to_projects enforces project-level manage_users_owner_only", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaboratorId = await createUser("collab");
+    const newCollabId = await createUser("newcollab");
+
+    // Add first collaborator as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaboratorId],
+      [projectId],
+    );
+
+    // Enable project-level strict management
+    await getPool().query(
+      "UPDATE projects SET manage_users_owner_only=$1 WHERE project_id=$2",
+      [true, projectId],
+    );
+
+    // Collaborator should not be able to add another user
+    await expect(
+      add_collaborators_to_projects(
+        db(),
+        collaboratorId,
+        [newCollabId],
+        [projectId],
+      ),
+    ).rejects.toThrow("Only owners can manage collaborators");
+  });
+
+  test("remove_collaborators_from_projects enforces strict_collaborator_management site setting", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaborator1Id = await createUser("collab1");
+    const collaborator2Id = await createUser("collab2");
+
+    // Add collaborators as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaborator1Id, collaborator2Id],
+      [projectId, projectId],
+    );
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Collaborator should not be able to remove another collaborator
+    await expect(
+      remove_collaborators_from_projects(
+        db(),
+        collaborator1Id,
+        [collaborator2Id],
+        [projectId],
+      ),
+    ).rejects.toThrow("Only owners can manage collaborators");
+  });
+
+  test("remove_collaborators_from_projects allows self-removal even with strict_collaborator_management", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaboratorId = await createUser("collab");
+
+    // Add collaborator as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaboratorId],
+      [projectId],
+    );
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Collaborator should be able to remove themselves
+    await expect(
+      remove_collaborators_from_projects(
+        db(),
+        collaboratorId,
+        [collaboratorId],
+        [projectId],
+      ),
+    ).resolves.toBeUndefined();
+  });
+
+  test("remove_collaborators_from_projects enforces project-level manage_users_owner_only", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaborator1Id = await createUser("collab1");
+    const collaborator2Id = await createUser("collab2");
+
+    // Add collaborators as owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaborator1Id, collaborator2Id],
+      [projectId, projectId],
+    );
+
+    // Enable project-level strict management
+    await getPool().query(
+      "UPDATE projects SET manage_users_owner_only=$1 WHERE project_id=$2",
+      [true, projectId],
+    );
+
+    // Collaborator should not be able to remove another collaborator
+    await expect(
+      remove_collaborators_from_projects(
+        db(),
+        collaborator1Id,
+        [collaborator2Id],
+        [projectId],
+      ),
+    ).rejects.toThrow("Only owners can manage collaborators");
+  });
+
+  test("add_collaborators_to_projects allows owners to add when strict management is enabled", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const newCollabId = await createUser("newcollab");
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Owner should be able to add a collaborator
+    await expect(
+      add_collaborators_to_projects(db(), ownerId, [newCollabId], [projectId]),
+    ).resolves.toBeUndefined();
+  });
+
+  test("remove_collaborators_from_projects allows owners to remove when strict management is enabled", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const collaboratorId = await createUser("collab");
+
+    // Add collaborator
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [collaboratorId],
+      [projectId],
+    );
+
+    // Enable site-wide strict collaborator management
+    await setSiteStrictCollab("yes");
+
+    // Owner should be able to remove a collaborator
+    await expect(
+      remove_collaborators_from_projects(
+        db(),
+        ownerId,
+        [collaboratorId],
+        [projectId],
+      ),
+    ).resolves.toBeUndefined();
+  });
+
+  test("remove_collaborators_from_projects blocks removing owners", async () => {
+    const { ownerId, projectId } = await createProjectWithOwner();
+    const secondOwnerId = await createUser("owner2");
+
+    // Add second owner
+    await add_collaborators_to_projects(
+      db(),
+      ownerId,
+      [secondOwnerId],
+      [projectId],
+    );
+    await changeUserType({
+      account_id: ownerId,
+      opts: {
+        project_id: projectId,
+        target_account_id: secondOwnerId,
+        new_group: "owner",
+      },
+    });
+
+    // Even the first owner should not be able to directly remove the second owner -- owners have to demote to collaborator first
+    await expect(
+      remove_collaborators_from_projects(
+        db(),
+        ownerId,
+        [secondOwnerId],
+        [projectId],
+      ),
+    ).rejects.toThrow("Cannot remove an owner");
+  });
+});