fix vulnerabilities

app/controllers/admin/invitations_controller.rb

@@ -44,6 +44,12 @@ class Admin::InvitationsController < Admin::BaseController
   private
 
   def invitation_params
-    params.require(:user).permit(:email, :name, :role, :primary_language)
+    permitted = params.require(:user).permit(:email, :name, :primary_language)
+
+    if params[:user][:role].present? && User.roles.key?(params[:user][:role])
+      permitted[:role] = params[:user][:role]
+    end
+
+    permitted
   end
 end

app/controllers/admin/users_controller.rb

@@ -3,14 +3,20 @@ class Admin::UsersController < Admin::BaseController
 
   def index
     @users = User.order(created_at: :desc)
-    @users = @users.where(role: params[:role]) if params[:role].present?
-    @users = @users.where("email LIKE ?", "%#{params[:q]}%") if params[:q].present?
+                 .by_role(params[:role])
+                 .search_email(params[:q])
   end
 
   def edit
   end
 
   def update
+    # Prevent users from modifying their own role
+    if @user == current_user && user_params[:role].present?
+      redirect_to admin_users_path, alert: "You cannot modify your own role."
+      return
+    end
+
     if @user.update(user_params)
       redirect_to admin_users_path, notice: "User updated successfully."
     else
@@ -40,6 +46,13 @@ class Admin::UsersController < Admin::BaseController
   end
 
   def user_params
-    params.require(:user).permit(:name, :email, :role, :primary_language)
+    permitted = params.require(:user).permit(:name, :email, :primary_language)
+
+    # Only allow role if it's a valid role enum value
+    if params[:user][:role].present? && User.roles.key?(params[:user][:role])
+      permitted[:role] = params[:user][:role]
+    end
+
+    permitted
   end
 end