Business Logic Bypass Allows Setting “Read Access” Role Without Pro Plan Subscription
Medium
Vulnerability Details
## Summary:
A business logic flaw allows a user on the free plan to generate an invitation link that assigns the Read Access (`read`, shown in the UI as `View access`) role, even though this role is intended to be restricted to users with a Pro Plan subscription. By intercepting and modifying the invite-creation request, an attacker can create an invite link that grants this restricted role without holding the required paid subscription.
## Steps To Reproduce:
1. Create two accounts: one for the project owner and one for the user who will be invited to the project.
2. From the owner account, create a project.
3. Choose any template, click the `Use template` button, name your project, and click the `Remix` button.
4. Open the created project; you will find it in the `Projects` section.
5. Click `Share` in the top right corner and notice that the invite-link dialog states you must be on the Pro plan to change the access level to `View access`.
6. In the invite-link settings, click `Disabled`.
7. With your proxy intercept turned on, switch the access back to `Edit access`.
8. An `OPTIONS` (CORS preflight) request to the projects endpoint is issued first. Forward it and wait for the `POST` request.
9. In the `POST` body, change the `access_level` parameter from `write` to `read`, then intercept the response.
10. Notice that the `read` permission is reflected in the response without any error. Go back to your project, refresh the page, and click `Share`: the access level now shows `View access` even though you are on the free plan.
11. Copy the invite link, open it from the second account, and accept the invitation to the project. Then click `Share` -> `People you invited`, and you will find that the second account has gained access with the `viewer` permission.
Example of the request in which the access level can be modified:
```http
POST /projects/Project-ID/magic-codes HTTP/2
Host: api.lovable.dev
Cookie: [Your-Cookie]
User-Agent: []
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://lovable.dev/
Authorization: Bearer [Your-Authorization-Header]
Content-Type: application/json
Content-Length: 23
Origin: https://lovable.dev
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Priority: u=0
Te: trailers

{"access_level":"read"}
```
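The root cause in the steps above is that the plan restriction lives only in the UI (the `View access` option is greyed out), while the API persists whatever `access_level` the client sends. The following Python model is an added example, not Lovable's code: it reproduces the flawed handler beside a hardened one that derives the allowed roles from the owner's plan on the server, and re-checks entitlement when the link is redeemed. The plan names (`free`, `pro`), the entitlement table, the handler shape and the `redeem_magic_code` step are assumptions, not behaviour documented in the report.

```python
"""Plan-gated invite creation: the missing server-side check, modelled in Python.

Added example (not the platform's own code). Plan names, the entitlement
table and the handler signatures are assumptions based on the request shown
in the report; only the "write"/"read" values and the endpoint semantics come
from the report itself.
"""
from dataclasses import dataclass
from typing import Dict, Set

# Hypothetical entitlement table: which invite roles each plan may hand out.
# "write" (Edit access) is available to everyone; "read" (View access) is
# Pro-only according to the UI described in the report.
PLAN_ALLOWED_ACCESS_LEVELS: Dict[str, Set[str]] = {
    "free": {"write"},
    "pro": {"write", "read"},
}
VALID_ACCESS_LEVELS = {"write", "read"}


@dataclass
class User:
    user_id: str
    plan: str  # looked up from the backend subscription record, never from the client


@dataclass
class Project:
    project_id: str
    owner_id: str


@dataclass
class MagicCode:
    project_id: str
    access_level: str


class Forbidden(Exception):
    """Caller is not entitled to the requested role (would map to HTTP 403)."""


def _common_checks(project: Project, caller: User, body: dict) -> str:
    """Input validation and ownership check shared by both handler variants."""
    level = body.get("access_level")
    if level not in VALID_ACCESS_LEVELS:
        raise ValueError("unknown access_level")
    if project.owner_id != caller.user_id:
        raise Forbidden("only the project owner can create invites")
    return level


def create_magic_code_vulnerable(project: Project, caller: User, body: dict) -> MagicCode:
    """Mirrors the reported behaviour: the value set is validated, the caller's
    plan is not, so a tampered body with "read" is accepted for a free owner."""
    level = _common_checks(project, caller, body)
    return MagicCode(project.project_id, level)


def create_magic_code_hardened(project: Project, caller: User, body: dict) -> MagicCode:
    """Same endpoint with the plan check enforced server-side: allowed roles are
    derived from the owner's plan, so the UI restriction can no longer be bypassed."""
    level = _common_checks(project, caller, body)
    allowed = PLAN_ALLOWED_ACCESS_LEVELS.get(caller.plan, set())
    if level not in allowed:
        raise Forbidden(f"access_level {level!r} is not included in plan {caller.plan!r}")
    return MagicCode(project.project_id, level)


def redeem_magic_code(code: MagicCode, owner: User) -> str:
    """Defence in depth: re-check entitlement when the link is used, so a code
    minted through a bypass (or before a plan downgrade) cannot grant a role the
    owner's current plan does not include."""
    if code.access_level not in PLAN_ALLOWED_ACCESS_LEVELS.get(owner.plan, set()):
        raise Forbidden("invite role is not allowed by the owner's current plan")
    return code.access_level


def demo() -> dict:
    """Replays the tampered body from the report against both handlers."""
    free_owner = User("owner-free", "free")
    project = Project("Project-ID", free_owner.user_id)
    tampered_body = {"access_level": "read"}  # the modified POST body from step 9

    result = {}
    bypassed = create_magic_code_vulnerable(project, free_owner, tampered_body)
    result["vulnerable"] = bypassed.access_level
    try:
        create_magic_code_hardened(project, free_owner, tampered_body)
        result["hardened"] = "accepted"
    except Forbidden:
        result["hardened"] = "rejected"
    try:
        redeem_magic_code(bypassed, free_owner)
        result["redeem_bypassed_code"] = "accepted"
    except Forbidden:
        result["redeem_bypassed_code"] = "rejected"

    pro_owner = User("owner-pro", "pro")
    pro_project = Project("Project-2", pro_owner.user_id)
    result["pro_hardened"] = create_magic_code_hardened(pro_owner and pro_project, pro_owner, tampered_body).access_level
    return result


if __name__ == "__main__":
    print(demo())
```

The fix is not "hide the option harder" in the front end: any client can issue the `POST` directly, so the entitlement lookup has to happen where the invite is persisted, and ideally again when it is redeemed.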
## Impact
This vulnerability allows users to bypass the platform's subscription restrictions and use a paid feature without paying: a free-plan user can hand out the `read` (View access) role that should be available only to Pro Plan users, leading to unauthorized use of paid functionality and potential revenue loss for the platform.
From a security perspective this primarily affects integrity and business-logic enforcement, since the API trusts the client-supplied `access_level` and does not validate it against the project owner's plan.
Report Stats
- Report ID: 3591764
- State: Closed
- Substate: resolved