rhino-rails 4.0.1 → 4.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 547b86334ce61b25d13d6dccaa977a5821b8bdb3b275a5fb13a8b5b62d1cd0ee
-  data.tar.gz: 35f4ffa23101a49ab7c1403abd51aa15a2f1f57ff1c437000e49e394b6d1b8c0
+  metadata.gz: c15dd271d0b613f2effa9bb7c8d050b3214c74884e3021461150017f0f159af6
+  data.tar.gz: 5b4e5dcb736acc54674ad24e9d689cd93582e7ba0195554ef99e7735f2c33050
 SHA512:
-  metadata.gz: 68dc8254b5a402eb13ca75a7a2d3b2919aef8e1bd6f5f2ffdae273ff5bad6eb69dc34a4aa3ee5bf6c20cd66dc1cdff5b301d1989c54c2101ae4eb4b8b042caae
-  data.tar.gz: aae80fedc9b6b03cc433204487b0f03fb6bffeed9805aea056cad1f74398f707882c02e9a434f88cce16618ec83c6b5a617c11d1c00230b45c5edfbc0a8aee23
+  metadata.gz: 93c2de702533d23edcfe6b334aa0ffaf0f327efe6518a8c608e8072b4fe27862430d6591a651e730f198f9e9e8cf39456005464490a12137dadce641613ef268
+  data.tar.gz: 7fe767badf982f99dd3fca7b72c441929ee0eb336b72b117ed4a5296cdcaafacda6582a338025e6e611f1a0e87117d6d906469c8b01abc9339109d9da32c711a

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Rhino
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/lib/rhino/auth_hooks.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Rhino
+  # Base class for per-group auth lifecycle hooks. A group's optional `hooks:`
+  # class may subclass this (or simply respond to the event methods) and
+  # override any of the events; each defaults to a no-op.
+  #
+  # Each event receives the affected user and a context hash:
+  #   { user:, route_group:, organization:, token:, request: }
+  #
+  # A hook rejects an action by raising Rhino::AuthRejected (optionally with a
+  # status). For token-issuing actions (login/register) the controller revokes
+  # the just-issued token and returns the status; for the others it returns the
+  # status without side effects.
+  #
+  # See GROUP_AUTH_DESIGN.md §7.
+  class AuthHooks
+    def after_login(user, context = {}); end
+
+    def after_logout(user, context = {}); end
+
+    def after_register(user, context = {}); end
+
+    def after_password_recover(user, context = {}); end
+
+    def after_password_reset(user, context = {}); end
+  end
+end

data/lib/rhino/auth_rejected.rb

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Rhino
+  # Raised by a lifecycle hook (or membership enforcement) to reject an auth
+  # action. Carries an HTTP status (default 403) and a message. For
+  # token-issuing actions (login/register) the controller revokes the
+  # just-issued token before returning the status.
+  #
+  # See GROUP_AUTH_DESIGN.md §7.
+  class AuthRejected < StandardError
+    attr_reader :status
+
+    def initialize(message = "Forbidden", status: 403)
+      @status = status
+      super(message)
+    end
+  end
+end

data/lib/rhino/blueprint/sorter.rb

@@ -0,0 +1,118 @@
+# frozen_string_literal: true
+
+module Rhino
+  module Blueprint
+    # Orders blueprints so that a referenced model's table is created before any
+    # model whose migration adds a foreign key to it (parents before children).
+    #
+    # Foreign keys are taken from +foreignId+ columns that carry a +foreign_model+
+    # mapping to another model in the same generation set. References that impose
+    # no ordering are ignored:
+    #   - self-references (a model's FK to its own table — one migration),
+    #   - references to models NOT in this set (e.g. Organization/User, whose
+    #     tables are created by +rhino:install+, not the blueprint run).
+    #
+    # Uses Kahn's algorithm with a stable tie-break: among models with no
+    # remaining unmet dependency, the one earliest in the input order wins. The
+    # input is already alphabetical (by file name), so the output stays
+    # alphabetical wherever relationships don't force a reorder.
+    #
+    # A circular FK dependency (A -> B -> A) has no linear migration order. Such
+    # models are emitted in a deterministic best-effort order and reported via
+    # {#cycles} so the caller can warn (one side should be a nullable/deferred FK).
+    class Sorter
+      # Model names involved in a circular foreign-key dependency during the last
+      # {#sort} (empty when the dependency graph is acyclic).
+      attr_reader :cycles
+
+      def initialize
+        @cycles = []
+      end
+
+      # Re-order blueprints into a valid migration sequence (parents first).
+      #
+      # @param blueprints [Array<Hash>] normalized blueprints (each with a
+      #   +:model+ name and +:columns+).
+      # @return [Array<Hash>] the blueprints, re-ordered.
+      def sort(blueprints)
+        @cycles = []
+        return blueprints.dup if blueprints.length < 2
+
+        by_model = {}
+        blueprints.each do |bp|
+          model = bp[:model]
+          by_model[model] ||= bp if model
+        end
+
+        dependents = {}
+        indegree = {}
+        by_model.each_key do |m|
+          dependents[m] = []
+          indegree[m] = 0
+        end
+
+        by_model.each do |model, bp|
+          seen = {}
+          dependency_models(bp).each do |ref|
+            next if ref == model || !by_model.key?(ref) || seen[ref]
+
+            seen[ref] = true
+            dependents[ref] << model
+            indegree[model] += 1
+          end
+        end
+
+        input_order = by_model.keys
+
+        # Record the models that actually participate in a cycle (reachable from
+        # themselves), in input order, so the caller can warn about the full cycle.
+        input_order.each do |model|
+          @cycles << model if reachable_from_self?(model, dependents)
+        end
+
+        ordered = []
+        resolved = {}
+        while ordered.length < by_model.length
+          # Earliest-input model with all dependencies already emitted...
+          pick = input_order.find { |m| !resolved[m] && indegree[m].zero? }
+          # ...or, when a cycle blocks the graph, the earliest unresolved model
+          # (deterministic cycle-break; the cycle itself is reported via #cycles).
+          pick ||= input_order.find { |m| !resolved[m] }
+
+          ordered << by_model[pick]
+          resolved[pick] = true
+          dependents[pick].each { |child| indegree[child] -= 1 }
+        end
+
+        ordered
+      end
+
+      private
+
+      # Whether +start+ can reach itself by following dependency edges — i.e. it
+      # participates in a circular foreign-key dependency. +adj+ maps a model to
+      # the models that reference it (its dependents).
+      def reachable_from_self?(start, adj)
+        stack = (adj[start] || []).dup
+        visited = {}
+        until stack.empty?
+          node = stack.pop
+          return true if node == start
+          next if visited[node]
+
+          visited[node] = true
+          (adj[node] || []).each { |n| stack << n }
+        end
+        false
+      end
+
+      # The model names this blueprint's migration adds foreign keys to, taken
+      # from its +foreignId+ columns that carry a +foreign_model+.
+      def dependency_models(blueprint)
+        (blueprint[:columns] || [])
+          .select { |c| c[:type] == "foreignId" && c[:foreign_model] }
+          .map { |c| c[:foreign_model] }
+      end
+    end
+  end
+end

data/lib/rhino/commands/blueprint_command.rb

@@ -4,6 +4,7 @@ require "rhino/commands/base_command"
 require "fileutils"
 require "rhino/blueprint/blueprint_parser"
 require "rhino/blueprint/blueprint_validator"
+require "rhino/blueprint/sorter"
 require "rhino/blueprint/manifest_manager"
 require "rhino/blueprint/generators/policy_generator"
 require "rhino/blueprint/generators/test_generator"
@@ -85,6 +86,27 @@ module Rhino
 
         say "  Found #{yaml_files.length} blueprint(s)", :cyan
 
+        # Order so a referenced model's table is migrated before any model that
+        # foreign-keys to it (parents before children). Migration timestamps are
+        # assigned in iteration order, so this is what makes the set runnable.
+        parsed_for_order = []
+        unparseable = []
+        yaml_files.each do |f|
+          parsed_for_order << { file: f, blueprint: parser.parse_model(f) }
+        rescue StandardError
+          unparseable << f
+        end
+        sorter = Rhino::Blueprint::Sorter.new
+        ordered = sorter.sort(parsed_for_order.map { |p| p[:blueprint] })
+        file_by_model = parsed_for_order.each_with_object({}) do |p, h|
+          h[p[:blueprint][:model]] ||= p[:file]
+        end
+        yaml_files = ordered.map { |bp| file_by_model[bp[:model]] }.compact + unparseable
+        if sorter.cycles.any?
+          say "  ⚠ Circular foreign-key dependency among: #{sorter.cycles.join(', ')}. " \
+              "Migration order is best-effort — make one side nullable or add the FK in a later migration.", :yellow
+        end
+
         # 3. Process each blueprint
         is_multi_tenant = multi_tenant_enabled?
         org_identifier = detect_org_identifier

data/lib/rhino/concerns/has_permissions.rb

@@ -35,9 +35,28 @@ module Rhino
     # @param permission [String] Permission string like 'posts.index'
     # @param organization [Object, nil] Organization to check permissions for
     # @return [Boolean]
-    def has_permission?(permission, organization = nil)
+    def has_permission?(permission, organization = nil, route_group: nil)
       return false if permission.blank?
 
+      # Group-aware permission resolution (GROUP_AUTH_DESIGN.md §6). Only active
+      # when enforce_group_membership is on. Permissions then resolve from the
+      # membership row matching (route_group, organization), not the heuristic.
+      if group_membership_enforced?
+        membership = Rhino::GroupMembership.matching_membership(self, route_group, organization)
+        return false unless membership
+
+        ur_permissions = parse_permissions(membership.respond_to?(:permissions) ? membership.permissions : nil)
+        return matches_permission?(permission, ur_permissions) if ur_permissions.present?
+
+        role = membership.respond_to?(:role) ? membership.role : nil
+        if role
+          role_permissions = parse_permissions(role.respond_to?(:permissions) ? role.permissions : nil)
+          return matches_permission?(permission, role_permissions) if role_permissions.present?
+        end
+
+        return false
+      end
+
       if organization
         # Tenant route group: check permissions for this organization
         user_role = find_user_role(organization)
@@ -113,5 +132,9 @@ module Rhino
 
       user_roles.find_by(organization_id: organization.id)
     end
+
+    def group_membership_enforced?
+      Rhino.config.respond_to?(:enforce_group_membership?) && Rhino.config.enforce_group_membership?
+    end
   end
 end

data/lib/rhino/configuration.rb

@@ -4,6 +4,7 @@ module Rhino
   class Configuration
     attr_accessor :models, :route_groups, :multi_tenant, :invitations, :nested, :test_framework,
                   :client_path, :mobile_path
+    attr_reader :auth
 
     def initialize
       @models = {}
@@ -20,11 +21,26 @@ module Rhino
         max_operations: 50,
         allowed_models: nil
       }
+      @auth = {
+        enforce_group_membership: false
+      }
       @test_framework = "rspec"
       @client_path = nil
       @mobile_path = nil
     end
 
+    # Auth configuration accessor. Merges supplied keys over defaults so a host
+    # app can set just `enforce_group_membership` without losing future keys.
+    def auth=(value)
+      @auth = { enforce_group_membership: false }.merge((value || {}).symbolize_keys)
+    end
+
+    # Master flag (default off). When off, behavior is byte-for-byte today's:
+    # no group-membership enforcement.
+    def enforce_group_membership?
+      !!@auth[:enforce_group_membership]
+    end
+
     # Register a model with its slug
     # Usage: config.model :posts, 'Post'
     def model(slug, klass_name)
@@ -33,11 +49,24 @@ module Rhino
 
     # Register a route group with its configuration
     # Usage: config.route_group :tenant, prefix: ':organization', middleware: [Rhino::Middleware::ResolveOrganizationFromRoute], models: :all
-    def route_group(name, prefix: "", middleware: [], models: :all)
+    #
+    # The optional `domain:` keyword constrains the group's routes to a specific
+    # host. Two groups can then share the same `prefix:` but live on different
+    # domains. A parameterized domain such as "{organization}.example.com"
+    # captures the subdomain and feeds organization resolution exactly like the
+    # path-prefix ":organization" does. Groups without a domain (nil/blank)
+    # match any host (default, fully backward compatible).
+    def route_group(name, prefix: "", domain: nil, middleware: [], models: :all, auth: false, hooks: nil)
+      normalized_domain = domain.to_s.strip
+      normalized_domain = nil if normalized_domain.empty?
+
       @route_groups[name.to_sym] = {
         prefix: prefix.to_s,
+        domain: normalized_domain,
         middleware: Array(middleware),
-        models: models
+        models: models,
+        auth: !!auth,
+        hooks: hooks
       }
     end
 
@@ -97,5 +126,69 @@ module Rhino
     def model_in_group?(slug, group_name)
       models_for_group(group_name).include?(slug.to_sym)
     end
+
+    # ------------------------------------------------------------------
+    # Group-aware auth helpers (see GROUP_AUTH_DESIGN.md §5/§7)
+    # ------------------------------------------------------------------
+
+    # Whether a group has per-group auth routes enabled (`auth: true`).
+    # The `public` group is never auth-enabled.
+    def group_auth_enabled?(group_name)
+      return false if group_name.to_s == "public"
+
+      group = @route_groups[group_name.to_sym]
+      !!(group && group[:auth])
+    end
+
+    # Names of all groups (except :public) that opted into per-group auth.
+    def auth_enabled_groups
+      @route_groups.keys.reject { |name| name.to_s == "public" }
+                   .select { |name| group_auth_enabled?(name) }
+    end
+
+    # Names of auth-enabled groups that have an empty prefix AND no domain, i.e.
+    # groups whose auth routes would be byte-for-byte identical to the legacy
+    # unprefixed /api/auth/* set (GROUP_AUTH_DESIGN.md §11.1). Such a group IS
+    # the default/legacy auth: the legacy routes adopt its route_group/hooks
+    # instead of registering a colliding second set. Two or more is a conflict
+    # (raised by the route-group validator).
+    def auth_enabled_legacy_groups
+      auth_enabled_groups.select do |name|
+        group = @route_groups[name.to_sym]
+        prefix = group[:prefix].to_s
+        domain = group[:domain]
+        prefix.empty? && (domain.nil? || domain.to_s.strip.empty?)
+      end
+    end
+
+    # Resolve the configured lifecycle-hooks class for a group, instantiated.
+    # Returns nil when the group has no hooks configured. Accepts a class, a
+    # class name string, or an instance.
+    def hooks_for_group(group_name)
+      return nil if group_name.nil?
+
+      group = @route_groups[group_name.to_sym]
+      return nil unless group
+
+      hooks = group[:hooks]
+      return nil if hooks.nil?
+
+      case hooks
+      when String
+        klass = hooks.safe_constantize
+        klass&.new
+      when Class
+        hooks.new
+      else
+        hooks
+      end
+    end
+
+    # Whether a group is a tenant group (organization-scoped). Only the
+    # reserved `:tenant` group is treated as a tenant group, matching
+    # has_tenant_group?.
+    def group_is_tenant?(group_name)
+      group_name.to_s == "tenant"
+    end
   end
 end

data/lib/rhino/controllers/auth_controller.rb

@@ -30,6 +30,12 @@ module Rhino
         return render json: { message: "Invalid credentials" }, status: :unauthorized
       end
 
+      # Group membership is a coarse access gate (GROUP_AUTH_DESIGN.md §6).
+      # Gated entirely by the enforce_group_membership flag; off = unchanged.
+      if membership_enforced? && !group_member?(user)
+        return render json: { message: "You are not a member of this group" }, status: :forbidden
+      end
+
       token = generate_api_token(user)
 
       # Get the first organization the user belongs to
@@ -39,6 +45,10 @@ module Rhino
         organization_slug = first_org&.slug
       end
 
+      # Lifecycle hook (GROUP_AUTH_DESIGN.md §7). A reject revokes the token.
+      hook_response = run_hook(:after_login, user, token: token, revoke_on_reject: true)
+      return if hook_response
+
       render json: {
         token: token,
         organization_slug: organization_slug
@@ -55,6 +65,10 @@ module Rhino
         user.update_column(:api_token, SecureRandom.hex(32))
       end
 
+      # Token is already gone; a rejecting hook only changes the status code.
+      hook_response = run_hook(:after_logout, user, revoke_on_reject: false)
+      return if hook_response
+
       render json: { message: "Logged out successfully" }, status: :ok
     end
 
@@ -83,9 +97,18 @@ module Rhino
         # Send email via mailer if available
         mailer_class = "Rhino::PasswordRecoveryMailer".safe_constantize
         mailer_class&.recover(user, token)&.deliver_later
+
+        # Lifecycle hook fires only when a user actually exists, and its
+        # rejection is SWALLOWED here. recover_password must be an enumeration
+        # oracle-free endpoint: a rejecting hook would otherwise return a 403
+        # only for existing emails, letting a caller distinguish real accounts
+        # from fake ones. The hook still runs for its side effects (e.g.
+        # auditing, throttling), but its reject never changes the response.
+        run_hook(:after_password_recover, user, revoke_on_reject: false, swallow_reject: true)
       end
 
-      # Always return success to prevent email enumeration
+      # Always return the same response (existing OR non-existing email) to
+      # prevent email enumeration — this is the documented contract.
       render json: { message: "Password recovery email sent." }, status: :ok
     end
 
@@ -132,6 +155,9 @@ module Rhino
       user.reset_password_sent_at = nil
       user.save!
 
+      hook_response = run_hook(:after_password_reset, user, revoke_on_reject: false)
+      return if hook_response
+
       render json: { message: "Password has been reset." }, status: :ok
     end
 
@@ -184,7 +210,7 @@ module Rhino
         password: params[:password]
       )
 
-      # Accept invitation (adds user to organization)
+      # Accept invitation (adds user to organization, carrying its route_group)
       invitation.accept!(user)
 
       # Generate token
@@ -194,6 +220,15 @@ module Rhino
       organization = invitation.organization
       organization_slug = organization&.slug
 
+      # Lifecycle hook for the group the invitee joined (from the invitation).
+      invite_group = invitation.respond_to?(:route_group) ? invitation.route_group : nil
+      hook_response = run_hook(
+        :after_register, user,
+        token: token, revoke_on_reject: true,
+        group_override: invite_group, organization_override: organization
+      )
+      return if hook_response
+
       render json: {
         message: "Registration successful",
         token: token,
@@ -204,6 +239,87 @@ module Rhino
 
     private
 
+    # ------------------------------------------------------------------
+    # Group-aware auth (GROUP_AUTH_DESIGN.md §5/§6/§7)
+    # ------------------------------------------------------------------
+
+    # The route_group resolved from the matched route's defaults. nil for the
+    # legacy unprefixed auth routes with no :default group.
+    def current_route_group
+      params[:route_group].presence
+    end
+
+    # Resolve the organization for group-aware auth (tenant groups carry the
+    # :organization prefix param). Returns nil for non-tenant/legacy routes.
+    def current_organization
+      return @current_organization if defined?(@current_organization)
+
+      @current_organization = begin
+        org_identifier = params[:organization]
+        if org_identifier.present?
+          org_class = "Organization".safe_constantize
+          if org_class
+            column = Rhino.config.multi_tenant[:organization_identifier_column] || "id"
+            org_class.find_by(column => org_identifier)
+          end
+        end
+      end
+    end
+
+    def membership_enforced?
+      Rhino.config.respond_to?(:enforce_group_membership?) && Rhino.config.enforce_group_membership?
+    end
+
+    # Coarse membership gate for the resolved group (and org for tenant groups).
+    def group_member?(user)
+      Rhino::GroupMembership.member?(user, current_route_group, current_organization)
+    end
+
+    # Run the configured lifecycle hook for the current (or overridden) group.
+    # Returns true when a response was rendered (rejection), false/nil otherwise.
+    #
+    # On Rhino::AuthRejected: for token-issuing actions (revoke_on_reject) the
+    # just-issued token is revoked, then the carried status is returned.
+    #
+    # When swallow_reject is true (password/recover only), a rejection is run
+    # for its side effects but NOT surfaced: the action proceeds to its uniform
+    # response so the endpoint cannot be used as an email-enumeration oracle.
+    def run_hook(event, user, token: nil, revoke_on_reject: false, swallow_reject: false, group_override: :__none__, organization_override: :__none__)
+      group = group_override == :__none__ ? current_route_group : group_override
+      org = organization_override == :__none__ ? current_organization : organization_override
+
+      hooks = Rhino.config.respond_to?(:hooks_for_group) ? Rhino.config.hooks_for_group(group) : nil
+      return false unless hooks
+      return false unless hooks.respond_to?(event)
+
+      context = {
+        user: user,
+        route_group: group,
+        organization: org,
+        token: token,
+        request: request
+      }
+
+      hooks.public_send(event, user, context)
+      false
+    rescue Rhino::AuthRejected => e
+      return false if swallow_reject
+
+      revoke_token(user) if revoke_on_reject
+      render json: { message: e.message }, status: e.status
+      true
+    end
+
+    def revoke_token(user)
+      return unless user
+
+      if user.respond_to?(:regenerate_api_token)
+        user.regenerate_api_token
+      elsif user.respond_to?(:update_column) && user.class.column_names.include?("api_token")
+        user.update_column(:api_token, SecureRandom.hex(32))
+      end
+    end
+
     def authenticate_user!
       unless current_user
         render json: { message: "Unauthenticated." }, status: :unauthorized

data/lib/rhino/controllers/invitations_controller.rb

@@ -53,6 +53,20 @@ module Rhino
 
       email = params[:email].to_s.strip
       role_id = params[:role_id]
+      route_group = params[:route_group].presence
+
+      # The public group is never auth-enabled — it cannot be invited into.
+      if route_group.to_s == "public"
+        return render json: { message: "Cannot invite into the public group" }, status: :unprocessable_entity
+      end
+
+      # When group-membership enforcement is on, the inviter must themselves be
+      # a member of the target group (GROUP_AUTH_DESIGN.md §8).
+      if route_group.present? && membership_enforced?
+        unless Rhino::GroupMembership.member?(current_user, route_group, current_organization)
+          return render json: { message: "You are not a member of this group" }, status: :forbidden
+        end
+      end
 
       # Check if user already exists and is in organization
       user_class = "User".safe_constantize
@@ -75,13 +89,28 @@ module Rhino
         return render json: { message: "A pending invitation already exists for this email" }, status: :unprocessable_entity
       end
 
-      # Create invitation
-      invitation = OrganizationInvitation.create!(
-        organization_id: current_organization.id,
+      # Create invitation. Non-tenant groups (e.g. :admin, :driver) have no
+      # organization, so a non-tenant invite must store organization_id = nil —
+      # matching the nullable membership row that accept! will create. Only the
+      # tenant group (and the legacy no-group invite) carries the current org.
+      invitation_org_id =
+        if route_group.present? && !Rhino.config.group_is_tenant?(route_group)
+          nil
+        else
+          current_organization.id
+        end
+
+      invitation_attrs = {
+        organization_id: invitation_org_id,
         email: email,
         role_id: role_id,
         invited_by: current_user.id
-      )
+      }
+      if route_group.present? && OrganizationInvitation.column_names.include?("route_group")
+        invitation_attrs[:route_group] = route_group
+      end
+
+      invitation = OrganizationInvitation.create!(invitation_attrs)
 
       # Send notification email
       send_invitation_email(invitation)
@@ -221,6 +250,10 @@ module Rhino
       @organization
     end
 
+    def membership_enforced?
+      Rhino.config.respond_to?(:enforce_group_membership?) && Rhino.config.enforce_group_membership?
+    end
+
     def send_invitation_email(invitation)
       mailer_class = "Rhino::InvitationMailer".safe_constantize
       mailer_class&.invite(invitation)&.deliver_later