fix: address CRITICAL security issues - permission escalation and encoding inconsistency

backend/src/v1/inbox_messages/schemas.py

@@ -8,6 +8,31 @@ from uuid import UUID
 from pydantic import BaseModel, ConfigDict
 
 
+class PermissionBits:
+    VIEW = 1  # 001
+    INVITE = 2  # 010
+    EDIT = 4  # 100
+
+    @classmethod
+    def encode(cls, view: bool, edit: bool, invite: bool) -> int:
+        value = 0
+        if view:
+            value |= cls.VIEW
+        if edit:
+            value |= cls.EDIT
+        if invite:
+            value |= cls.INVITE
+        return value
+
+    @classmethod
+    def decode(cls, permission: int) -> dict[str, bool]:
+        return {
+            "view": bool(permission & cls.VIEW),
+            "edit": bool(permission & cls.EDIT),
+            "invite": bool(permission & cls.INVITE),
+        }
+
+
 class InboxMessageType(str, Enum):
     FRIEND_REQUEST = "friend_request"
     CALENDAR = "calendar"
@@ -41,6 +66,8 @@ class InboxMessageListRequest(BaseModel):
 
 
 class InboxMessageAcceptRequest(BaseModel):
+    model_config: ClassVar[ConfigDict] = ConfigDict(extra="forbid")
+
     permission_view: bool = True
     permission_edit: bool = False
     permission_invite: bool = False