From d2135b23c44fc616c47439b333d3fc89d026c692 Mon Sep 17 00:00:00 2001
From: Dan Ungureanu
Date: Wed, 2 Jun 2021 16:28:21 +0300
Subject: [PATCH] FIX: Do not require trust level to invite to group (#13230)
It used to require SiteSetting.min_trust_level_to_allow_invite to invite a user to a group, even if the user existed and the inviter was a group owner.
---
 app/controllers/groups_controller.rb | 4 ++--
 spec/requests/groups_controller_spec.rb | 12 +++++++++---
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/app/controllers/groups_controller.rb b/app/controllers/groups_controller.rb
index 3d6e6262bc3..3196fa1cb24 100644
--- a/app/controllers/groups_controller.rb
+++ b/app/controllers/groups_controller.rb
@@ -328,8 +328,6 @@ class GroupsController < ApplicationController
 unless current_user.staff?
 RateLimiter.new(current_user, "public_group_membership", 3, 1.minute).performed!
 end
- elsif !current_user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)
- raise Discourse::InvalidAccess
 end
 emails = []
@@ -340,6 +338,8 @@ class GroupsController < ApplicationController
 end
 end
+ guardian.ensure_can_invite_to_forum!([group]) if emails.present?
+
 if users.empty? && emails.empty?
 raise Discourse::InvalidParameters.new(I18n.t("groups.errors.usernames_or_emails_required"))
 end
diff --git a/spec/requests/groups_controller_spec.rb b/spec/requests/groups_controller_spec.rb
index 8a3d46868e4..1ef1174942d 100644
--- a/spec/requests/groups_controller_spec.rb
+++ b/spec/requests/groups_controller_spec.rb
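Review bot: In app/controllers/groups_controller.rb, the added `guardian.ensure_can_invite_to_forum!([group]) if emails.present?` is skipped whenever every submitted address matches an existing account, so for a group owner who is not allowed to invite, a 200 versus a 403 may reveal whether an address is registered. The loop that fills `emails` begins outside this hunk and the action itself starts and ends outside it, so this is inferred from the guard condition and the commit message. The `RateLimiter` call visible in the first hunk sits only in the other branch, so it is worth confirming that some limit also covers this path. A comment above the new line would record the intent, for example `# Only addresses with no account need forum-invite rights; existing users are added under the group-edit check made earlier in this action.`, with the last clause adjusted to wherever that check actually lives, since it is not visible here.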
@@ -1212,12 +1212,18 @@ describe GroupsController do
 end
 it 'does not add users without sufficient permission' do
+ group.add_owner(user)
 sign_in(user)
- SiteSetting.min_trust_level_to_allow_invite = user.trust_level + 1
- user2 = Fabricate(:user)
- put "/groups/#{group.id}/members.json", params: { usernames: user2.username }
+ put "/groups/#{group.id}/members.json", params: { usernames: Fabricate(:user).username }
+ expect(response.status).to eq(200)
+ end
+ it 'does not send invites if user cannot invite' do
+ group.add_owner(user)
+ sign_in(user)
+
+ put "/groups/#{group.id}/members.json", params: { emails: "test@example.com" }
 expect(response.status).to eq(403)
 end
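Review bot: The first example keeps the description 'does not add users without sufficient permission' but now makes the user a group owner and expects 200, so the name says the opposite of what is asserted; `it 'adds existing users when the inviter is a group owner' do` would match. With the `SiteSetting.min_trust_level_to_allow_invite = user.trust_level + 1` line removed, neither example pins that setting, so the first one no longer shows that an owner below the threshold is accepted, which is the regression the commit message describes. The 403 in 'does not send invites if user cannot invite' likewise appears to depend on the fabricated user's default trust level and the site default, assuming that setting is what the guardian check consults. Keeping the setting line in both examples would make each authorization outcome deliberate rather than a side effect of defaults. No example in this hunk covers a signed-in non-owner, so check that the refusal for that case is asserted elsewhere in the spec.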