SECURITY: Any group can be invited into a PM.

app/controllers/topics_controller.rb

@@ -471,7 +471,7 @@ class TopicsController < ApplicationController
     topic = Topic.find_by(id: params[:topic_id])
 
     if topic.private_message?
-      guardian.ensure_can_send_private_message!(group)
+      guardian.ensure_can_invite_group_to_private_message!(group, topic)
       topic.invite_group(current_user, group)
       render_json_dump BasicGroupSerializer.new(group, scope: guardian, root: 'group')
     else

lib/guardian.rb

@@ -269,6 +269,11 @@ class Guardian
     is_admin? || (authenticated? && @user.id == user_id)
   end
 
+  def can_invite_group_to_private_message?(group, topic)
+    can_see_topic?(topic) &&
+    can_send_private_message?(group)
+  end
+
   def can_send_private_message?(target)
     (target.is_a?(Group) || target.is_a?(User)) &&
     # User is authenticated

spec/controllers/topics_controller_spec.rb

@@ -1011,31 +1011,57 @@ describe TopicsController do
   end
 
   describe 'invite_group' do
-    let :admins do
+    let(:admins) { Group[:admins] }
-      Group[:admins]
+    let(:pm) { Fabricate(:private_message_topic) }
-    end
 
-    let! :admin do
+    def invite_group(topic, expected_status)
-      log_in :admin
+      xhr :post, :invite_group, topic_id: topic.id, group: admins.name
+      expect(response.status).to eq(expected_status)
     end
 
     before do
-      admins.alias_level = Group::ALIAS_LEVELS[:everyone]
+      admins.update!(alias_level: Group::ALIAS_LEVELS[:everyone])
-      admins.save!
     end
 
-    it "disallows inviting a group to a topic" do
+    describe 'as an anon user' do
-      topic = Fabricate(:topic)
+      it 'should be forbidden' do
-      xhr :post, :invite_group, topic_id: topic.id, group: 'admins'
+        invite_group(pm, 403)
-      expect(response.status).to eq(422)
+      end
     end
 
-    it "allows inviting a group to a PM" do
+    describe 'as a normal user' do
-      topic = Fabricate(:private_message_topic)
+      let!(:user) { log_in }
-      xhr :post, :invite_group, topic_id: topic.id, group: 'admins'
 
-      expect(response.status).to eq(200)
+      describe 'when user does not have permission to view the topic' do
-      expect(topic.allowed_groups.first.id).to eq(admins.id)
+        it 'should be forbidden' do
+          invite_group(pm, 403)
+        end
+      end
+
+      describe 'when user has permission to view the topic' do
+        before do
+          pm.allowed_users << user
+        end
+
+        it 'should allow user to invite group to topic' do
+          invite_group(pm, 200)
+          expect(pm.allowed_groups.first.id).to eq(admins.id)
+        end
+      end
+    end
+
+    describe 'as an admin user' do
+      let!(:admin) { log_in(:admin) }
+
+      it "disallows inviting a group to a topic" do
+        topic = Fabricate(:topic)
+        invite_group(topic, 422)
+      end
+
+      it "allows inviting a group to a PM" do
+        invite_group(pm, 200)
+        expect(pm.allowed_groups.first.id).to eq(admins.id)
+      end
     end
   end