SECURITY: verify that inviter can invite new user to a topic

2024-11-26 19:00:40 +08:00 · 2017-10-09 15:52:41 +05:30 · 2017-10-09 15:52:41 +05:30 · a2183c3f1d
commit a2183c3f1d
parent 59aeb0bc56
4 changed files with 25 additions and 2 deletions
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -93,9 +93,11 @@ class InvitesController < ApplicationController
      group_ids: params[:group_ids],
      group_names: params[:group_names]
    )
-
    guardian.ensure_can_invite_to_forum!(groups)
+
    topic = Topic.find_by(id: params[:topic_id])
+    guardian.ensure_can_invite_to!(topic) if topic.present?
+
    group_ids = groups.map(&:id)

    invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@ -138,7 +138,7 @@ class Invite < ActiveRecord::Base
        invite.invited_groups.create!(group_id: group_id)
      end
    else
-      if topic && topic.category # && Guardian.new(invited_by).can_invite_to?(topic)
+      if topic && topic.category && Guardian.new(invited_by).can_invite_to?(topic)
        group_ids = topic.category.groups.pluck(:id) - invite.invited_groups.pluck(:group_id)
        group_ids.each { |group_id| invite.invited_groups.create!(group_id: group_id) }
      end
--- a/spec/controllers/invites_controller_spec.rb
+++ b/spec/controllers/invites_controller_spec.rb
@ -164,6 +164,19 @@ describe InvitesController do
        expect(response).not_to be_success
      end

+      it "verifies that inviter is authorized to invite new user to a group-private topic" do
+        group = Fabricate(:group)
+        private_category = Fabricate(:private_category, group: group)
+        group_private_topic = Fabricate(:topic, category: private_category)
+        log_in(:trust_level_4)
+
+        post :create_invite_link, params: {
+          email: email, topic_id: group_private_topic.id
+        }, format: :json
+
+        expect(response).not_to be_success
+      end
+
      it "allows admins to invite to groups" do
        group = Fabricate(:group)
        log_in(:admin)
--- a/spec/models/invite_spec.rb
+++ b/spec/models/invite_spec.rb
@ -141,6 +141,7 @@ describe Invite do
    let(:inviter) { group_private_topic.user }

    before do
+      group.add_owner(inviter)
      @invite = group_private_topic.invite_by_email(inviter, iceking)
    end

@ -154,6 +155,13 @@ describe Invite do
        expect(@invite.groups).to eq([group])
      end
    end
+
+    it 'verifies that inviter is authorized to invite user to a topic' do
+      tl2_user = Fabricate(:user, trust_level: 2)
+
+      invite = group_private_topic.invite_by_email(tl2_user, 'foo@bar.com')
+      expect(invite.groups.count).to eq(0)
+    end
  end

  context 'an existing user' do