mirror of
https://github.com/discourse/discourse.git
synced 2024-11-30 07:33:43 +08:00
SECURITY: verify that inviter can invite new user to a topic
This commit is contained in:
parent
59aeb0bc56
commit
a2183c3f1d
|
@ -93,9 +93,11 @@ class InvitesController < ApplicationController
|
|||
group_ids: params[:group_ids],
|
||||
group_names: params[:group_names]
|
||||
)
|
||||
|
||||
guardian.ensure_can_invite_to_forum!(groups)
|
||||
|
||||
topic = Topic.find_by(id: params[:topic_id])
|
||||
guardian.ensure_can_invite_to!(topic) if topic.present?
|
||||
|
||||
group_ids = groups.map(&:id)
|
||||
|
||||
invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
|
||||
|
|
|
@ -138,7 +138,7 @@ class Invite < ActiveRecord::Base
|
|||
invite.invited_groups.create!(group_id: group_id)
|
||||
end
|
||||
else
|
||||
if topic && topic.category # && Guardian.new(invited_by).can_invite_to?(topic)
|
||||
if topic && topic.category && Guardian.new(invited_by).can_invite_to?(topic)
|
||||
group_ids = topic.category.groups.pluck(:id) - invite.invited_groups.pluck(:group_id)
|
||||
group_ids.each { |group_id| invite.invited_groups.create!(group_id: group_id) }
|
||||
end
|
||||
|
|
|
@ -164,6 +164,19 @@ describe InvitesController do
|
|||
expect(response).not_to be_success
|
||||
end
|
||||
|
||||
it "verifies that inviter is authorized to invite new user to a group-private topic" do
|
||||
group = Fabricate(:group)
|
||||
private_category = Fabricate(:private_category, group: group)
|
||||
group_private_topic = Fabricate(:topic, category: private_category)
|
||||
log_in(:trust_level_4)
|
||||
|
||||
post :create_invite_link, params: {
|
||||
email: email, topic_id: group_private_topic.id
|
||||
}, format: :json
|
||||
|
||||
expect(response).not_to be_success
|
||||
end
|
||||
|
||||
it "allows admins to invite to groups" do
|
||||
group = Fabricate(:group)
|
||||
log_in(:admin)
|
||||
|
|
|
@ -141,6 +141,7 @@ describe Invite do
|
|||
let(:inviter) { group_private_topic.user }
|
||||
|
||||
before do
|
||||
group.add_owner(inviter)
|
||||
@invite = group_private_topic.invite_by_email(inviter, iceking)
|
||||
end
|
||||
|
||||
|
@ -154,6 +155,13 @@ describe Invite do
|
|||
expect(@invite.groups).to eq([group])
|
||||
end
|
||||
end
|
||||
|
||||
it 'verifies that inviter is authorized to invite user to a topic' do
|
||||
tl2_user = Fabricate(:user, trust_level: 2)
|
||||
|
||||
invite = group_private_topic.invite_by_email(tl2_user, 'foo@bar.com')
|
||||
expect(invite.groups.count).to eq(0)
|
||||
end
|
||||
end
|
||||
|
||||
context 'an existing user' do
|
||||
|
|
Loading…
Reference in New Issue
Block a user