FIX: only staff can access 'resend all invites' feature

2024-11-22 09:42:02 +08:00 · 2016-06-07 10:57:08 +05:30 · 2016-06-07 10:57:08 +05:30 · b1a94049e0
commit b1a94049e0
parent a9c6df198c
3 changed files with 6 additions and 6 deletions
--- a/app/assets/javascripts/discourse/controllers/user-invited-show.js.es6
+++ b/app/assets/javascripts/discourse/controllers/user-invited-show.js.es6
@ -35,7 +35,7 @@ export default Ember.Controller.extend({
  inviteRedeemed: Em.computed.equal('filter', 'redeemed'),

  showReinviteAllButton: function() {
-    return (this.get('filter') === "pending" && this.get('model').invites.length > 4);
+    return (this.get('filter') === "pending" && this.get('model').invites.length > 4 && this.currentUser.get('staff'));
  }.property('filter'),

  /**
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -141,14 +141,10 @@ class InvitesController < ApplicationController
  end

  def resend_all_invites
-    guardian.ensure_can_invite_to_forum!
-    RateLimiter.new(current_user, "resend-all-invites-per-day", 1, 1.day).performed!
+    guardian.ensure_can_resend_all_invites!(current_user)

    Invite.resend_all_invites_from(current_user.id)
    render nothing: true
-
-  rescue RateLimiter::LimitExceeded
-    render_json_error(I18n.t("rate_limiter.slow_down"))
  end

  def check_csv_chunk
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
@ -246,6 +246,10 @@ class Guardian
    user.staff?
  end

+  def can_resend_all_invites?(user)
+    user.staff?
+  end
+
  def can_see_private_messages?(user_id)
    is_admin? || (authenticated? && @user.id == user_id)
  end