From b1a94049e0110d4f5022c82389154241353952aa Mon Sep 17 00:00:00 2001
From: Arpit Jalan
Date: Tue, 7 Jun 2016 10:57:08 +0530
Subject: [PATCH] FIX: only staff can access 'resend all invites' feature
---
 .../discourse/controllers/user-invited-show.js.es6 | 2 +-
 app/controllers/invites_controller.rb | 6 +-----
 lib/guardian.rb | 4 ++++
 3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/app/assets/javascripts/discourse/controllers/user-invited-show.js.es6 b/app/assets/javascripts/discourse/controllers/user-invited-show.js.es6
index cf58bce112e..15d71343589 100644
--- a/app/assets/javascripts/discourse/controllers/user-invited-show.js.es6
+++ b/app/assets/javascripts/discourse/controllers/user-invited-show.js.es6
@@ -35,7 +35,7 @@ export default Ember.Controller.extend({
   inviteRedeemed: Em.computed.equal('filter', 'redeemed'),
   showReinviteAllButton: function() {
-    return (this.get('filter') === "pending" && this.get('model').invites.length > 4);
+    return (this.get('filter') === "pending" && this.get('model').invites.length > 4 && this.currentUser.get('staff'));
   }.property('filter'),
   /**
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index 2311ab82624..01936f68719 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -141,14 +141,10 @@ class InvitesController < ApplicationController
   end
   def resend_all_invites
-    guardian.ensure_can_invite_to_forum!
-    RateLimiter.new(current_user, "resend-all-invites-per-day", 1, 1.day).performed!
+    guardian.ensure_can_resend_all_invites!(current_user)
     Invite.resend_all_invites_from(current_user.id)
     render nothing: true
-
-  rescue RateLimiter::LimitExceeded
-    render_json_error(I18n.t("rate_limiter.slow_down"))
   end
   def check_csv_chunk
diff --git a/lib/guardian.rb b/lib/guardian.rb
index 717a90adc9f..1be5533c5b8 100644
--- a/lib/guardian.rb
+++ b/lib/guardian.rb
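Review bot: The added `this.currentUser.get('staff')` term is read inside `showReinviteAllButton` but the computed property still declares only `filter` as its dependent key, so the dependency list no longer matches what the function reads (the existing `model.invites.length` read has the same gap). Staff status is unlikely to change within a session, so the stale-cache risk is small, but the declaration should be complete: `}.property('filter', 'model.invites.length', 'currentUser.staff'),`. This button check is only a UI convenience; the authoritative control is the guardian check the same commit adds on the server. The enclosing `Ember.Controller.extend({` object starts outside the hunk.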
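Review bot: The hunk drops the `RateLimiter.new(current_user, "resend-all-invites-per-day", 1, 1.day).performed!` call and its `rescue RateLimiter::LimitExceeded` handler from `resend_all_invites`, so the action is no longer throttled at all; the commit message describes only the staff restriction, so this looks unintended. Narrowing the action to staff reduces who can trigger `Invite.resend_all_invites_from`, but a single staff account (or a compromised staff session) can now re-send every pending invite repeatedly, and the once-per-day limit was the only thing bounding the outbound mail volume from this endpoint. Keep the limiter alongside the new guardian check: `RateLimiter.new(current_user, "resend-all-invites-per-day", 1, 1.day).performed!` after `guardian.ensure_can_resend_all_invites!(current_user)`, and restore `rescue RateLimiter::LimitExceeded` with `render_json_error(I18n.t("rate_limiter.slow_down"))` so callers still get the slow-down response instead of a 500. If the limit was removed deliberately for staff, say so in the commit message and consider a looser limit rather than none.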
@@ -246,6 +246,10 @@ class Guardian
     user.staff?
   end
+  def can_resend_all_invites?(user)
+    user.staff?
+  end
+
   def can_see_private_messages?(user_id)
     is_admin? || (authenticated? && @user.id == user_id)
   end
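Review bot: `can_resend_all_invites?(user)` authorizes on whichever user object the caller passes in (`user.staff?`) rather than on the principal the guardian was built for, whereas the neighbouring `can_see_private_messages?` decides from the guardian's own state (`is_admin?`, `authenticated?`, `@user`). The only caller in this commit passes `current_user`, so the two coincide today, but the parameter invites a future caller to pass a different user and have the check answer for the wrong principal. Prefer a predicate with no argument that checks the guardian's own user, e.g. `def can_resend_all_invites?` returning `authenticated? && @user.staff?`, and drop the argument from the controller's `ensure_can_resend_all_invites!` call accordingly. If the argument is kept for some other reason, a comment stating that it must be the acting user would at least make the contract explicit.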