From a2183c3f1d1ac16ab48ab68a567d9979c4912eb9 Mon Sep 17 00:00:00 2001
From: Arpit Jalan
Date: Mon, 9 Oct 2017 15:52:41 +0530
Subject: [PATCH] SECURITY: verify that inviter can invite new user to a topic
---
app/controllers/invites_controller.rb | 4 +++-
app/models/invite.rb | 2 +-
spec/controllers/invites_controller_spec.rb | 13 +++++++++++++
spec/models/invite_spec.rb | 8 ++++++++
4 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/app/controllers/invites_controller.rb b/app/controllers/invites_controller.rb
index 2866ff2dcbf..9bd0c0e3918 100644
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@@ -93,9 +93,11 @@ class InvitesController < ApplicationController
 group_ids: params[:group_ids],
 group_names: params[:group_names]
 )
- guardian.ensure_can_invite_to_forum!(groups)
+ topic = Topic.find_by(id: params[:topic_id])
+ guardian.ensure_can_invite_to!(topic) if topic.present?
+ group_ids = groups.map(&:id)
 invite_exists = Invite.where(email: params[:email], invited_by_id: current_user.id).first
diff --git a/app/models/invite.rb b/app/models/invite.rb
index 1955654c2dd..8f9cf8ebd99 100644
--- a/app/models/invite.rb
+++ b/app/models/invite.rb
@@ -138,7 +138,7 @@ class Invite < ActiveRecord::Base
 invite.invited_groups.create!(group_id: group_id)
 end
 else
- if topic && topic.category # && Guardian.new(invited_by).can_invite_to?(topic)
+ if topic && topic.category && Guardian.new(invited_by).can_invite_to?(topic)
 group_ids = topic.category.groups.pluck(:id) - invite.invited_groups.pluck(:group_id)
 group_ids.each { |group_id| invite.invited_groups.create!(group_id: group_id) }
 end
diff --git a/spec/controllers/invites_controller_spec.rb b/spec/controllers/invites_controller_spec.rb
index 0dd1b20158f..95c5eff1c7b 100644
--- a/spec/controllers/invites_controller_spec.rb
+++ b/spec/controllers/invites_controller_spec.rb
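Review bot: The removed `guardian.ensure_can_invite_to_forum!(groups)` is not replaced on the no-topic path, so a request without `topic_id` — or with an id that does not resolve, since `Topic.find_by` returns nil and `if topic.present?` then skips the check — reaches the invite creation below with no authorization in this hunk, and the `groups` resolved from `group_ids`/`group_names` are no longer validated against the inviter at all. Unless a check outside the hunk covers it, keep the forum/group check ahead of the new topic check: `guardian.ensure_can_invite_to_forum!(groups)` followed by the two added lines. A `topic_id` that was supplied but does not resolve should probably be rejected (e.g. raising `Discourse::NotFound`) rather than silently downgraded to a forum-wide invite link. create_invite_link continues outside the hunk on both sides.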
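Review bot: When `Guardian.new(invited_by).can_invite_to?(topic)` is false the invite is still created, merely without the category's groups, so an inviter who cannot see the topic silently produces an invite record pointing at a group-private topic; the model spec added in this commit pins exactly that permissive outcome with `expect(invite.groups.count).to eq(0)`. Failing loudly is safer and matches the controller's ensure-style checks: `raise Discourse::InvalidAccess if topic && topic.category && !Guardian.new(invited_by).can_invite_to?(topic)` placed before the `if topic && topic.category` branch, assuming ApplicationController already maps that error to a 403 as it does for the guardian's `ensure_*` methods. The `group_ids.present?` branch just above remains unguarded and relies entirely on the caller having authorized those groups. The enclosing method starts and ends outside the hunk.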
@@ -164,6 +164,19 @@ describe InvitesController do
 expect(response).not_to be_success
 end
+ it "verifies that inviter is authorized to invite new user to a group-private topic" do
+ group = Fabricate(:group)
+ private_category = Fabricate(:private_category, group: group)
+ group_private_topic = Fabricate(:topic, category: private_category)
+ log_in(:trust_level_4)
+
+ post :create_invite_link, params: {
+ email: email, topic_id: group_private_topic.id
+ }, format: :json
+
+ expect(response).not_to be_success
+ end
+
 it "allows admins to invite to groups" do
 group = Fabricate(:group)
 log_in(:admin)
diff --git a/spec/models/invite_spec.rb b/spec/models/invite_spec.rb
index b3abb0306b7..b36afc144d7 100644
--- a/spec/models/invite_spec.rb
+++ b/spec/models/invite_spec.rb
@@ -141,6 +141,7 @@ describe Invite do
 let(:inviter) { group_private_topic.user }
 before do
+ group.add_owner(inviter)
 @invite = group_private_topic.invite_by_email(inviter, iceking)
 end
@@ -154,6 +155,13 @@ describe Invite do
 expect(@invite.groups).to eq([group])
 end
 end
+
+ it 'verifies that inviter is authorized to invite user to a topic' do
+ tl2_user = Fabricate(:user, trust_level: 2)
+
+ invite = group_private_topic.invite_by_email(tl2_user, 'foo@bar.com')
+ expect(invite.groups.count).to eq(0)
+ end
 end
 context 'an existing user' do
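Review bot: The new example asserts only `expect(response).not_to be_success`, which also passes on a 404 or 422 and says nothing about whether an invite was persisted before the failure; pin both, e.g. `expect(response.status).to eq(403)` and `expect(Invite.where(email: email)).to be_empty`. Nothing in this commit exercises `create_invite_link` without a `topic_id`, which is precisely the path where the controller stopped calling `ensure_can_invite_to_forum!`; a companion example that logs in as a user who may not invite and posts with no `topic_id` (and with `group_ids`) would guard that regression. The `describe InvitesController` block continues outside the hunk.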
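Review bot: `group.add_owner(inviter)` is added to the `before` block with no explanation, and since `let(:inviter)` is the topic's author a reader will assume authorship alone should suffice; a comment such as `# the inviter must be able to see the group-private topic, otherwise invite_by_email attaches no groups` records why ownership is now required. In the second hunk of this file, the example's name promises an authorization check but its assertion only shows that the invite is created without groups, so it documents a quietly permissive contract rather than a refusal; if refusal is the intent, assert that `invite_by_email` raises or returns no invite instead. The `describe Invite` block continues outside both hunks.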