FIX: check for inviter group permissions at the time of redeeming invite

2020-06-15 14:43:56 +05:30 · 2020-06-15 14:43:56 +05:30 · a94387c088
parent 402b80f306
commit a94387c088
3 changed files with 17 additions and 2 deletions
--- a/app/models/invite_redeemer.rb
+++ b/app/models/invite_redeemer.rb
@ -128,10 +128,14 @@ InviteRedeemer = Struct.new(:invite, :email, :username, :name, :password, :user_
  end

  def add_user_to_groups
+    guardian = Guardian.new(invite.invited_by)
    new_group_ids = invite.groups.pluck(:id) - invited_user.group_users.pluck(:group_id)
    new_group_ids.each do |id|
-      invited_user.group_users.create!(group_id: id)
-      DiscourseEvent.trigger(:user_added_to_group, invited_user, Group.find_by(id: id), automatic: false)
+      group = Group.find_by(id: id)
+      if guardian.can_edit_group?(group)
+        invited_user.group_users.create!(group_id: group.id)
+        DiscourseEvent.trigger(:user_added_to_group, invited_user, group, automatic: false)
+      end
    end
  end

--- a/spec/models/invite_redeemer_spec.rb
+++ b/spec/models/invite_redeemer_spec.rb
@ -144,9 +144,19 @@ describe InviteRedeemer do
      expect(user.custom_fields["user_field_#{optional_field.id}"]).to eq('value2')
    end

+    it "does not add user to group if inviter does not have permissions" do
+      group = Fabricate(:group, grant_trust_level: 2)
+      InvitedGroup.create(group_id: group.id, invite_id: invite.id)
+      user = InviteRedeemer.new(invite: invite, email: invite.email, username: username, name: name, password: password).redeem
+
+      expect(user.group_users.count).to eq(0)
+    end
+
    it "adds user to group" do
      group = Fabricate(:group, grant_trust_level: 2)
      InvitedGroup.create(group_id: group.id, invite_id: invite.id)
+      group.add_owner(invite.invited_by)
+
      user = InviteRedeemer.new(invite: invite, email: invite.email, username: username, name: name, password: password).redeem

      expect(user.group_users.count).to eq(4)
--- a/spec/models/invite_spec.rb
+++ b/spec/models/invite_spec.rb
@ -306,6 +306,7 @@ describe Invite do
    context "when inviting to groups" do
      it "add the user to the correct groups" do
        group = Fabricate(:group)
+        group.add_owner(invite.invited_by)
        invite.invited_groups.build(group_id: group.id)
        invite.save