FIX: check trust level of user creating invite for group (#12993)

Hariraj Venkatesan 2021-05-10 22:17:32 +05:30 committed by GitHub
parent 02f0acc41b
commit c473cde997
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 0 deletions


@ -322,6 +322,8 @@ class GroupsController < ApplicationController
unless current_user.staff?
RateLimiter.new(current_user, "public_group_membership", 3, 1.minute).performed!
end
elsif !current_user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)
raise Discourse::InvalidAccess
end
emails = []
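Review bot: The trust-level gate sits only in the `elsif` arm, so a request that takes the first arm (the one ending in the `public_group_membership` rate limiter) never reaches it. If that arm can also carry e-mail addresses into the invite code that follows `emails = []`, a user below `min_trust_level_to_allow_invite` can still create invites there. On the other arm the gate fires for every request, including ones that only add existing users by username, which is wider than the "creating invite" in the commit title. Consider enforcing it where invites are actually created, e.g. `raise Discourse::InvalidAccess if emails.present? && !current_user.has_trust_level?(SiteSetting.min_trust_level_to_allow_invite.to_i)`. The opening `if` condition and the e-mail handling are both outside this hunk, so this needs checking against the full method.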


@ -1211,6 +1211,16 @@ describe GroupsController do
expect(Topic.last.topic_users.map(&:user_id)).to include(Discourse::SYSTEM_USER_ID, user2.id)
end
it 'does not add users without sufficient permission' do
sign_in(user)
SiteSetting.min_trust_level_to_allow_invite = user.trust_level + 1
user2 = Fabricate(:user)
put "/groups/#{group.id}/members.json", params: { usernames: user2.username }
expect(response.status).to eq(403)
end
context "is able to add several members to a group" do
fab!(:user1) { Fabricate(:user) }
fab!(:user2) { Fabricate(:user, username: "UsEr2") }
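Review bot: The new example may not prove that the trust-level check is what rejects the request, because it only asserts `expect(response.status).to eq(403)` for a signed-in `user` whose rights on `group` are not visible in the hunk. If `user` cannot edit the group anyway, an earlier permission check would return the same 403 and the spec would pass without the controller change. Giving the user edit rights first (e.g. `group.add_owner(user)`) would isolate the check, and `expect(group.reload.users).not_to include(user2)` would confirm nothing was added. A companion example with `SiteSetting.min_trust_level_to_allow_invite = user.trust_level` expecting success, and one that sends `emails:` rather than `usernames:`, would cover the boundary and the invite path named in the commit title. The surrounding `describe` setup and the following `context` block continue outside the hunk.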