FIX: should not receive topic invites from ignored users. (#14746)

Previously, ignored users can send notifications by inviting the ignorer to topics or PMs.
2021-10-28 21:03:00 +05:30 · 2021-10-28 21:03:00 +05:30 · c62242c6b3
parent 00b99c6613
commit c62242c6b3
3 changed files with 34 additions and 11 deletions
--- a/app/models/topic.rb
+++ b/app/models/topic.rb
@ -1022,13 +1022,7 @@ class Topic < ActiveRecord::Base
        raise UserExists.new(I18n.t("topic_invite.user_exists"))
      end

-      if MutedUser
-          .where(user: target_user, muted_user: invited_by)
-          .joins(:muted_user)
-          .where('NOT admin AND NOT moderator')
-          .exists?
-        raise NotAllowed.new(I18n.t("topic_invite.muted_invitee"))
-      end
+      ensure_can_invite!(target_user, invited_by)

      if TopicUser
          .where(topic: self,
@ -1066,6 +1060,22 @@ class Topic < ActiveRecord::Base
    end
  end

+  def ensure_can_invite!(target_user, invited_by)
+    if MutedUser
+        .where(user: target_user, muted_user: invited_by)
+        .joins(:muted_user)
+        .where('NOT admin AND NOT moderator')
+        .exists?
+      raise NotAllowed
+    elsif IgnoredUser
+        .where(user: target_user, ignored_user: invited_by)
+        .joins(:ignored_user)
+        .where('NOT admin AND NOT moderator')
+        .exists?
+      raise NotAllowed
+    end
+  end
+
  def email_already_exists_for?(invite)
    invite.email_already_exists && private_message?
  end
@ -1733,6 +1743,9 @@ class Topic < ActiveRecord::Base
  end

  def create_invite_notification!(target_user, notification_type, username)
+    invited_by = User.find_by_username(username)
+    ensure_can_invite!(target_user, invited_by)
+
    target_user.notifications.create!(
      notification_type: notification_type,
      topic_id: self.id,
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -270,7 +270,6 @@ en:
  topic_invite:
    failed_to_invite: "The user cannot be invited into this topic without a group membership in either one of the following groups: %{group_names}."
    user_exists: "Sorry, that user has already been invited. You may only invite a user to a topic once."
-    muted_invitee: "Sorry, that user muted you."
    muted_topic: "Sorry, that user muted this topic."
    receiver_does_not_allow_pm: "Sorry, that user does not allow you to send them private messages."
    sender_does_not_allow_pm: "Sorry, you do not allow that user to send you private messages."
--- a/spec/models/topic_spec.rb
+++ b/spec/models/topic_spec.rb
@ -711,12 +711,23 @@ describe Topic do
        end

        context "from a muted user" do
-          before { MutedUser.create!(user: another_user, muted_user: user) }
+          before { Fabricate(:muted_user, user: another_user, muted_user: user) }

-          it 'fails with an error message' do
+          it 'fails with an error' do
+            expect { topic.invite(user, another_user.username) }
+              .to raise_error(Topic::NotAllowed)
+            expect(topic.allowed_users).to_not include(another_user)
+            expect(Post.last).to be_blank
+            expect(Notification.last).to be_blank
+          end
+        end
+
+        context "from a ignored user" do
+          before { Fabricate(:ignored_user, user: another_user, ignored_user: user) }
+
+          it 'fails with an error' do
            expect { topic.invite(user, another_user.username) }
              .to raise_error(Topic::NotAllowed)
-              .with_message(I18n.t("topic_invite.muted_invitee"))
            expect(topic.allowed_users).to_not include(another_user)
            expect(Post.last).to be_blank
            expect(Notification.last).to be_blank